help me !!!! p3scan+clamav
請教各位:小弟配置了一個使用p3scan代理的郵件伺服器,想設置垃圾郵件和殺毒,殺毒軟體使用的是clamav,現在,先啟動clamd ,后啟動p3scan,但是每次收取郵件時,clamav 要麼返回2,導致郵件不能接收,要麼就是返回0,(有病毒的郵件也查不出來)。 不知道是哪裡出現的錯誤,請各位大俠幫忙看看,現將部分調試信息貼出來,請大家幫忙看看是哪裡出現的問題。
BTW: 自己感覺應該和clamav 或p3scan配置有關係,但是確實不知道哪裡配置錯誤,隨後我將貼出我得p3scan和clamav的配置信息。
19:14:52 p3scan: Forked, pid=4250, numprocs=1
19:14:52 p3scan: setting the virusdir to /var/spool/p3scan/children/4250/
19:14:52 p3scan: Initialize Context
19:14:52 p3scan: starting proxy
19:14:52 p3scan: POP3 Connection from 10.11.0.1:4095
19:14:52 p3scan: Real-server address is 202.108.3.231:110
19:14:52 p3scan: starting mainloop
19:14:52 p3scan: <-- +OK pop3 proxy server ready
19:14:52 p3scan: --> USER test@sina.com.cn
19:14:52 p3scan: USER 'test@sina.com.cn'
19:14:53 p3scan: <-- +OK
19:14:53 p3scan: --> PASS test
19:14:53 p3scan: <-- +OK
19:14:53 p3scan: --> STAT
19:14:53 p3scan: <-- +OK 1 56442
19:14:53 p3scan: --> UIDL
19:14:53 p3scan: <-- +OK
19:14:53 p3scan: <-- 1 1161259962.77939.mail3-198.sinamail.sina.com.cn
19:14:53 p3scan: <-- .
19:14:53 p3scan: --> LIST
19:14:53 p3scan: <-- +OK
19:14:54 p3scan: <-- 1 56442
19:14:54 p3scan: <-- .
19:14:54 p3scan: --> RETR 1
19:14:54 p3scan: RETR 1 (1)
19:14:54 p3scan: <-- +OK
19:14:54 p3scan: Caught MIME/Subj line, closing header buffer.
19:14:54 p3scan: Informing email client to wait...
19:14:54 p3scan: notified=1
19:14:55 p3scan: got '.\r\n', mail is complete.
19:14:55 p3scan: Invoking scanner
19:14:55 p3scan: Bash scanner says hello
19:14:55 p3scan: popen /usr/bin/clamdscan --no-summary '/var/spool/p3scan/children/4250/p3scan.IZEKqb' '"test1" <test1@yahoo.com.cn>' '"test" <test@sina.com.cn>' 'test@sina.com.cn' 'he' 'Thu, 19 Oct 2006 19:14:55 +0800' '202.108.3.231' '110' '10.11.0.1' '4095' 'POP3' 'P3Scan' '2.3.2' '(null)' 2>&1
19:14:55 p3scan: vi : ''
19:14:55 p3scan: Scanner returned signal 2
19:14:55 p3scan: WARNING: Your scanner returned neither 0, a viruscode, nor a good viruscode, but 2
19:14:55 p3scan: Scanner returned -1
19:14:55 p3scan: ERR: We can't say if it is a virus! So we have to give the client the mail! You should check your configuration/system
19:14:55 p3scan: ERR: Scanner returned unexpected error code. You should check your configuration/system.
19:14:55 p3scan: ERR: Exiting now...
ERR: Scanner returned unexpected error code. You should check your configuration/system.
19:14:55 p3scan: echo 'Scanner returned unexpected error code. You should check your configuration/system.' | /bin/mail -s 'P3Scan Terminating!' root@localhost postmaster@localhost
19:14:55 p3scan: setting the virusdir to /var/spool/p3scan/children/4257/
19:14:55 p3scan: Initialize Context
19:14:55 p3scan: starting proxy
19:14:55 p3scan: Forked, pid=4257, numprocs=2
19:14:55 p3scan: POP3 Connection from 10.11.0.1:4097
19:14:55 p3scan: Real-server address is 202.108.3.231:110
19:14:55 p3scan: starting mainloop
19:14:55 p3scan: <-- +OK pop3 proxy server ready
19:14:55 p3scan: --> USER test@sina.com.cn
19:14:55 p3scan: USER 'test@sina.com.cn'
19:14:55 p3scan: <-- +OK
19:14:55 p3scan: --> PASS test
19:14:55 p3scan: <-- +OK
19:14:55 p3scan: --> TOP 1 1
19:14:55 p3scan: Ignoring client TOP request.
do_sigterm_proxy2, signal 1
ERR: We cot SIGTERM!
Uninit context
19:14:56 p3scan: ERR: Unable to free memory not previously allocated: <i
19:14:56 p3scan: ERR: Attention: child with pid 4250 died with abnormal termsignal (11)! This is probably a bug. Please report to the author. numprocs is now 1
19:14:56 p3scan: Erasing /var/spool/p3scan/children/4250/ contents
19:14:56 p3scan: Unlinking (/var/spool/p3scan/children/4250/p3shdr.gP9kHc)
19:14:56 p3scan: Unlinking (/var/spool/p3scan/children/4250/p3scan.IZEKqb)
19:14:56 p3scan: Removing directory /var/spool/p3scan/children/4250/
《解決方案》
p3scan config
由於配置文件很大,怕大家看的感覺麻煩,我在這裡貼出了我改動的部分。謝謝。
# P3Scan Version 2.3.2 #
# PID File
#
# where to write a pid-file
#
# default: /var/run/p3scan/p3scan.pid
#
pidfile = /var/run/p3scan/p3scan.pid
#
# Max Child's
#
# The maximum number of connections we will handle at once. Any further
# connections will be dropped. Keep in mind that a number of 10 also
# means that 10 viruscanners can run at once.
#
# default: 10
#
maxchilds = 10
#
# IP Address
# The IP Address we listen on default: 0.0.0.0 (any address)
#
ip = 0.0.0.0
#
# Port
#
# The tcp port on we should listen. If you need a privileged port you
# need to start p3scan as root (but don't set username to root,
# that's not necessary, because first after opening the port we will
# switch to that user).
#
# default: 8110
#
port = 8110
#
# TargetIP, TargetPort
#
# targetip and targetport are the ip and port to connect -
# default is 0.0.0.0 (transparent proxy mode) and 8110 respectively
#
# default: targetport is ignored in transparent proxy mode
#
# targetip = 0.0.0.0
# targetport = 8110
#
# Useurl
#
# Parse username for destination url vice using iptables redirection.
# To use this you should have your email clients replace the username
# in the email client username field with "username#destinationurl:port"
# and replace the destination url/port with the url/port of p3scan.
#
# Example:
# From:
# username: laitcg host: pop.gmail.com port: 110
# To:
# username: laitcg#pop.gmail.com:110 host: <url of p3scan machine> port: 8110
#
# default: <none>
#
# useurl
#
# Email (SMTP) Port
#
# The port we should listen on to scan outgoing email messages.
#
# default: 25
#
# emailport = 25
#
# Username
#
# The username the daemon should run as. Takes no effect when you
# start as a non-root user.
#
# default: mail
#
user = mail
# Notify Directory
#
# Create notification mails in <DIR>. Also used for temporary storage.
#
# default: /var/spool/p3scan/notify
notifydir = /var/spool/p3scan/notify
#
# Virus Directory
#
# The directory in which infected mails will be stored. It is also
# used for temporary storing. Ensure that the above specified user is
# allowed to write into!
#
# default: /var/spool/p3scan
#
virusdir = /var/spool/p3scan
#
# Just Delete
#
# Instead of keeping an infected message in the Virus Directory, delete
# it after reporting it to the user.
#
# default: Keep infected messages in Virus Directory
#
justdelete
#
# Extra Notification Recipient
#
# When an infection message is sent to the client, send a copy of the
# message to the address(s) specified here, separated by a space.
#
# NOTE: If there is a file named "p3scan.extra" it will be treated just
# like p3scan.mail (see "template") and sent to the recipients listed here.
# For example:
# /etc/p3scan/p3scan.mail -> /etc/p3scan/p3scan-en.mail
# /etc/p3scan/p3scan.extra -> /etc/p3scan/p3scan-ru.mail
#
# default: Do not notify anyone else
#
# extra = root@localhost postmaster@localhost
#
# Extra Notification Recipient mail program
#
# Use this program to send Extra Notification.
#
# default: /bin/mail
#
# xmail =
#
# Bytes Free
#
# The number of KB's there must be free before processing any mail.
# If there is less than this amount, p3scan will notify the emergency
# contact address and then terminate itself.
#
# NOTE: p3scan could need (2 * msgsize) * children disk space free.
# Being this is dynamic (not all space is needed all the time),
# you should ensure you have more than enough disk space.
## default: bytesfree = 10000 (10MB)
# Sample: If you want to ensure 100MB are free
# bytesfree = 100000
#
# Emergency Contact
#
# In the event p3scan encounters a catastrophic problem and has to terminate,
# it will send an email to these email addresses just before setting up to
# close down on the next iteration of a child process.
#
# default: root@localhost postmaster@localhost
#
# emergcon =
#
# Scanner Type
#
# Select here which type of scanner you want to use.
#
# Basic:
#
# This is the default. The configured executable (set in variable
# "scanner") will be invoked. You can also specify parameters (we are
# using /bin/sh). At the end the path to the mail and a "2>&1" is
# appended. The program can tell us if it's a virus returning Scanner
# Returncode (see below) or exit code 0 means, with all ok, all
# others are reported to syslog, but mails will be delivered unless
# justdelete is enabled above. The output is scanned using a regular
# expression which describes where the virusname can be found
# (see virusregexp).
# Bash
#
# This scanner type allows you to do whatever you want with the
# variables passed to it and can also allow you to call multiple
# scanners, etc... See p3scan.sh for an example of all the variables.
# scannertype = bash
#
# default: basic
#
# scannertype = avpd
# scannertype = avpd_new
scannertype = bash
# scannertype = basic
# scannertype = clamd
# scannertype = trophie
# Virusscanner
#
# Depends on scannertype. Read the above section of that scannertype
# you're going to use and you do not need to ask what to fill in here.
#
# default: depending on scannertype:
# basic : <no default>
# bash: : /path/to/filename
# avpd : /var/run/
# avpd_new: /var/run/
# trophie : /var/run/trophie
# clamd : tcp/ip connection
#
#
# Sample: scannertype basic using McAfee UVSCAN:
# scanner = /usr/local/uvscan/uvscan
# Sample: scannertype basic using McAfee UVSCAN:
# scanner = /usr/local/uvscan/uvscan
# Sample: scannertype basic using FRISK F-Prot Antivirus:
# scanner = /usr/local/bin/f-prot -archive=5 -ai
# Sample: scannertype basic using ClamAV:
# scanner = /usr/bin/clamdscan --no-summary
scanner = /usr/bin/clamdscan --no-summary
# Sample: scannertype clamd using ClamAV in TCPSocket mode:
# scanner = 127.0.0.1:3310
# Sample: scannertype bash using p3scan.sh for testing:
# scanner = /usr/local/sbin/p3scan.sh
#
# Scanner Returncode
#
# Specify the returncode(s) which the scanner returns when the mail is
# infected. P3Scan does its part (sending the notification and not the
# infected mail) only when it gets the specified returncode(s).
# A returncode value of 0 from the scanner is assumed to mean that the
# message is clean. Any other unspecified value will add warning lines
# to your logfiles but THE MESSAGE WILL BE DELIVERED!
#
# Only used from scannertype 'basic'.
#
# default: 1
#
# Sample: scannertype basic using McAfee UVSCAN:
# viruscode = 13
# Sample: scannertype basic using FRISK F-Prot Antivirus:
# viruscode = 3,8
# Good Scanner return codes
#
# Some scanners can report more than good or infected. Place valid return
# codes here that will enable the message to be delivered without a
# warning. For example, Kaspersky Anti-Virus reports code 10 for an
# encrypted .zip file.
#
# default: none
# Sample: goodcode = 10
# goodcode =
#
# Regular Expression for Virusname
#
# Specify here a regular expression which describes where the name of the
# virus can be found. If not specified, the first substring is used;
# specify it appending '/' and the substring number (1-9) at the end.
# PerlCompatibleRegularExpressions are used, case sensitive and the
# ungreedy option. Only used by scannertype 'basic'.
#
# default: <none>
#
# Sample: McAfee UVSCAN
# virusregexp = ^[[:space:]]*Found( the|:)[[:space:]]*(.*)[[:space:]]*(|virus[^a-z.]*)$/2
# Sample: FRISK F-Prot Antivirus
# virusregexp = (?=Infection\:)[[:space:]]*(.*)$
# Sample: ClamAV
virusregexp = .*: (.*) FOUND
#
《解決方案》
clamav config
這裡是clamav的配置,麻煩大家幫我看看了,這個問題困擾我兩天了。謝謝!!
BTW:紅色部分是我迷惑得地方,請各位大俠解釋一下!!!!
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##
# Comment or remove the line below.
#Example
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
#LogFile /tmp/clamd.log
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if you want to run another clamd instance,
# please # copy the configuration file, change the LogFile variable, and run
# the daemon with the --config-file option).
# This option disables log file locking.
# Default: disabled
#LogFileUnlock
# Maximal size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 2M
# Log time with each message.
# Default: disabled
#LogTime
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: disabled
#LogClean
# Use system logger (can work together with LogFile).
# Default: disabled
#LogSyslog
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
# Default: disabled
#LogVerbose
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
#PidFile /var/run/clamd.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp
# Path to the database directory.
# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /usr/local/clamav/share/clamav
# The daemon works in a local OR a network mode. Due to security reasons we
# recommend the local mode.
# Path to a local socket file the daemon will listen on.
# Default: disabled
LocalSocket /tmp/clamd
# Remove stale socket after unclean shutdown.
# Default: disabled
FixStaleSocket
# TCP port address.
# Default: disabled
#TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: disabled
#TCPAddr 127.0.0.1
# Maximum length the queue of pending connections may grow to.
# Default: 15
#MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# Maximal depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20
# Follow directory symlinks.
# Default: disabled
#FollowDirectorySymlinks
# Follow regular file symlinks.
# Default: disabled
#FollowFileSymlinks
# Perform internal sanity check (database integrity and freshness).
# Default: 1800 (30 min)
#SelfCheck 600
# Execute a command when virus is found. In the command string %v will
# be replaced by a virus name.
# Default: disabled
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
# Run as a selected user (clamd must be started by root).
# Default: disabled
User clamav
## Mail files
##
# Enable internal e-mail scanner.
# Default: enabled
ScanMail
# If an email contains URLs ClamAV can download and scan them.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: disabled
#MailFollowURLs
##
## HTML
##
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: enabled
ScanHTML
##
## Archives
##
# ClamAV can scan within archives and compressed files.
# Default: enabled
ScanArchive
# Due to license issues libclamav does not support RAR 3.0 archives (only the
# old 2.0 format is supported). Because some users report stability problems
# with unrarlib it's disabled by default and you must uncomment the directive
# below to enable RAR 2.0 support.
# Default: disabled
ScanRAR
# The options below protect your system against Denial of Service attacks
# using archive bombs.
# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# Default: 10M
ArchiveMaxFileSize 15M
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deep the process should be continued.
# Value of 0 disables the limit.
# Default: 8
#ArchiveMaxRecursion 9
# Number of files to be scanned within an archive.
# Value of 0 disables the limit.
# Default: 1000
#ArchiveMaxFiles 1500
# If a file in an archive is compressed more than ArchiveMaxCompressionRatio
# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)
# Value of 0 disables the limit.
# Default: 250
《解決方案》
有個地方貼錯了!
在p3scan的配置裡邊,是:
scannertype = basic。
而不是:
scannertype = bash.
有些亂了,對不起。