p3scan (pop3 proxy)

Users sometimes need to fetch mail from external accounts, but:
1. they fear virus infection
2. the firewall blocks it
3. spam
To stop users complaining about this, we can now let company users fetch external mail. To contain the drawbacks above, the recommendation is to use p3scan, configure it to scan for viruses, and perhaps also set up spamassassin (spam filtering).

Installation and configuration:
Download p3scan
http://p3scan.sourceforge.net/
#2004/12/20:
1. Set up again on FC3. Although p3scan has been updated to 2.0, the example antivirus line in the configuration file is still wrong:

the scanner = command does not take --disable-summary; the option is --no-summary (see man clamdscan for details).

The clamav settings in p3scan.conf:
virusregexp = .*: (.*) FOUND
scanner = /usr/bin/clamdscan --no-summary
scannertype = basic
For the simplest setup nothing else needs to be set beyond these three lines, followed by the iptables rules (see the end of the page).
The configuration file looks like this:
##########################################################################
#                                                                        #
#                         P3Scan Version 1.0                             #
#                       default configuration file                       #
#                      all params are set to default                     #
#                                                                        #
##########################################################################
#
# PID File
#   where to write a pid-file
#   default: /var/run/p3scan/p3scan.pid
# pidfile = /var/run/p3scan/p3scan.pid

#
# Max Childs
#   Maximum number of child processes (concurrent connections)
#   default: 10
# maxchilds = 10

#
# IP Address
#   The IP Address we listen on default: 0.0.0.0 (any address)
ip = 192.168.0.253

#
# Port
#   default: 8110
#
#port = 8110
#
# Username
#
#   The username the daemon should run as. Takes no effect when you
#   start as a non-root user.
#   default: mail
# user = mail

#
# Notify Directory
#    Create notification mails in <DIR>. Also used for temporary storage.
#  default: /var/spool/p3scannotify
#notifydir = /var/spool/p3scannotify

#
# Virus Directory
#
#  Directory where infected mail is stored
#
#   default: /var/spool/p3scan
#
# virusdir = /var/spool/p3scan

#
# Just Delete
#
#  What to do with infected mail
#
#  default: Keep infected messages in Virus Directory
#
#justdelete

#
# Bytes Free
#
#  The number of KB's there must be free before processing any mail.
#  If there is less than this amount, p3scan will terminate any
#  connections until the problem is resolved.
#
#  default: bytesfree = 0 (disable checking for space)
# Sample: If you want to ensure 100MB are free
#bytesfree = 100000

#
# Scanner Type / Scanner
#
#   default: basic
#
scannertype = basic
scanner = /usr/bin/clamscan --no-summary
#
# deMIME Setting
#
#   Uncomment this if we should parse all MIME-sections instead of passing
#   the as-it-is mail to the scanner.
#
#   default: <no demime>
demime

virusregexp = .*: (.*) FOUND
# Enable Spam checking
#
#  If set, will scan for Spam before scanning for a virus.
#
#  P3scan has been tested with Mail::SpamAssassin v2.6 and it
#  uses the interface spamd/spamc.
#
#  You should start spamd before running p3scan. For example:
#  "spamd -L -d" (run in local mode only, daemonize)
#  man spamd for more information.
#
#  default: no checking of spam
# checkspam

#
# Mail::SpamAssassin
#
#  Where to find spamc, the link to the SpamAssassin daemon spamd.
#
# spamcheck = /usr/bin/spamc

#
# Rename Attachments
#
#  If renattach is installed and this option is un-commented, we
#  will execute renattach to rename dangerous attachments.
#  (See README for more information)
#
#  default: none
#
# renattach = /usr/local/bin/renattach

#
# Overwrite (disable) HTML
#
#  If a person views an HTML message, not only can the client
#  download pictures automatically, it enables someone viewing
#  the remote log file to confirm the email address is valid
#  make it "worth" keeping/selling, etc...
#
#  default: do not disable HTML
#
#overwrite

#
#Debug
#
#    Turn on debugging.
#
#    default: off
# debug

#
# Quiet
#
#  Disable reporting of normal operating messages. Only report errors
#  or critical information.
#
# default: display all less debug info
# quiet

#
# Template
#
#  Where to look for an email-template when our own mail has to be send
#  instead of an infected mail. That file has to be exist, otherwise
#  p3scan will send an RFC unconform -ERR and closes the connections.
#  The email-template should be a complete email, that means a
#  mail-header (to, from, subject, date) , specify also content-type, and
#  so on. Also the leading dot is necessary (just a dot and no more in
#  the last line). You can use some key- words which will be replaced
#  when sending, e.g. %MAILDATE%.
#  default: /etc/p3scan/p3scan.mail
#
# template = /etc/p3scan/p3scan.mail

# END of configuration


clamav setup
1. Download: from the website www.clamav.net
2. After installation, configure clamd.conf
One setting, User clamav, must not be set (leave the default, root); otherwise clamd cannot scan the files in /var/spool/p3scan because of permissions: that directory is mode 700 with owner and group mail.root.
3. Start clamd
  service clamd start

iptables: redirect every internal IP's POP3 fetch to the p3scan process
iptables -A PREROUTING -t nat -p tcp -m tcp -s $Lan_ip --dport 110 -j REDIRECT --to-ports 8110
Here $Lan_ip is your internal IP range, e.g. 192.168.0.0/24
The host running p3scan must be the gateway for the other machines.
#In version 2.0, /etc/init.d/p3scan provides several actions:
start, stop, restart, condrestart, status, start_fw, stop_fw
Of these, start_fw and stop_fw set up iptables with three rules:
iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 110 -j REDIRECT --to 8110
iptables -t nat -I OUTPUT -p tcp --dport 110 -j REDIRECT --to 8110
iptables -t nat -I OUTPUT -p tcp --dport 110 -m owner --uid-owner mail -j ACCEPT

The eth0 there may be a problem: the host has at least two network cards, and which of eth0 or eth1 carries the private IP side is not fixed, so it may need to be changed.
To start and stop p3scan's iptables rules in normal operation:
service p3scan start_fw
service p3scan stop_fw
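A helper script, added here as an example (not part of p3scan or its init script), that emits the same three NAT rules for an explicitly chosen LAN interface and subnet instead of the hard-coded eth0. It assumes the defaults used above: the proxy listens on port 8110 and runs as user mail.

```shell
#!/bin/sh
# Added example, not part of p3scan or its init script: generate the NAT rules
# from start_fw/stop_fw for a chosen LAN interface and subnet instead of the
# hard-coded eth0. Assumes the defaults used above: p3scan listens on port
# 8110 and runs as user "mail"; iptables has the nat table and the owner match.

P3SCAN_PORT=8110
P3SCAN_USER=mail

# Print the three rules for LAN interface $1 and LAN subnet $2, in the order
# the init script applies them. Each uses -I (insert at top), so the rule
# printed last ends up first in its chain: the owner-match ACCEPT must sit
# above the OUTPUT REDIRECT, otherwise p3scan's own connections to the real
# POP3 server on port 110 would be redirected back into the proxy.
p3scan_fw_rules() {
    lan_if=$1
    lan_net=$2
    printf 'iptables -t nat -I PREROUTING -i %s -s %s -p tcp --dport 110 -j REDIRECT --to-ports %s\n' \
        "$lan_if" "$lan_net" "$P3SCAN_PORT"
    printf 'iptables -t nat -I OUTPUT -p tcp --dport 110 -j REDIRECT --to-ports %s\n' \
        "$P3SCAN_PORT"
    printf 'iptables -t nat -I OUTPUT -p tcp --dport 110 -m owner --uid-owner %s -j ACCEPT\n' \
        "$P3SCAN_USER"
}

# The same rules with -D instead of -I, for stop_fw.
p3scan_fw_delete() {
    p3scan_fw_rules "$1" "$2" | sed 's/ -I / -D /'
}

# Accept only names that look like a Linux network device name, so a typo
# or a stray shell character cannot become part of an iptables command.
valid_ifname() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: p3scan_fw.sh start|stop <lan_if> <lan_net>   (run as root)
if [ "$#" -eq 3 ]; then
    valid_ifname "$2" || { echo "bad interface name: $2" >&2; exit 2; }
    case $1 in
        start) p3scan_fw_rules "$2" "$3" | sh -e ;;
        stop)  p3scan_fw_delete "$2" "$3" | sh -e ;;
        *) echo "usage: $0 start|stop <lan_if> <lan_net>" >&2; exit 2 ;;
    esac
fi
```

Run it without arguments to see nothing applied; with start/stop it pipes the generated commands to sh, so check the output of p3scan_fw_rules first on a host where the LAN interface name is in doubt.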

Testing
Basic test
1. Start p3scan:
  service p3scan start
2. Set the test machine's default gateway to the IP of the p3scan host, then configure an external mail account in your mail client and do a send/receive test.

Advanced test
1. Edit /etc/p3scan/p3scan.conf and remove the # in front of debug
2. Run p3scan from a shell; it runs in the foreground, prints detailed information and waits for connections
3. Same as step 2 of the basic test
4. All messages can be seen in the shell from step 2


As for SMTP, although software for it exists, it is best not to open it; relay all outgoing mail to the company's outbound mail server and let it do the checking (viruses, spam).