# [SOLVED] p3scan doesn't work

## magowiz

Hi to everybody,

I configured p3scan to listen for connections on port 8110 and iptables to redirect POP3 and POP3S to 8110, but now how can I know if Thunderbird really connects to p3scan? In /var/log/messages I don't see anything. These are my p3scan, iptables and clam configurations:

/etc/iptables.bak:

```
# Generated by iptables-save v1.3.5 on Wed May 16 14:19:15 2007
*raw
:PREROUTING ACCEPT [69:16955]
:OUTPUT ACCEPT [64:9347]
COMMIT
# Completed on Wed May 16 14:19:15 2007
# Generated by iptables-save v1.3.5 on Wed May 16 14:19:15 2007
*nat
:PREROUTING ACCEPT [5:212]
:POSTROUTING ACCEPT [4:240]
:OUTPUT ACCEPT [4:240]
# send POP3 and POP3S to the port p3scan listens on
-A PREROUTING -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A PREROUTING -p tcp -m tcp --dport 995 -j REDIRECT --to-ports 8110
COMMIT
# Completed on Wed May 16 14:19:15 2007
# Generated by iptables-save v1.3.5 on Wed May 16 14:19:15 2007
*mangle
:PREROUTING ACCEPT [69:16955]
:INPUT ACCEPT [69:16955]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [64:9347]
:POSTROUTING ACCEPT [70:10541]
COMMIT
# Completed on Wed May 16 14:19:15 2007
# Generated by iptables-save v1.3.5 on Wed May 16 14:19:15 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [64:9347]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -s 2.1.21.41 -j ACCEPT
-A INPUT -s 2.1.21.42 -j ACCEPT
-A INPUT -s 2.1.21.43 -j ACCEPT
-A INPUT -s 2.1.21.44 -j ACCEPT
-A INPUT -s 2.1.21.45 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6886 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9700:9712 -j ACCEPT
-A INPUT -p udp -m udp --dport 4672 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT
-A INPUT -p udp -m udp --dport 4662 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4672 -j ACCEPT
-A INPUT -p udp -m udp --dport 4665 -j ACCEPT
-A INPUT -p udp -m udp --dport 9700:9712 -j ACCEPT
# the p3scan listener itself
-A INPUT -p tcp -m tcp --dport 8110 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed May 16 14:19:15 2007
```

/etc/p3scan/p3scan.conf:

```
# run as the same user clamd runs as, so clamdscan can reach the clamd socket
user = clamav
scannertype = basic
scanner = /usr/bin/clamdscan
virusregexp = .*: (.*) FOUND
demime
footer = /usr/bin/clamdscan -V
```

and finally /etc/clam.conf:

```
LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /var/run/clamav/clamd.pid
LocalSocket /var/run/clamav/clamd.sock
User clamav
```

Where can I check if p3scan receives connections from Thunderbird?

Last edited by magowiz on Sat Jun 02, 2007 12:27 pm; edited 4 times in total

----------

## sybille

*magowiz wrote:*

> Where can I check if p3scan receives connections from Thunderbird?

Hi, I'm trying to get p3scan working too. It's not working for me yet, but I have figured out one way to see what it is doing.

Stop the p3scan service, and then start it in a console as follows:

```
# p3scan --debug
```

Then try to receive mail with Thunderbird. If p3scan is having a problem, it will print it to the console.

Right now, p3scan is telling me that there is a problem with write access:

```
09:01:55 p3scan[22553]: Waiting for connections.....
09:01:58 p3scan[22555]: setting the virusdir to /var/spool/p3scan/children/22555/
09:01:58 p3scan[22555]: ERR: Could not create virusdir /var/spool/p3scan/children/22555/
09:01:58 p3scan[22555]: ERR: Exiting now...
```

I don't know why that's happening. I've tried running p3scan as user mail (the default) and clamav (since I read to do that in a howto), and in each case I've changed the permissions on /var/spool/p3scan/ so that the p3scan user should be able to write there. So, for now I'm stumped.

Maybe you will see the same error as I do? In any case, I hope we can both figure it out.

----------

## magowiz

p3scan --debug doesn't tell me anything when I download mail:

```
p3scan --debug
11:16:38 p3scan[15557]: P3Scan Version 2.3.1
11:16:38 p3scan[15557]: Selected scannertype: basic (Basic file invocation scanner)
11:16:38 p3scan[15557]: Listen now on 0.0.0.0:8110
11:16:38 p3scan[15557]: Changing uid (we are root)
11:16:38 p3scan[15557]: Running as user: clamav
11:16:38 p3scan[15557]: RX compiled succesfully
11:16:38 p3scan[15557]: p3scan.conf:
11:16:38 p3scan[15557]: pidfile: /var/run/p3scan/p3scan.pid
11:16:38 p3scan[15557]: maxchilds: 10
11:16:38 p3scan[15557]: ip: Any
11:16:38 p3scan[15557]: port: 8110
11:16:38 p3scan[15557]: targetip/port disabled
11:16:38 p3scan[15557]: user: clamav
11:16:38 p3scan[15557]: notifydir: /var/spool/p3scan/notify
11:16:38 p3scan[15557]: virusdir: /var/spool/p3scan
11:16:38 p3scan[15557]: justdelete: disabled
11:16:38 p3scan[15557]: bytesfree: 10000
11:16:38 p3scan[15557]: demime: enabled
11:16:38 p3scan[15557]: scanner: /usr/bin/clamdscan
11:16:38 p3scan[15557]: virusregexp: .*: (.*) FOUND
11:16:38 p3scan[15557]: broken: disabled
11:16:38 p3scan[15557]: checkspam: disabled
11:16:38 p3scan[15557]: spamcheck: /usr/bin/spamc
11:16:38 p3scan[15557]: debug: enabled
11:16:38 p3scan[15557]: quiet: disabled
11:16:38 p3scan[15557]: template: /etc/p3scan/p3scan.mail
11:16:38 p3scan[15557]: subject: [Virus] found in a mail to you:
11:16:38 p3scan[15557]: notify: Per instruction, the message has been deleted.
11:16:38 p3scan[15557]: emailport: 25
11:16:38 p3scan[15557]: smtprset: Virus detected! P3scan rejected message!
11:16:38 p3scan[15557]: smtpsize: not checking.
11:16:38 p3scan[15557]: sslport: 995
11:16:38 p3scan[15557]: mail: /bin/mail
11:16:38 p3scan[15557]: timeout: 30
11:16:38 p3scan[15557]: footer: /usr/bin/clamdscan -V
11:16:38 p3scan[15557]: altvnmsg: disabled
11:16:38 p3scan[15557]: useurl: disabled
11:16:38 p3scan[15557]: emergcon: root@localhost postmaster@localhost
11:16:38 p3scan[15557]: TOP processing disabled
11:16:38 p3scan[15557]: PIPELINING processing disabled
11:16:38 p3scan[15557]: STLS processing disabled
11:16:38 p3scan[15557]: Waiting for connections.....
```

In fact the debug output ends with

```
Waiting for connections.....
```

After that message I press the Get Mail button in Thunderbird, but nothing more is written to the p3scan output.

EDIT: Also, if I terminate p3scan, the mail download works.

----------

## sybille

Well, I still haven't fully worked things out for myself. But I do have an idea about your situation.

In a thread about p3scan at mozillazine, someone suggested that two NAT rules are needed. In addition to the REDIRECT rule(s) that move incoming mail from port 110 (and 995) to port 8110 where the proxy listens, the suggestion was to add another rule for the process that runs p3scan. For example:

```
iptables -t nat -I OUTPUT -p tcp --dport 110 -m owner --uid-owner clamav -j ACCEPT
```

(Change to user "mail" if you are using the default for p3scan, and add rules in the same format for the other ports like 995 if needed.)

Does that make any difference?
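As an added example that is not part of the thread or of p3scan: the owner rule is needed because p3scan itself, running as the proxy user, opens its own outbound connection to the real POP3 server on the same port, and without an exclusion the REDIRECT would send that connection straight back into p3scan. The model below evaluates a locally generated connection against a nat OUTPUT chain (first matching rule decides; ACCEPT and REDIRECT both stop traversal) and shows the loop that appears when the REDIRECT ends up ahead of the owner rule. Two things to keep in mind when reading rule listings: nat PREROUTING only sees packets arriving from the network, so a client on the same host as p3scan has to be caught in nat OUTPUT, and `iptables -I` inserts at the head of the chain, so two `-I` commands end up in the reverse of the order they were typed. The user name `clamav`, the client user `magowiz`, the ports and the rule syntax are taken from the thread; the function names are my own.

```python
"""Model of the iptables nat OUTPUT chain used to feed a local POP3 client into p3scan.

Added example; the rule set mirrors the thread's iptables-save listing, the chain
evaluation is a simplification (first matching rule decides; ACCEPT and REDIRECT
both stop traversal), and the helper names are my own.
"""
from dataclasses import dataclass
from typing import List, Optional

P3SCAN_PORT = 8110          # port p3scan listens on (p3scan.conf in the thread)
POP3_PORTS = (110, 995)     # POP3 and POP3S


@dataclass(frozen=True)
class Rule:
    dport: int
    target: str                        # "ACCEPT" or "REDIRECT"
    uid_owner: Optional[str] = None    # -m owner --uid-owner <user>; None = any uid
    to_port: Optional[int] = None      # --to-ports for REDIRECT

    def matches(self, uid: str, dport: int) -> bool:
        return self.dport == dport and (self.uid_owner is None or self.uid_owner == uid)

    def to_iptables_save(self) -> str:
        """Render the rule the way iptables-save prints it."""
        parts = [f"-A OUTPUT -p tcp -m tcp --dport {self.dport}"]
        if self.uid_owner is not None:
            parts.append(f"-m owner --uid-owner {self.uid_owner}")
        parts.append(f"-j {self.target}")
        if self.target == "REDIRECT":
            parts.append(f"--to-ports {self.to_port}")
        return " ".join(parts)


def p3scan_rules(proxy_user: str, ports=POP3_PORTS, proxy_port: int = P3SCAN_PORT) -> List[Rule]:
    """Correct order: let the proxy user's own connections out first, then REDIRECT everyone else."""
    exclude_proxy = [Rule(p, "ACCEPT", uid_owner=proxy_user) for p in ports]
    redirect_rest = [Rule(p, "REDIRECT", to_port=proxy_port) for p in ports]
    return exclude_proxy + redirect_rest


def insert_at_head(chain: List[Rule], rule: Rule) -> List[Rule]:
    """What `iptables -I OUTPUT ...` does: the newest rule becomes rule 1."""
    return [rule] + chain


def nat_output_decision(chain: List[Rule], uid: str, dport: int) -> str:
    """Evaluate a locally generated TCP SYN: the first matching rule decides.

    Returns "ACCEPT" (destination left alone) or "REDIRECT:<port>". No match
    falls through to the chain policy, which is ACCEPT in the thread's listing.
    """
    for rule in chain:
        if rule.matches(uid, dport):
            return f"REDIRECT:{rule.to_port}" if rule.target == "REDIRECT" else rule.target
    return "ACCEPT"


def would_loop(chain: List[Rule], proxy_user: str, dport: int, proxy_port: int = P3SCAN_PORT) -> bool:
    """True if the proxy's own upstream connection would be redirected back to the proxy."""
    return nat_output_decision(chain, proxy_user, dport) == f"REDIRECT:{proxy_port}"


if __name__ == "__main__":
    good = p3scan_rules("clamav")
    print("\n".join(r.to_iptables_save() for r in good))
    # A mail client running as another user is redirected; p3scan's own connection is not.
    print(nat_output_decision(good, "magowiz", 995), nat_output_decision(good, "clamav", 995))

    # Typing the two rules with `-I` in the order shown above puts the REDIRECT first:
    bad: List[Rule] = []
    bad = insert_at_head(bad, Rule(110, "ACCEPT", uid_owner="clamav"))
    bad = insert_at_head(bad, Rule(110, "REDIRECT", to_port=P3SCAN_PORT))
    print("loop with -I order:", would_loop(bad, "clamav", 110))   # True
```

Run it directly to print the rules in iptables-save form and the two decisions. On a live system, `iptables -t nat -L OUTPUT -n -v --line-numbers` must show the owner rule with a lower line number than the REDIRECT for the same port, and the owner rule's packet counter should go up by one for every upstream connection p3scan makes.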

----------

## magowiz

I made a mistake; the right rule was

```
-A OUTPUT -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
```

not

```
-A PREROUTING -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
```

----------

## magowiz

Now the problem is that p3scan receives connections but Thunderbird doesn't download mail (I sent myself a couple of messages).

----------

## sybille

What is the output on the command line, when running p3scan in debug mode? Or if there is no output there, have you checked the system logs?

I've been messing around with the configuration this morning and it looks like things are more or less working for me now. For the moment I've only set up rules for port 110. So my NAT rules are as follows:

```
iptables -t nat -I OUTPUT -p tcp --dport 110 -m owner --uid-owner clamav -j ACCEPT
iptables -t nat -I OUTPUT -p tcp --dport 110 -j REDIRECT --to 8110
```

My p3scan.conf reads:

```
user = clamav
scannertype = basic
scanner = /usr/bin/clamdscan --no-summary
virusregexp = .*: (.*) FOUND
```

I'm using clamdscan rather than clamscan because, in recent versions of clamav, clamscan takes a long time to finish scanning and that was slowing down the mail retrieval. Here's a thread about that: https://forums.gentoo.org/viewtopic-t-553212-highlight-clamscan.html

So I am also running clamd as a service, with the following configuration:

```
LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /var/run/clamav/clamd.pid
LocalSocket /var/run/clamav/clamd.sock
User clamav
ScanPDF yes
```

The daemon is running but I'm just using it as an on-demand file scanner with clamdscan. But I think this means that I need to run p3scan as user clamav, so that it can interact with clamd. In any case, that's how I've done it and it seems to be working so far.

In order to enable p3scan to do its thing, I had to create two folders for it in /var/spool/p3scan: /children and /notify. These folders are owned by the user clamav and belong to the group root. And the clamav user can write to both of them. Unless I did this, p3scan was not able to function.

This all is working fine for me with Claws-mail and Thunderbird (I'm setting it up because I need to move from Claws-mail to Thunderbird for other reasons.) Maybe something in there will be useful for you!

I'm surprised you're not seeing more debug output. Maybe try flushing out your iptables rules (both regular tables and NAT) just for testing? I'm not so good at iptables myself so I'm not sure whether there are any errors in what you've set up, but if you take it down to just the NAT rules needed for p3scan (and maybe only do port 110 for troubleshooting purposes?), then that could eliminate one potential problem area.

Last edited by sybille on Sat Jun 02, 2007 11:10 am; edited 1 time in total
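The `virusregexp` line is the whole interface between p3scan's "basic" scanner type and clamdscan: p3scan runs the configured command, matches its output against the regexp and, judging by the regexp used here, takes the first capture group as the virus name, which the debug log prints as `vi : '...'` (empty when nothing matched). The following is an added example, not p3scan's code, that applies the thread's regexp to constructed clamdscan output for the cases that come up in this thread: a clean file with the summary block, an infected file scanned with `--no-summary`, a demime directory holding several extracted parts, and a part whose file name itself contains `": "`. The `run_clamdscan` helper shows the real invocation and is only usable when clamd and clamdscan are installed; the helper names are my own, and `Eicar-Test-Signature` is the name ClamAV of that era reported for the EICAR test file.

```python
"""Apply p3scan's virusregexp to clamdscan output the way the "basic" scanner type does:
run the configured command, match its output against the regexp, take group 1 as the
virus name (an empty name means clean, shown in the debug log as  vi : '').

Added example, not p3scan's code. The clamdscan outputs below are constructed; the
regexp, the spool paths and the --no-summary flag come from the thread.
"""
import re
import shutil
import subprocess
from typing import Tuple

VIRUSREGEXP = r".*: (.*) FOUND"   # virusregexp from p3scan.conf in the thread

# Constructed clamdscan output: clean file, default summary block still present.
CLEAN_WITH_SUMMARY = """\
/var/spool/p3scan/children/7406/p3scan.uCE4rb: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.002 sec (0 m 0 s)
"""
# Constructed: infected file, scanned with --no-summary.
INFECTED_NO_SUMMARY = (
    "/var/spool/p3scan/children/7406/p3scan.uCE4rb: Eicar-Test-Signature FOUND\n"
)
# Constructed: with demime enabled the scanner is handed a directory of extracted parts.
DEMIME_DIR = """\
/var/spool/p3scan/children/17214/p3scan.Khy4rb.dir/part0001.txt: OK
/var/spool/p3scan/children/17214/p3scan.Khy4rb.dir/invoice.exe: Eicar-Test-Signature FOUND
/var/spool/p3scan/children/17214/p3scan.Khy4rb.dir/part0003.html: OK
"""
# Constructed: an attachment name containing ": " must not confuse the greedy regexp.
COLON_IN_PATH = (
    "/var/spool/p3scan/children/17214/p3scan.Khy4rb.dir/Re: invoice.exe: "
    "Eicar-Test-Signature FOUND\n"
)


def virus_name(scanner_output: str, virusregexp: str = VIRUSREGEXP) -> str:
    """Return the first virus name the regexp extracts, or '' if no line matched.

    The leading greedy .* means the split happens at the last ': ' before ' FOUND',
    so colons inside the file path do not end up in the virus name.
    """
    rx = re.compile(virusregexp)
    for line in scanner_output.splitlines():
        m = rx.match(line)
        if m:
            return m.group(1)
    return ""


def verdict(exit_code: int, scanner_output: str) -> str:
    """Combine clamdscan's exit status (0 clean, 1 infected, 2 error) with the regexp."""
    name = virus_name(scanner_output)
    if exit_code == 2:
        return "error"                  # scanner could not run; do not treat as clean
    if exit_code == 1 or name:
        return f"infected:{name or 'unknown'}"
    return "clean"


def run_clamdscan(path: str) -> Tuple[int, str]:
    """Invoke the real scanner as p3scan's popen line does (stderr merged into stdout)."""
    exe = shutil.which("clamdscan")
    if exe is None:
        raise FileNotFoundError("clamdscan not installed")
    proc = subprocess.run([exe, "--no-summary", path], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


if __name__ == "__main__":
    for label, out, rc in (("clean", CLEAN_WITH_SUMMARY, 0),
                           ("infected", INFECTED_NO_SUMMARY, 1),
                           ("demime dir", DEMIME_DIR, 1),
                           ("colon path", COLON_IN_PATH, 1)):
        print(f"{label:<12} vi : {virus_name(out)!r:<24} -> {verdict(rc, out)}")
```

The `--no-summary` flag does not change what the regexp finds, since the summary block never contains `FOUND`; it only keeps the output p3scan has to read short. Treating exit status 2 as an error rather than as clean is the check worth keeping: clamdscan returns 2 when it cannot reach clamd, which is exactly the situation a wrong `user =` or a missing socket produces.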

----------

## magowiz

This is the log I get from p3scan:

```
13:03:35 p3scan[28010]: Initialize Context
13:03:35 p3scan[28010]: starting proxy
13:03:35 p3scan[28010]: POP3S Connection from 2.1.21.43:34199
13:03:35 p3scan[28010]: Real-server address is 209.85.135.109:995
13:03:35 p3scan[27983]: Forked, pid=28010, numprocs=1
13:03:35 p3scan[28010]: starting mainloop
13:03:35 p3scan[28010]: --> �=
13:03:35 p3scan[28010]: <-- +OK Gpop ready for requests from 85.18.201.162 y2pf4672124mug
13:03:35 p3scan[28010]: <-- -ERR bad command y2pf4672124mug
13:03:35 p3scan[28010]: Closing connection (no more input from server)
13:03:35 p3scan[28010]: Session done (Clean Exit). Mails: 0 Bytes: 0
13:03:35 p3scan[28010]: do_sigterm_proxy, signal -1
13:03:35 p3scan[28010]: Uninit context
13:03:35 p3scan[28010]: context_uninit done, exiting now
13:03:35 p3scan[27983]: waitpid: child 28010 died with status 0, numprocs is now 0
13:03:35 p3scan[27983]: Erasing /var/spool/p3scan/children/28010/ contents
13:03:35 p3scan[27983]: Removing directory /var/spool/p3scan/children/28010/
```

I also have the two rules you have. 

My p3scan.conf is:

```
maxchilds = 1000
user = clamav
scannertype = basic
scanner = /usr/bin/clamdscan
virusregexp = .*: (.*) FOUND
demime
timeout = 3000
sslport = 995
footer = /usr/bin/clamdscan -V
```

I had the two folders with the right permissions.

----------

## sybille

*magowiz wrote:*

> ```
> 13:03:35 p3scan[28010]: Initialize Context
> ...
> ```

I'd say that the problem is with what your computer is sending at the beginning of the connection, that is "�=". First you get an "OK ready for requests" response, but then before anything else is sent the connection is closed.

I noticed that the server says "Gpop" rather than "POP3". Do you know why?

Here's what the beginning of a successful negotiation looks like for me with p3scan run in debug mode:

```
13:20:16 p3scan[4400]: Initialize Context
13:20:16 p3scan[4400]: starting proxy
13:20:16 p3scan[4400]: POP3 Connection from 192.168.0.1:48118
13:20:16 p3scan[4400]: Real-server address is xxx.xxx.xxx.xxx:110
13:20:16 p3scan[4389]: Forked, pid=4400, numprocs=1
13:20:16 p3scan[4400]: starting mainloop
13:20:16 p3scan[4400]: <-- +OK POP3 server ready (7.1.026) <address.of.server>
13:20:16 p3scan[4400]: --> USER xxxxx
13:20:16 p3scan[4400]: USER 'xxxxx'
13:20:16 p3scan[4400]: <-- +OK Password required
13:20:16 p3scan[4400]: --> PASS xxxxx
13:20:16 p3scan[4400]: <-- +OK 1 messages
13:20:16 p3scan[4400]: --> STAT
13:20:16 p3scan[4400]: <-- +OK 1 42163
13:20:16 p3scan[4400]: --> UIDL
13:20:16 p3scan[4400]: <-- +OK
13:20:16 p3scan[4400]: <-- 1 29877
13:20:16 p3scan[4400]: <-- .
13:20:16 p3scan[4400]: --> LIST
13:20:16 p3scan[4400]: <-- +OK
13:20:16 p3scan[4400]: <-- 1 42163
13:20:16 p3scan[4400]: <-- .
13:20:16 p3scan[4400]: --> RETR 1
13:20:16 p3scan[4400]: RETR 1 (1)
13:20:16 p3scan[4400]: <-- +OK 42163 bytes
13:20:16 p3scan[4400]: Caught MIME/Subj line, closing header buffer.
13:20:16 p3scan[4400]: Informing email client to wait...
13:20:16 p3scan[4400]: notified=1
13:20:16 p3scan[4400]: got '.\r\n', mail is complete.
13:20:16 p3scan[4400]: Invoking scanner
```

You see that the server responds with an OK and that it is identified as a POP3 server, and then the proxy sends the username and password. There is no Gpop and no characters like "�=", although I suppose that may have to do with the fact that you are using SSL. In other words, something is being encrypted.

Did you make a NAT rule for the clamav user for port 995?
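The first bytes a client sends tell you immediately which case you are in. This is an added example, not code from the thread or from p3scan: it classifies the first write on a connection to the proxy as an SSL/TLS handshake record or as a POP3 command. The sample byte strings are constructed (a TLS 1.0 ClientHello prefix, an SSLv2-compatible hello as 2007-era clients still sent, and two plain commands); the actual bytes in magowiz's log are not recoverable from the page, where they were rendered as "�=". The interpretation in `diagnose` follows what the rest of the thread shows: with `sslport = 995` p3scan makes the SSL connection to the real server itself, so the mail client has to talk plain POP3 to the proxy.

```python
"""Tell an SSL/TLS handshake apart from a POP3 command in a client's first bytes.

Added example, not from the thread or from p3scan. The byte strings are constructed;
the real bytes magowiz's client sent are not recoverable from the log, where the
terminal rendered them as "\ufffd=".
"""
import re

# A POP3 command is 3-4 ASCII letters, an optional argument, then CRLF (RFC 1939).
POP3_COMMAND = re.compile(rb"^[A-Za-z]{3,4}( [^\r\n]*)?\r\n")

# Constructed samples of a client's first write to the p3scan port.
TLS10_CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"  # record 0x16, version 3.1
SSLV2_CLIENT_HELLO = b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10"  # high bit set, msg type 1
PLAIN_USER = b"USER magowiz\r\n"
PLAIN_CAPA = b"CAPA\r\n"


def classify_client_bytes(data: bytes) -> str:
    """Classify the first bytes of a client connection to the proxy."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-record"           # SSLv3/TLS handshake record (ClientHello)
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"   # SSLv2-compatible hello: 2-byte length, type 1
    if POP3_COMMAND.match(data):
        return "pop3-command"
    return "unknown"


def diagnose(data: bytes) -> str:
    """Map the classification to what it means for a p3scan deployment."""
    kind = classify_client_bytes(data)
    if kind in ("tls-record", "sslv2-client-hello"):
        return ("client is speaking SSL/TLS to the proxy; with sslport set, p3scan expects "
                "plain POP3 from the client and makes the SSL connection to the server itself")
    if kind == "pop3-command":
        return "plain POP3 from the client; the proxy can read the session"
    return "not POP3 and not an SSL/TLS handshake"


if __name__ == "__main__":
    for sample in (TLS10_CLIENT_HELLO, SSLV2_CLIENT_HELLO, PLAIN_USER, PLAIN_CAPA):
        print(f"{sample[:6]!r:<32} {classify_client_bytes(sample):<20} {diagnose(sample)}")
```

The same test can be done without code: `tcpdump -i lo -A port 8110` while the client connects shows either readable `USER`/`CAPA` lines or a binary blob starting with `0x16 0x03`. In p3scan's debug output the `-->` line right after `starting mainloop` is that first write.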

----------

## magowiz

Yes, my rules are:

```
-A OUTPUT -p tcp -m tcp --dport 110 -m owner --uid-owner clamav -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -m owner --uid-owner clamav -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j REDIRECT --to-ports 8110
-A OUTPUT -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
```

I think it says Gpop because the server is Gmail.

----------

## sybille

*magowiz wrote:*

> I think it says Gpop because the server is Gmail.

Can you try using a standard POP3 account somewhere (maybe even set one up at your ISP for testing purposes), in order to see if your configuration is OK in that context?

There seem to be some threads about using p3scan with gmail in the p3scan mailing lists on sourceforge: Link

Maybe there will be some ideas there.

----------

## magowiz

I disabled SSL and am now using Gmail on port 995 in plain text, but p3scan says:

```
--> RETR 1
14:11:03 p3scan[17214]: RETR 1 (1)
14:11:04 p3scan[17214]: <-- +OK message follows
14:11:04 p3scan[17214]: Caught MIME/Subj line, closing header buffer.
14:11:04 p3scan[17214]: Informing email client to wait...
14:11:04 p3scan[17214]: notified=1
14:11:04 p3scan[17214]: got '.\r\n', mail is complete.
14:11:04 p3scan[17214]: DeMIMEing to /var/spool/p3scan/children/17214/p3scan.Khy4rb.dir
14:11:04 p3scan[17214]: Invoking scanner
14:11:04 p3scan[17214]: Basic scanner says hello
14:11:04 p3scan[17214]: popen /usr/bin/clamdscan '/var/spool/p3scan/children/17214/p3scan.Khy4rb.dir' 2>&1
14:11:04 p3scan[17214]: vi : ''
14:11:04 p3scan[17214]: Scanner returned signal 0
14:11:04 p3scan[17214]: Basic scanner says goodbye (goodcode)
14:11:04 p3scan[17214]: Scanner returned 0
14:11:04 p3scan[17214]: Unlinking deMIMEd files
14:11:04 p3scan[16755]: ERR: Attention: child with pid 17214 died with abnormal termsignal (11)! This is probably a bug. Please report to the author. numprocs is now 0
14:11:04 p3scan[16755]: Erasing /var/spool/p3scan/children/17214/ contents
14:11:04 p3scan[16755]: Unlinking (/var/spool/p3scan/children/17214/p3scan.Khy4rb.dir)
14:11:04 p3scan[16755]: ERR: File Error! Could not erase /var/spool/p3scan/children/17214/p3scan.Khy4rb.dir
14:11:04 p3scan[16755]: Error cleaning child directory!
```

For some reason p3scan dies...

----------

## sybille

Well, it's working for me:

```
14:19:54 p3scan[7406]: <-- +OK 4282 octets
14:19:54 p3scan[7406]: Caught MIME/Subj line, closing header buffer.
14:19:54 p3scan[7406]: Informing email client to wait...
14:19:54 p3scan[7406]: notified=1
14:19:54 p3scan[7406]: got '.\r\n', mail is complete.
14:19:54 p3scan[7406]: Invoking scanner
14:19:54 p3scan[7406]: Basic scanner says hello
14:19:54 p3scan[7406]: popen /usr/bin/clamdscan --no-summary '/var/spool/p3scan/children/7406/p3scan.uCE4rb' 2>&1
14:19:54 p3scan[7406]: vi : ''
14:19:54 p3scan[7406]: Scanner returned signal 0
14:19:54 p3scan[7406]: Basic scanner says goodbye (goodcode)
14:19:54 p3scan[7406]: Scanner returned 0
14:19:54 p3scan[7406]: Scanning done, sending mail now.
14:19:54 p3scan[7406]: Sending done.
14:19:54 p3scan[7406]: Mail action complete
14:19:54 p3scan[7406]: --> DELE 1
14:19:54 p3scan[7406]: <-- +OK
14:19:54 p3scan[7406]: --> QUIT
14:19:54 p3scan[7406]: <-- +OK
14:19:54 p3scan[7406]: Closing connection (no more input from server)
14:19:54 p3scan[7406]: Session done (Clean Exit). Mails: 1 Bytes: 4207
14:19:54 p3scan[7406]: do_sigterm_proxy, signal -1
14:19:54 p3scan[7406]: Uninit context
14:19:54 p3scan[7406]: context_uninit done, exiting now
14:19:54 p3scan[7294]: waitpid: child 7406 died with status 0, numprocs is now 0
14:19:54 p3scan[7294]: Erasing /var/spool/p3scan/children/7406/ contents
14:19:54 p3scan[7294]: Removing directory /var/spool/p3scan/children/7406/
```

I'm not using the deMIMEing function. What happens if you turn that off in the config file?

----------

## magowiz

*sybille wrote:*

> Well, it's working for me:
>
> ```
> 14:19:54 p3scan[7406]: <-- +OK 4282 octets
> ...
> ```

I turned off demime as suggested and now it works!

----------

## sybille

Great!

----------

