$os_fingerprint_method and multiple servers
btb
listsb-amavis at bitrate.net
Wed Jul 16 23:31:34 CEST 2014
On 2014.07.15 08.10, Mark Martinec wrote:
> Ben,
>
>> thanks for this. if i set the following:
>>
>> my $p0f_analyzer_port = '10032';
>> $os_fingerprint_method = "p0f:*:$p0f_analyzer_port";
>>
>> amavis logs this message:
>>
>> Jul 14 15:56:34 mfa amavis[5329]: (05329-04) (!!)TROUBLE in check_mail:
>> os_fingerprint FAILED: Fingerprint bad IP address: ::ffff:10.3.70.5 at
>> (eval 137) line 45, <GEN43> line 40.
>>
>> mail arrives from 10.3.70.5 and 10.3.70.6.
>>
>> if i set:
>>
>> $os_fingerprint_method = "p0f:10.3.70.5:$p0f_analyzer_port";
>>
>> amavis seems to work as expected, and with tshark i see traffic arriving
>> at 10.3.70.5, so i believe the other bits are working properly.
>>
>> i know that ::ffff:10.3.70.5 is an ipv4 mapped ipv6 address, but how can
>> i troubleshoot this further?
>
> Looks like a version of amavisd and its p0f-analyzer.pl older
> than 2.8.1. In 2.8.1 the protocol between p0f-analyzer.pl and
> amavisd was enhanced to deal with IPv6 addresses, and in 2.9.0
> one bug regarding ipv4 mapped address normalization was fixed.
> I'm not sure if the latter affects your case, but the former
> certainly does.

i was using 2.7.1. shamefully, i was ignorant as to how old that was.
i've upgraded to 2.9.1, and that issue seems to be resolved. using
$os_fingerprint_method = "p0f:*:$p0f_analyzer_port";, i now see queries
hitting p0f-analyzer on both mail servers. however, the following is
now being logged:

(!!)TROUBLE in check_mail: os_fingerprint FAILED: Insecure dependency in
socket while running with -T switch at /usr/lib/perl/5.18/IO/Socket.pm
line 80
(!)PRESERVING EVIDENCE in
/var/lib/amavis/tmp/amavis-20140716T171849-22078-oMP0fbA8

it also appears that this doesn't necessarily happen every time a
message is processed. i know that sounds odd, so this may be a
misperception on my part.

how can i further troubleshoot this? for reference, the os is ubuntu
14.04, and perl is 5.18.2-2ubuntu1

-ben