p0f
Christian Rößner
c at roessner-network-solutions.com
Sun Sep 11 10:21:49 CEST 2016
Hi,
short: I do not get p0f working with amavis (I guess)
Details:
I started p0f this way:
p0f -i eth0 -u p0f "not src net x.x.x.x/x and port 25" 2>&1 | p0f-analyzer.pl 50000 &
The processes are running:
ps auxc | grep p0f
p0f 18222 0.0 0.1 17512 4620 ? S Sep10 0:09 p0f
root 18223 0.0 0.2 38560 8704 ? S Sep10 0:01 p0f-analyzer.pl
Port is reachable:
lsof -Pni :50000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
p0f-analy 18223 root 3u IPv6 3088475 0t0 UDP [::1]:50000
p0f-analy 18223 root 4u IPv4 3088477 0t0 UDP 127.0.0.1:50000
Amavis has these options set:
$os_fingerprint_method = 'p0f:[::1]:50000';
$allowed_added_header_fields{lc('X-Amavis-OS-Fingerprint')} = 1;
tcpdump shows data flow on port 50000.
I tried this in spamassassin local.cf (taken from the RELEASE_NOTES file):
describe __L_P0F_EXISTS A header field X-Amavis-OS-Fingerprint does exist
header __L_P0F_EXISTS exists:X-Amavis-OS-Fingerprint
describe L_P0F_WXP Remote system is truly a Windows XP, not Windows 2000
header L_P0F_WXP X-Amavis-OS-Fingerprint =~ /\AWindows XP(?![^(]*\b2000 SP)/m
score L_P0F_WXP 2.3
describe L_P0F_W Remote system is some Windows variant, except Win. XP
header L_P0F_W X-Amavis-OS-Fingerprint =~ /\AWindows(?! XP)/m
score L_P0F_W 1.3
describe L_P0F_UNKN P0f was unable to determine remote OS type
header L_P0F_UNKN X-Amavis-OS-Fingerprint =~ /\AUNKNOWN/m
score L_P0F_UNKN 0.8
describe L_P0F_Unix Remote system is running Unix, not Linux
header L_P0F_Unix X-Amavis-OS-Fingerprint =~ /\A((Free|Open|Net)BSD|Solaris|HP-UX|Tru64|AIX)/m
score L_P0F_Unix -1.0
describe L_P0F_Linux Remote system is running Linux
header L_P0F_Linux X-Amavis-OS-Fingerprint =~ /\ALinux/m
score L_P0F_Linux -0.1
Problem:
Not one email has the fingerprint header set. Even my spamassassin report shows that none of the rules were triggered.
Under which circumstances are these headers (as well as the X-Amavis-Penpals header, which is also not seen) visible?
Amavis runs as milter and as content_filter with different policy banks. For incoming mails, the milter is used. No special policy bank. Local users (recipients) are retrieved from LDAP. So the direction is clear. Example:
Sep 11 09:24:19 mx amavis[9551]: (09551-05) Passed CLEAN {AcceptedInternal}, AM.PDP-SOCK LOCAL [91.241.73.156] [91.241.73.156] <return at newsletter.gina-laura.com> -> <*****>, Queue-ID: 3sX2Vn1JDWzGnyF, Message-ID: <re-pPn1ZVQxfgr3twlBuxgwM5Npj4dbGh1p-1UFN5Q4Q-1UCSLXO6-181512CN at newsletter.gina-laura.com>, mail_id: QV2lz02w9LNy, Hits: 2.147, size: 59159, Tests: [BAYES_00=-0.2,DCC_CHECK=1.1,DKIM_SIGNED=-0.001,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VERIFIED=-0.1,HTML_IMAGE_RATIO_02=0.437,HTML_MESSAGE=0.001,MPART_ALT_DIFF_COUNT=1.112,RCVD_IN_DNSWL_NONE=-0.0001,SPF_HELO_PASS=-0.001,SPF_PASS=-0.001], 4447 ms
While I write this, I wonder why it is AcceptedInternal and LOCAL? Is it because of the AM.PDP-SOCK?
Thanks in advance
Christian
--
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, https://www.roessner-network-solutions.com
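The SpamAssassin rules quoted in the post, ported to Python so they can be checked offline against sample X-Amavis-OS-Fingerprint values. This is an added example, not code from the post, from amavis or from SpamAssassin; the sample header values are constructed in p0f v2 style and are not captured from the poster's system.

```python
import re

# The header rules from the post as Python regexes.
# Perl's /m is re.M; \A, \b and the lookaheads behave the same in Python.
RULES = [
    ("L_P0F_WXP",   re.compile(r"\AWindows XP(?![^(]*\b2000 SP)", re.M), 2.3),
    ("L_P0F_W",     re.compile(r"\AWindows(?! XP)", re.M), 1.3),
    ("L_P0F_UNKN",  re.compile(r"\AUNKNOWN", re.M), 0.8),
    ("L_P0F_Unix",  re.compile(r"\A((Free|Open|Net)BSD|Solaris|HP-UX|Tru64|AIX)", re.M), -1.0),
    ("L_P0F_Linux", re.compile(r"\ALinux", re.M), -0.1),
]


def evaluate(fingerprint):
    """Return {rule_name: score} for every rule that fires on one
    X-Amavis-OS-Fingerprint value. None means the header is absent,
    which is exactly the situation described in the post: nothing fires."""
    hits = {}
    if fingerprint is None:
        return hits                      # __L_P0F_EXISTS is false
    hits["__L_P0F_EXISTS"] = 0.0         # zero-score subrule from the post
    for name, rx, score in RULES:
        if rx.search(fingerprint):
            hits[name] = score
    return hits


def total(fingerprint):
    """Sum of the scores of the rules that fired."""
    return round(sum(evaluate(fingerprint).values()), 3)


# Constructed sample values (p0f v2 label style, made up for this example).
SAMPLES = {
    "xp_only":   "Windows XP SP1+ (up: 11 hrs) (distance 9)",
    "xp_or_2k":  "Windows XP SP1+, 2000 SP3 (distance 12)",   # ambiguous: no rule
    "win2k":     "Windows 2000 SP4 (distance 14)",
    "linux":     "Linux 2.6 (newer, 3) (up: 4 hrs) (distance 12)",
    "freebsd":   "FreeBSD 8.x (distance 10)",
    "unknown":   "UNKNOWN [S4:64:1:60:M1460,S,T,N,W7:.:?:?] (distance 8)",
    "no_header": None,
}

if __name__ == "__main__":
    for label, fp in SAMPLES.items():
        print(f"{label:10s} {total(fp):5.1f}  {sorted(evaluate(fp))}")
```

The "xp_or_2k" sample shows what the negative lookahead in L_P0F_WXP is for: a label that names both XP and 2000 fires neither Windows rule.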