AM.PDP protocol not submitting client port?

Bjørn Ruberg bjorn at ruberg.no
Thu Jan 26 01:19:28 CET 2017


Hello,

I've got a Postfix + Amavis setup where inbound mail is scanned with
Amavis via milter (amavisd-milter). To this setup I have added OS
fingerprinting with p0f, which I have had some problems getting in
working order.

While p0f-analyzer uses source IP + port for its OS mapping, I found
that in the milter setup, Amavis did not submit the client port when
querying p0f-analyzer. The requests from Amavis were logged like this
(IP address redacted):

 new:   [a.b.c.150]:53536 params; os; dist; raw_sig
 added: [a.b.c.150]:53536 link; raw_mtu
 query from  [127.0.0.1]:44766: [a.b.c.150] eJ3T5o4nYsJK
 response to [127.0.0.1]:44766: [a.b.c.150] eJ3T5o4nYsJK

And Amavis with increased log_level logged like this:

 Jan 26 01:00:06 r01 amavis[18080]: (18080-01) Fingerprint query:
[a.b.c.150]:0 eJ3T5o4nYsJK p0f:127.0.0.1:2345
 Jan 26 01:00:15 r01 amavis[18080]: (18080-01) Fingerprint collect:
max_wait=0.000, [a.b.c.150] eJ3T5o4nYsJK \r\n... =>

Reading the p0f-analyzer code, my understanding is that it maps OS
information to client IP and host, in this case [a.b.c.150]:53536. When
Amavis queries p0f-analyzer afterwards, it asks for [a.b.c.150]:0.

When performing OS fingerprinting with a "normal" Postfix + Amavis
setup, with Amavis listening on a TCP port and Postfix configured with
this as a filter, the fingerprinting works fine. In such a setup the
client port is successfully submitted to p0f-analyzer.

As a workaround I have modified p0f-analyzer to ignore the client port,
but I would rather avoid such a hack.

At this stage my findings have led me to believe that the problem is
that the AM.PDP protocol used with milter does not submit the client
port. The protocol documentation
(https://amavis.org/README.protocol.txt) mentions only client_address.
The Postfix milter documentation
(http://www.postfix.org/MILTER_README.html#macros) says that client IP
and port are always available.

Is it correct that the AM.PDP protocol does not support client port, and
is that the reason the OS fingerprinting fails in such a setup? If so,
could the protocol be extended to include the client port? Or did I miss
some configuration setting I would need for the client port to be included?

I will happily provide configurations if necessary, in the meantime
these are the versions of software involved:
* amavisd-new-2.10.1 (20141025)
* amavisd-milter 1.5.0
* p0f 3.09b
* p0f-analyzer 1.502
* postfix 3.1.0

PS: I believe this is the same problem mentioned (but not solved) in
https://lists.amavis.org/pipermail/amavis-users/2014-May/002925.html

Thanks in advance,

-- 
Bjørn
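The following Python is an added illustration, not code from the post above or from the amavisd-new, amavisd-milter or p0f-analyzer projects. It models the mismatch the post describes: an OS mapping keyed on (client IP, client port), queried with port 0, cannot match an entry recorded under the real port, while the port-ignoring workaround does match. The cache layout, OS strings and the sample log lines are constructed for the example (TEST-NET addresses in place of the redacted ones); the real p0f-analyzer wire format is not reproduced. The regex over the Amavis "Fingerprint query" lines doubles as a quick check for a deployment that is silently dropping the client port.

```python
"""Added example (not code from amavisd-new, amavisd-milter or p0f-analyzer).

Simplified model of the problem in the post: p0f-analyzer keys its OS
mapping on (client IP, client port), while Amavis behind amavisd-milter
queries with port 0.  Cache layout, OS strings and log lines below are
constructed for illustration; the real wire format is not reproduced.
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches the "Fingerprint query:" lines Amavis writes at a raised log_level.
# The line format follows the excerpt in the post; the addresses are constructed.
_QUERY_RE = re.compile(r"Fingerprint query: \[([^\]]+)\]:(\d+) (\S+)")

# Constructed sample log, modelled on the post's excerpt (TEST-NET addresses).
AMAVIS_LOG = """\
Jan 26 01:00:06 r01 amavis[18080]: (18080-01) Fingerprint query: [192.0.2.150]:0 eJ3T5o4nYsJK p0f:127.0.0.1:2345
Jan 26 01:00:15 r01 amavis[18081]: (18081-01) Fingerprint query: [192.0.2.151]:41022 Zq1Lm9Xo2PvA p0f:127.0.0.1:2345
"""


def parse_amavis_queries(log: str) -> List[Tuple[str, int, str]]:
    """Return (client_ip, client_port, nonce) for every fingerprint query line."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in _QUERY_RE.finditer(log)]


def portless_queries(log: str) -> List[Tuple[str, int, str]]:
    """Queries sent with port 0: the symptom of a path that dropped the
    client port (in the post, the amavisd-milter / AM.PDP path)."""
    return [q for q in parse_amavis_queries(log) if q[1] == 0]


class FingerprintCache:
    """Simplified model of p0f-analyzer's mapping: (ip, port) -> OS info."""

    def __init__(self) -> None:
        self._by_conn: Dict[Tuple[str, int], str] = {}

    def add(self, ip: str, port: int, os_info: str) -> None:
        # Corresponds to the "new: [ip]:port ..." lines in the p0f-analyzer log.
        self._by_conn[(ip, port)] = os_info

    def lookup(self, ip: str, port: int) -> Optional[str]:
        """Strict lookup, as the post infers p0f-analyzer does: a query for
        [ip]:0 cannot match an entry recorded under [ip]:53536."""
        return self._by_conn.get((ip, port))

    def lookup_ignoring_port(self, ip: str) -> Optional[str]:
        """Model of the post's workaround: match on IP alone, taking the most
        recently recorded connection.  The cost is that several clients
        sharing one address (e.g. behind NAT) become indistinguishable, so
        the result may belong to a different connection than the one
        being scanned."""
        matches = [os for (cip, _), os in self._by_conn.items() if cip == ip]
        return matches[-1] if matches else None


def demo() -> None:
    cache = FingerprintCache()
    cache.add("192.0.2.150", 53536, "Linux 3.x")  # constructed OS string
    for ip, port, nonce in parse_amavis_queries(AMAVIS_LOG):
        print(f"[{ip}]:{port} {nonce} -> strict={cache.lookup(ip, port)!r} "
              f"ignoring_port={cache.lookup_ignoring_port(ip)!r}")
    for ip, port, nonce in portless_queries(AMAVIS_LOG):
        print(f"client port missing for [{ip}] (nonce {nonce})")


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the strict lookup returning `None` for the port-0 query while the IP-only lookup returns the recorded entry, which is the behaviour the post observes before and after patching p0f-analyzer.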