Hello, I've got a Postfix + Amavis setup where inbound mail is scanned with Amavis via milter (amavisd-milter). To this setup I have added OS fingerprinting with p0f, which I have had some problems getting in working order.
While p0f-analyzer uses source IP + port for its OS mapping, I found that in the milter setup, Amavis did not submit the client port when querying p0f-analyzer. The requests from Amavis were logged like this (IP address redacted):

    new: [a.b.c.150]:53536 params; os; dist; raw_sig
    added: [a.b.c.150]:53536 link; raw_mtu
    query from [127.0.0.1]:44766: [a.b.c.150] eJ3T5o4nYsJK
    response to [127.0.0.1]:44766: [a.b.c.150] eJ3T5o4nYsJK

And Amavis with increased log_level logged like this:

    Jan 26 01:00:06 r01 amavis[18080]: (18080-01) Fingerprint query: [a.b.c.150]:0 eJ3T5o4nYsJK p0f:127.0.0.1:2345
    Jan 26 01:00:15 r01 amavis[18080]: (18080-01) Fingerprint collect: max_wait=0.000, [a.b.c.150] eJ3T5o4nYsJK \r\n...

Reading the p0f-analyzer code, my understanding is that it maps OS information to client IP and host, in this case [a.b.c.150]:53536. When Amavis queries p0f-analyzer afterwards, it asks for [a.b.c.150]:0.

When performing OS fingerprinting with a "normal" Postfix + Amavis setup, with Amavis listening on a TCP port and Postfix configured with this as a filter, the fingerprinting works fine. In such a setup the client port is successfully submitted to p0f-analyzer.

As a workaround I have modified p0f-analyzer to ignore the client port, but I would rather avoid such a hack.

At this stage my findings have led me to believe that the problem is that the AM.PDP protocol used with milter does not submit the client port. The protocol documentation (https://amavis.org/README.protocol.txt) mentions only client_address. The Postfix milter documentation (http://www.postfix.org/MILTER_README.html#macros) says that client IP and port are always available.

Is it correct that the AM.PDP protocol does not support the client port, and is that the reason the OS fingerprinting fails in such a setup? If so, could the protocol be extended to include the client port? Or did I miss some configuration setting I would need for the client port to be included?
I will happily provide configurations if necessary; in the meantime these are the versions of software involved:

* amavisd-new-2.10.1 (20141025)
* amavisd-milter 1.5.0
* p0f 3.09b
* p0f-analyzer 1.502
* postfix 3.1.0

PS: I believe this is the same problem mentioned (but not solved) in https://lists.amavis.org/pipermail/amavis-users/2014-May/002925.html

Thanks in advance,
-- Bjørn
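As an added illustration (not code from the post, nor from the Amavis or p0f-analyzer projects), the following script correlates the two kinds of log lines quoted above to confirm the lookup-key mismatch: p0f-analyzer stores the fingerprint under (client host, client port), while Amavis, via the milter path, queries with port 0. The `lookup` function also shows a host-only fallback, which is the illustrative equivalent of the "ignore the client port" workaround mentioned in the post; the sample log lines, the regexes and the function names are all constructed here, and `a.b.c.150` stays the poster's redacted placeholder.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the log lines quoted in the post.
# "a.b.c.150" is the poster's redacted address, kept here as a placeholder.
P0F_ANALYZER_LOG = """\
new: [a.b.c.150]:53536 params; os; dist; raw_sig
added: [a.b.c.150]:53536 link; raw_mtu
query from [127.0.0.1]:44766: [a.b.c.150] eJ3T5o4nYsJK
response to [127.0.0.1]:44766: [a.b.c.150] eJ3T5o4nYsJK
"""

AMAVIS_LOG = """\
Jan 26 01:00:06 r01 amavis[18080]: (18080-01) Fingerprint query: [a.b.c.150]:0 eJ3T5o4nYsJK p0f:127.0.0.1:2345
Jan 26 01:00:15 r01 amavis[18080]: (18080-01) Fingerprint collect: max_wait=0.000, [a.b.c.150] eJ3T5o4nYsJK \\r\\n...
"""

# "new: [host]:port ..." is where p0f-analyzer records a fingerprint for a client socket.
NEW_RE = re.compile(r"^new: \[([^\]]+)\]:(\d+)")
# Amavis logs the socket it asks about plus the random nonce it expects back.
QUERY_RE = re.compile(r"Fingerprint query: \[([^\]]+)\]:(\d+) (\S+)")


def parse_analyzer_records(log):
    """Return the set of (host, port) pairs p0f-analyzer stored fingerprints for."""
    records = set()
    for line in log.splitlines():
        m = NEW_RE.match(line)
        if m:
            records.add((m.group(1), int(m.group(2))))
    return records


def parse_amavis_queries(log):
    """Return [(host, port, nonce)] for every 'Fingerprint query' line Amavis logged."""
    queries = []
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries.append((m.group(1), int(m.group(2)), m.group(3)))
    return queries


def lookup(records, host, port):
    """Exact (host, port) match first; only if the caller sent port 0 (i.e. the
    port was never supplied) fall back to matching on host alone. This fallback
    is an illustration of the 'ignore the port' workaround, not p0f-analyzer code."""
    if (host, port) in records:
        return "exact"
    if port == 0 and any(h == host for h, _ in records):
        return "host_only"
    return "none"


def diagnose(analyzer_log, amavis_log):
    """Correlate each Amavis query with what p0f-analyzer actually stored."""
    records = parse_analyzer_records(analyzer_log)
    by_host = defaultdict(list)
    for h, p in records:
        by_host[h].append(p)
    findings = []
    for host, port, nonce in parse_amavis_queries(amavis_log):
        findings.append({
            "host": host,
            "queried_port": port,
            "nonce": nonce,
            "port_missing": port == 0,              # the milter-path symptom
            "exact_match": (host, port) in records,  # what a strict lookup sees
            "host_only_match": bool(by_host.get(host)),
            "stored_ports": sorted(by_host.get(host, [])),
            "resolution": lookup(records, host, port),
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(P0F_ANALYZER_LOG, AMAVIS_LOG):
        print(finding)
```

Run against the quoted lines, the single finding reports `port_missing` and `host_only_match` as true and `exact_match` as false, which is exactly the situation the post describes: the fingerprint exists for port 53536, but a query for port 0 can only succeed if the analyzer is willing to match on host alone.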
