From: Mark M. <Mar...@ij...> - 2009-09-28 15:43:04
Olivier,

> First I had to modify the line 110 of p0f-analyzer.pl because the
> queries submitted by amavisd-new are not of the form expected by
> p0f-analyzer:
>
>   p0f-analyzer expects: 203.159.32.1 41175 zzgbIwFRtSm0
>   amavisd-new sends: [203.159.32.1]:41175 zzgbIwFRtSm0
>
> The regular expression now reads:
>
>   ^\[?(\d+\.\d+\.\d+\.\d+)\]?[:\s]+(.*)$/s
>
> Now p0f receives and answers the requests from amavisd-new.

Seems you are using an old version of p0f-analyzer.pl with
a newer version of amavisd. Release notes on 2.6.0 say:

- updated p0f-analyzer.pl now supports a source port number information
  in queries while preserving backwards compatibility with previous
  versions of amavisd-new. Version 2.6.0 of amavisd requires a new version
  of p0f-analyzer.pl (supplied in the 2.6.0 distribution) if operating
  system fingerprinting is enabled. A source port number information in
  a query allows p0f-analyzer.pl to locate a matching entry in its cache
  faster and also more accurately when multiple connections are present
  from clients behind NAT using the same IP address. The source port
  number is made available to a content filter since Postfix version 2.5
  (20071004);

> But where is the fingerprint information used by amavis? I set
> amavis to log level 5, but I see no mention of the fingerprint.

Did you enable it in the amavisd.conf, e.g.:

  $os_fingerprint_method = 'p0f:127.0.0.1:2345';

Mark
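
The following is an added example in Python, not code from p0f-analyzer.pl or amavisd-new: it parses both query forms quoted in the thread and shows why the source port matters when two clients behind NAT share one IP address. The cache layout, the port-less query form, the lookup policy, and the OS labels are assumptions constructed for illustration.

```python
import ipaddress
import re

# Accepts both query forms quoted in the thread:
#   "203.159.32.1 41175 zzgbIwFRtSm0"  and  "[203.159.32.1]:41175 zzgbIwFRtSm0"
# Assumption: a port-less "IP nonce" query from an older client is accepted too.
QUERY_RE = re.compile(
    r"^\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"  # IPv4, optionally bracketed
    r"(?:[:\s]\s*(?P<port>\d{1,5}))?"           # optional source port
    r"\s+(?P<nonce>\S+)\s*$"                    # opaque nonce sent with the query
)

def parse_query(line):
    """Return (ip, port_or_None, nonce), or None for a malformed query."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.IPv4Address(m["ip"]))  # rejects e.g. 999.1.1.1
    except ValueError:
        return None
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 0 < port <= 65535:
        return None
    return ip, port, m["nonce"]

def lookup(cache, ip, port):
    """cache: list of (ip, port, os_label), oldest first (hypothetical layout)."""
    for c_ip, c_port, label in reversed(cache):
        # With a port, require an exact (ip, port) match; without one, the
        # newest entry for the IP is the best available guess.
        if c_ip == ip and (port is None or c_port == port):
            return label
    return None

def fingerprint_for(cache, line):
    parsed = parse_query(line)
    return lookup(cache, parsed[0], parsed[1]) if parsed else None

# Constructed sample: two connections from one NAT address, different systems.
CACHE = [
    ("203.159.32.1", 41175, "os-A (constructed)"),
    ("203.159.32.1", 52011, "os-B (constructed)"),
]

if __name__ == "__main__":
    for q in ("[203.159.32.1]:41175 zzgbIwFRtSm0",
              "203.159.32.1 41175 zzgbIwFRtSm0",
              "203.159.32.1 zzgbIwFRtSm0"):
        print(q, "->", fingerprint_for(CACHE, q))
```

The port-less query returns the newest entry for the address, which here belongs to the other client behind the same NAT.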