I have been trying to get p0f-analyzer to successfully insert sender OS inference headers into my email for many years on and (mostly) off for quite some time. I thought I might give it another go now that I'm up to current again finally.
FreeBSD 14.1-RELEASE-p6 #1
p0f-3.09b_1
amavisd-new-2.12.3_6,1
postfix-3.9.1,1
dovecot-2.3.21.1_1
perl5-5.36.3_2
I've taken the necessary steps to give p0f bpf packet visibility inside the jail in a way that seems to be compatible with the various programs that make a mail stack:
On the host:
/etc/devfs.rules
Code:
[devfsrules_jail_bpf=7]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path fuse unhide
add path zfs unhide
add path 'bpf*' unhide
and in the individual jail file in
/etc/jail.conf.d/jail.conf
Code:
# PERMISSIONS
allow.raw_sockets;
exec.clean;
mount.devfs;
devfs_ruleset = 7;
(Note: setting enforce_statfs = 1; resulted in a very fast mail loop; not setting it seems to work.)
With this config, running
# p0f
in the jail yields something like
Code:
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---
[+] Loaded 322 signatures from '/usr/local/etc/p0f.fp'.
[+] Intercepting traffic on default interface 'bge0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.
.-[ 167.235.250.18/39402 -> 10.3.69.130/443 (syn) ]-
|
| client = 167.235.250.18/39402
| os = Linux 2.2.x-3.x
| dist = 25
| params = generic
| raw_sig = 4:39+25:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0
--
.-[ 188.245.228.25/24689 -> 10.3.69.130/443 (syn) ]-
|
| client = 188.245.228.25/24689
| os = Linux 2.2.x-3.x
| dist = 25
| params = generic
| raw_sig = 4:39+25:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0
--
Coolio!
But Amavisd logs:
Code:
Jan 22 19:45:52 amavis[90286]: (90286-02) (!!)TROUBLE in check_mail: os_fingerprint FAILED: Bad p0f method syntax: 1 at (eval 192) line 36, <GEN23> line 23.
Jan 22 19:45:52 postfix/smtp[29451]: 34F9C1A31E6: to=<me@myaddress>, relay=127.0.0.1[127.0.0.1]:10024, delay=347, delays=347/0.03/0/0.78, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=90286-02, os_fingerprint FAILED: Bad p0f method syntax: 1 at (eval 192) line 36, <GEN23> line 23. (in reply to end of DATA command))
Jan 22 19:45:52 postfix/smtp[29451]: 34F9C1A31E6: to=<me@gmail_address>, relay=127.0.0.1[127.0.0.1]:10024, delay=347, delays=347/0.03/0/0.78, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=90286-02, os_fingerprint FAILED: Bad p0f method syntax: 1 at (eval 192) line 36, <GEN23> line 23. (in reply to end of DATA command))
The relevant /usr/local/etc/amavisd.conf settings are (with local set to check just for experiments, normally set to undef):
Code:
$policy_bank{'MYNETS'} = { # mail originating from @mynetworks
originating => 1, # is true in MYNETS by default, but let's make it explicit
os_fingerprint_method => 1, # don't query p0f for internal clients
};
....
$os_fingerprint_method = 'p0f:*:2345'; # to query p0f-analyzer.pl
It looks like a code problem in the perl script, but usually with Amavisd it is a config issue. Any hints?
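As an added example (not part of the original post or of p0f/amavisd), a Python parser for the p0f observation blocks quoted above, decoding each raw_sig according to p0f v3's TCP signature layout (ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass); the input is the first SYN block from the post, and the decoded initial TTL (39 observed + 25 hops = 64) is what ties the guess to Linux.

```python
import re

# Input: the first SYN observation quoted in the post above, copied verbatim.
P0F_OUTPUT = """\
.-[ 167.235.250.18/39402 -> 10.3.69.130/443 (syn) ]-
|
| client = 167.235.250.18/39402
| os = Linux 2.2.x-3.x
| dist = 25
| params = generic
| raw_sig = 4:39+25:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0
--
"""
HEADER = re.compile(r"^\.-\[ (\S+) -> (\S+) \((\w+)\) \]-$")
FIELD = re.compile(r"^\| (\w+)\s+= (.*)$")

def parse_raw_sig(sig):
    """Decode a p0f v3 TCP raw_sig: ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass."""
    ver, ittl, olen, mss, window, olayout, quirks, pclass = sig.split(":")
    # "39+25" is the TTL seen on the wire plus p0f's hop estimate; "64" alone means dist 0
    ttl_seen, _, dist = ittl.partition("+")
    ttl_seen, dist = int(ttl_seen), int(dist or 0)
    wsize, scale = window.split(",")
    mss_val = None if mss == "*" else int(mss)
    if wsize.startswith("mss*") and mss_val is not None:
        win = mss_val * int(wsize[4:])       # window given as a multiple of MSS
    else:
        win = int(wsize) if wsize.isdigit() else None  # "*", "mtu*N" and "%N" left undecoded
    return {
        "ip_version": int(ver), "ttl_seen": ttl_seen, "dist": dist,
        "initial_ttl": ttl_seen + dist,      # 39 + 25 = 64, the default Linux initial TTL
        "ip_opt_len": int(olen), "mss": mss_val, "window": win,
        "wscale": None if scale == "*" else int(scale),
        "tcp_options": olayout.split(","),
        "quirks": quirks.split(",") if quirks else [],
        "payload_class": pclass,
    }

def parse_p0f_output(text):
    """Group p0f's stdout into one dict per '.-[ ... ]-' observation block."""
    obs, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"src": m.group(1), "dst": m.group(2), "kind": m.group(3)}
            obs.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            key, val = m.groups()
            cur[key] = parse_raw_sig(val) if key == "raw_sig" else val
    return obs
```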