Re: [AMaViS-user] p0f-analyzer load balancing problem

From: Bartłomiej Rutkowski <brutkowski(at)lerkins.com>
Date: Thu Nov 29 2007 - 03:19:07 EST

On Wed, 28 Nov 2007 15:49:27 +0000
Robert Brooks <robb@webtechnologygroup.co.uk> wrote:

> Bartłomiej Rutkowski wrote:
> > On Tue, 20 Nov 2007 14:45:59 +0100
> > Mark Martinec <Mark.Martinec+amavis@ijs.si> wrote:
> >
> >> Bartek,
> >>
> >>> I am building new mail infrastructure in my company, and I have
> >>> came to place where it seems that os fingerprinting technique
> >>> cannot be used.
> >>>
> >>> This is how the situation looks like: I have couple of smtpd
> >>> servers which are collecting mails from Internet, they are
> >>> working with CARP under one IP and then they are load balanced
> >>> via haproxy. They got the mail, and send it for checks to other
> >>> CARP group of servers with amavis installed. All of them are
> >>> meant to run p0f-analyzer to give other hosts which are doing
> >>> AS&AV checks bit more info, but... amavis can ask only one host
> >>> for information about IP/OS.
> >>>
> >>> The problem is - how to make those
> >>> amavis boxes to ask the proper one, this is, the one who actually
> >>> handled the connection? This is serious issue as it is rendering
> >>> the p0f functionality totally unusable in real life scenario -
> >>> separated and load balanced hosts for receiving, checking and
> >>> delivering mail.
> >> amavisd can send a p0f query to the same IP address the SMTP
> >> connection came from: $os_fingerprint_method = 'p0f:[*]:2345'
> >> Doesn't each MTA have its own IP address on the inside?
> >>
> >> Mark
> >>
> > Well, I set it up as you pointed me to, but then I am getting:
> >
> > Nov 28 17:27:58 scanner00 amavis[91708]: (91708-01) (!!)TROUBLE in
> > check_mail: os_fingerprint FAILED: Bad arg length for
> > Socket::pack_sockaddr_in, length is 0, should be 4
> > at /usr/local/lib/perl5/5.8.8/mach/Socket.pm line 373, <GEN16> line
> > 8. Nov 28 17:27:58 scanner00 amavis[91708]: (91708-01) (!)PRESERVING
> > EVIDENCE in /var/amavis/tmp/amavis-20071128T172758-91708
> >
> > and my setting looks like:
> >
> > $policy_bank{'MX00'} = {
> > forward_method => 'smtp:[10.10.3.9]:10025',
> > $os_fingerprint_method =>'p0f:[*]:1234',
> > };
> >
> > Both amavisd and p0f are latest versions. Any clue what is going on
> > here?
>
> I think that should be * not [*], but I'm willing to be wrong.
>
> Regards,
>
> Rob

Well, in that case it works better, but still not as it should be:

Nov 29 10:17:52 scanner00 amavis[6782]: (06782-03) dynamic destination: p0f:*:1234 -> p0f:[10.10.3.244]:1234

10.10.3.244 is actually ip number of scanner00, so it is trying to ask itself?
Also, I can see now something like that:

Nov 29 10:17:52 scanner00 amavis[6782]: (06782-02) (!)loading policy bank "MX00": unknown field ""
Nov 29 10:17:52 scanner00 amavis[6782]: (06782-02) loaded policy bank "MX00"

while my MX00 policy bank is:

$interface_policy{'10049'} = 'MX00';
$interface_policy{'10024'} = 'MX01';
$policy_bank{'MX00'} = {

  forward_method => 'smtp:[10.10.3.9]:10025',   $os_fingerprint_method =>'p0f:*:1234', };
$policy_bank{'MX01'} = {
  forward_method => 'smtp:[10.10.3.9]:10025',   $os_fingerprint_method => 'p0f:*:1234', };

What is going on here? Am I missing something?

Kind regards,
Bartek

---

SF.Net email is sponsored by: The Future of Linux Business White Paper from Novell. From the desktop to the data center, Linux is going mainstream. Let it simplify your IT future. http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4

---

AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/ Received on Thu Nov 29 03:20:42 2007