[milters] Archive


Article: 1609
From: S y s C o / lz
Date: 2007-06-05 04:28:18 -0400
Subject: milter-p0f error

Hi,

We have been using sendmail with milter-greylist & clamav for a few
years, and the recent spam increase made us look for more. So we
discovered the snertsoft milters collection.

I installed milter-p0f and libsnert (RedHat EL3) and have a problem. Here's
the full log of a call:


Jun  5 10:07:09 sysnux milter-p0f[1744]: 00061 NOQUEUE: filterOpen(90e7b38, 'somehost.hotmail.com', [65.xx.xx.xx])
Jun  5 10:07:09 sysnux milter-p0f[1744]: socketOpen(90e7210, 1) s=90e8758 s.fd=2
Jun  5 10:07:09 sysnux milter-p0f[1744]: enter socketClient(90e8758, 60000) s.fd=2
Jun  5 10:07:09 sysnux milter-p0f[1744]: exit  socketClient(90e8758, 60000) s.fd=2 errno=0 rc=0
Jun  5 10:07:09 sysnux milter-p0f[1744]: 00061 NOQUEUE: > src 65.xx.xx.xx port 19023 dst 212.xx.xx.xx port 25
Jun  5 10:07:09 sysnux milter-p0f[1744]: socketHasInput(90e8758, 60000) s.fd=2 readOffset=0 readLength=0 rc=1
Jun  5 10:07:09 sysnux milter-p0f[1744]: socketClose(90e8758) s.fd=2
Jun  5 10:07:09 sysnux milter-p0f[1744]: 00061 NOQUEUE: < 144 bytes
Jun  5 10:07:09 sysnux milter-p0f[1744]: 00061 NOQUEUE: p0f server query error (1)
Jun  5 10:07:09 sysnux milter-p0f[1744]: 00000 NOQUEUE: filterClose(90e7b38)

Without verbose=all, only the "p0f server query error" is logged. And
the mail has no 'X-milter-p0f-Report' header.


Of course p0f is running and, if I put an "-o /tmp/p0f.out" instead
of "-o /dev/null" I can see the p0f results:

tail -f /tmp/p0f.out
<Tue Jun  5 10:09:31 2007> 123.xx.xx.xx:2610 - Windows 2000 SP4, XP SP1+
  -> 212.xx.xx.xx:25 (distance 15, link: pppoe (DSL))
<Tue Jun  5 10:09:37 2007> 61.xx.xx.xx:61613 - Windows 2000 SP2+, XP SP1+ (seldom 98)
  -> 212.xx.xx.xx:25 (distance 18, link: sometimes DSL (4))
<Tue Jun  5 10:09:43 2007> 84.xx.xx.xx:3469 - Windows XP SP1+, 2000 SP4 (3)
  -> 212.xx.xx.xx:25 (distance 12, link: pppoe (DSL))
<Tue Jun  5 10:09:45 2007> 70.xx.xx.xx:50519 - Windows 2000 SP4, XP SP1+
  -> 212.xx.xx.xx:25 (distance 13, link: pppoe (DSL))
<Tue Jun  5 10:09:51 2007> 125.xx.xx.xx:59893 - Windows 2000 SP4, XP SP1+
  -> 212.xx.xx.xx:25 (distance 19, link: pppoe (DSL))

Both sockets exist and meet minimum requirements:
srw-r--r--    1 root     root            0 Jun  5 10:01 /var/run/milter/milter-p0f.socket=
srwxrwxrwx    1 root     root            0 Jun  5 10:01 /var/run/p0f.socket=

I also tried to use the RHEL3 sendmail user:
run-group=smmsp
run-user=smmsp
But no difference with/without.

lsof output:
[root@sysnux mail]# lsof |grep p0f
p0f        4065   root  cwd    DIR        9,0     4096         2 /
p0f        4065   root  rtd    DIR        9,0     4096         2 /
p0f        4065   root  txt    REG        9,0    43320    616209 /usr/sbin/p0f
p0f        4065   root  mem    REG        9,0   102480    539678 /lib/ld-2.3.2.so
p0f        4065   root  mem    REG        9,0   113124    474826 /usr/lib/libpcap.so.0.6.2
p0f        4065   root  mem    REG        9,0  1516255    883075 /lib/tls/libc-2.3.2.so
p0f        4065   root    1w   REG        9,0  2029486    310066 /tmp/p0f.out
p0f        4065   root    2w   REG        9,0  2029486    310066 /tmp/p0f.out
p0f        4065   root    3u  unix 0xcfe97100          149904241 /var/run/p0f.socket
p0f        4065   root    4u  sock        0,0          149904243 can't identify protocol
milter-p0  4105   root  txt    REG        9,0  1022411    902158 /usr/local/sbin/milter-p0f
milter-p0  4105   root    0u  unix 0xc578f100          149905143 /var/run/milter/milter-p0f.socket

ps aux:
[root@sysnux mail]# ps aux|grep p0f
root      4065  0.0  0.0  1764  720 ?        S    10:18   0:00 p0f -d -i eth1 -o /tmp/p0f.out -q -Q /var/run/p0f.socket dst port 25
root      4105  0.0  0.0 33544 1000 ?        S    10:18   0:00 /usr/local/sbin/milter-p0f

I probably just missed a detail; can someone give me a direction
where to look?

Best regards

-- 
# Lol Zimmerli  //  S y s C o ®  //  http://www.sysco.ch/
Take care to branch the right way on equality.
            - The Elements of Programming Style (Kernighan & Plauger)

