Difference between revisions of "Qpsmtpd:ident/p0f"

From SME Server
Jump to navigationJump to search
(Created page with "<span id="_top">Qpsmtpd#Plugins</span> = NAME = p0f - A TCP Fingerprinting Identification Plugin = SYNOPSIS = Use TCP fingerprint info (remote c...")
 
(No difference)

Latest revision as of 14:14, 8 April 2019

Qpsmtpd#Plugins

NAME

p0f - A TCP Fingerprinting Identification Plugin

SYNOPSIS

Use TCP fingerprint info (remote computer OS, network distance, etc) to implement more sophisticated anti-spam policies.

DESCRIPTION

This p0f module inserts a p0f connection note with information deduced from the TCP fingerprint. The note typically includes at least the link, detail, distance, uptime, genre. Here's a p0f v2 example:

 genre    => FreeBSD
 detail   => 6.x (1)
 uptime   => 1390
 link     => ethernet/modem
 distance => 17

Which was parsed from this p0f fingerprint:

  24.18.227.2:39435 - FreeBSD 6.x (1) (up: 1390 hrs)
    -> 208.75.177.101:25 (distance 17, link: ethernet/modem)

When using p0f v3, the following additional values may also be available in the p0f connection note:

magic, status, first_seen, last_seen, total_conn, uptime_min, up_mod_days, last_nat, last_chg, distance, bad_sw, os_match_q, os_name, os_flavor, http_name, http_flavor, link_type, and language.

MOTIVATION

This p0f plugin provides a way to make sophisticated policies for email messages. For example, the vast majority of email connections to my server from Windows computers are spam (>99%). But, I have clients with Exchange servers so I can't block email from all Windows computers.

Same goes for greylisting. Finance companies (AmEx, BoA, etc) send notices that they don't queue and retry. They deliver immediately or never. Enabling greylisting means maintaining manual whitelists or losing valid messages.

While I'm not willing to use greylisting for every connection, and I'm not willing to block connections from Windows computers, I am willing to greylist all email from Windows computers.

CONFIGURATION

Configuration consists of two steps: starting p0f and configuring this plugin.

start p0f

Create a startup script for p0f that creates a communication socket when your server starts up.

p0f v2 example:

 p0f -u qpsmtpd -d -q -Q /tmp/.p0f_socket2 'dst port 25' -o /dev/null
 chown qpsmtpd /tmp/.p0f_socket2

p0f v3 example:

 p0f -u qpsmtpd -d -s /tmp/.p0f_socket3 'dst port 25'
 chown qpsmtpd /tmp/.p0f_socket3

configure p0f plugin

add an entry to config/plugins to enable p0f:

 ident/p0f /tmp/.p0f_socket3

It's even possible to run both versions of p0f simultaneously:

 ident/p0f:2 /tmp/.p0f_socket2 version 2
 ident/p0f:3 /tmp/.p0f_socket3

local_ip

Use local_ip to override the IP address of your mail server. This is useful if your mail server runs on a private IP behind a firewall. My mail server has the IP 127.0.0.6, but the world knows my mail server as 208.75.177.101.

Example config/plugins entry with local_ip override:

  ident/p0f /tmp/.p0f_socket local_ip 208.75.177.101

version

The version settings specifies the version of p0f you are running. This plugin supports p0f versions 2 and 3. If version is not defined, version 3 is assumed.

Example entry specifying p0f version 2

  ident/p0f /tmp/.p0f_socket version 2

smite_os

Assign -1 karma to senders whose OS match the regex pattern supplied. I only recommend using with this p0f 3, as it's OS database is far more reliable than p0f v2.

Example entry:

  ident/p0f /tmp/.p0f_socket smite_os windows

add_headers <true|false>

Add message headers with p0f data

  ident/p0f [ add_headers (true|false) ]

Example entry disabling header addition

  ident/p0f /tmp/.p0f_socket add_headers false

Default: true

CONFIGURATION FILES

p0f_blocked_operating_systems

If populated, systems that match the phrases and regular expressions in this list will be rejected.

Regular expressions are case-insensitive.

Example entries:

Windows XP /windows/

Default: none (p0f rejections disabled)

Environment requirements

p0f v3 requires only the remote IP.

p0f v2 requires four pieces of information to look up the p0f fingerprint: local_ip, local_port, remote_ip, and remote_port. TcpServer.pm has been has been updated to provide that information when running under djb's tcpserver. The forkserver and prefork models will likely require some additional changes to make sure these fields are populated.

ACKNOWLEDGEMENTS

Version 2 code heavily based upon the p0fq.pl included with the p0f distribution.

AUTHORS

2004 - Robert Spier ( original author )

2010 - Matt Simerson - added local_ip option

2012 - Matt Simerson - refactored, added v3 support