5,034 bytes added, 14:14, 8 April 2019
<span id="_top">[[Qpsmtpd#Plugins]]</span>
= [[#___top|NAME]] =

p0f - A TCP Fingerprinting Identification Plugin

= [[#___top|SYNOPSIS]] =

Use TCP fingerprint info (remote computer OS, network distance, etc.) to implement more sophisticated anti-spam policies.

= [[#___top|DESCRIPTION]] =

This p0f module inserts a ''p0f'' connection note with information deduced from the TCP fingerprint. The note typically includes at least the link, detail, distance, uptime, and genre. Here's a p0f v2 example:

<pre> genre =&gt; FreeBSD
detail =&gt; 6.x (1)
uptime =&gt; 1390
link =&gt; ethernet/modem
distance =&gt; 17</pre>
These values were parsed from this p0f fingerprint:

<pre> 24.18.227.2:39435 - FreeBSD 6.x (1) (up: 1390 hrs)
-&gt; 208.75.177.101:25 (distance 17, link: ethernet/modem)</pre>
When using p0f v3, the following additional values may also be available in the ''p0f'' connection note:

<blockquote>magic, status, first_seen, last_seen, total_conn, uptime_min, up_mod_days, last_nat, last_chg, distance, bad_sw, os_match_q, os_name, os_flavor, http_name, http_flavor, link_type, and language.
</blockquote>
= [[#___top|MOTIVATION]] =

This p0f plugin provides a way to make sophisticated policies for email messages. For example, the vast majority of email connections to my server from Windows computers are spam (&gt;99%). But, I have clients with Exchange servers so I can't block email from all Windows computers.

Same goes for greylisting. Finance companies (AmEx, BoA, etc) send notices that they don't queue and retry. They deliver immediately or never. Enabling greylisting means maintaining manual whitelists or losing valid messages.

While I'm not willing to use greylisting for every connection, and I'm not willing to block connections from Windows computers, I am willing to greylist all email from Windows computers.

= [[#___top|CONFIGURATION]] =

Configuration consists of two steps: starting p0f and configuring this plugin.

== [[#___top|start p0f]] ==

Create a startup script for p0f that creates a communication socket when your server starts up.

p0f v2 example:

<pre> p0f -u qpsmtpd -d -q -Q /tmp/.p0f_socket2 'dst port 25' -o /dev/null
chown qpsmtpd /tmp/.p0f_socket2</pre>
p0f v3 example:

<pre> p0f -u qpsmtpd -d -s /tmp/.p0f_socket3 'dst port 25'
chown qpsmtpd /tmp/.p0f_socket3</pre>
== [[#___top|configure p0f plugin]] ==

Add an entry to config/plugins to enable p0f:

<pre> ident/p0f /tmp/.p0f_socket3</pre>
It's even possible to run both versions of p0f simultaneously:

<pre> ident/p0f:2 /tmp/.p0f_socket2 version 2
ident/p0f:3 /tmp/.p0f_socket3</pre>
== [[#___top|local_ip]] ==

Use ''local_ip'' to override the IP address of your mail server. This is useful if your mail server runs on a private IP behind a firewall. My mail server has the IP 127.0.0.6, but the world knows my mail server as 208.75.177.101.

Example config/plugins entry with local_ip override:

<pre> ident/p0f /tmp/.p0f_socket local_ip 208.75.177.101</pre>
== [[#___top|version]] ==

The version setting specifies the version of p0f you are running. This plugin supports p0f versions 2 and 3. If version is not defined, version 3 is assumed.

Example entry specifying p0f version 2:

<pre> ident/p0f /tmp/.p0f_socket version 2</pre>
== [[#___top|smite_os]] ==

Assign -1 karma to senders whose OS matches the regex pattern supplied. I only recommend using this with p0f v3, as its OS database is far more reliable than p0f v2's.

Example entry:

<pre> ident/p0f /tmp/.p0f_socket smite_os windows</pre>
== [[#___top|add_headers &lt;true|false&gt;]] ==

Add message headers with p0f data

<pre> ident/p0f [ add_headers (true|false) ]</pre>
Example entry disabling header addition:

<pre> ident/p0f /tmp/.p0f_socket add_headers false</pre>
Default: true

= [[#___top|CONFIGURATION FILES]] =

== [[#___top|p0f_blocked_operating_systems]] ==

If populated, systems that match the phrases and regular expressions in this list will be rejected.

Regular expressions are case-insensitive.

Example entries:

<pre> Windows XP
/windows/</pre>

Default: none (p0f rejections disabled)
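As an added stand-alone illustration (Python, not the plugin's own Perl code), this ties together the two pieces described above: turning the p0f v2 fingerprint quoted in DESCRIPTION into the note fields, and then applying p0f_blocked_operating_systems entries and a smite_os pattern to the result. The split of the OS string into genre/detail, and the case-insensitive matching of plain phrases and of smite_os, are assumptions made here, not behaviour the page documents.

```python
import re

# Constructed sample, modelled on the p0f v2 fingerprint quoted in DESCRIPTION.
SAMPLE_P0F_V2 = """ 24.18.227.2:39435 - FreeBSD 6.x (1) (up: 1390 hrs)
-> 208.75.177.101:25 (distance 17, link: ethernet/modem)"""

# Constructed sample of a p0f_blocked_operating_systems config file.
SAMPLE_BLOCKED = ["Windows XP", "/windows/"]

# Line 1: "<remote_ip>:<port> - <OS string> (up: <hours> hrs)"; uptime is optional.
_LINE1 = re.compile(r"^\s*(\S+):(\d+) - (.+?)(?: \(up: (\d+) hrs\))?\s*$")
# Line 2: "-> <local_ip>:<port> (distance <n>, link: <type>)"
_LINE2 = re.compile(r"^\s*->\s*(\S+):(\d+) \(distance (\d+), link: (.+)\)\s*$")


def parse_p0f_v2(text):
    """Turn a two-line p0f v2 fingerprint into the note fields shown on the page.
    Assumption: genre is the first word of the OS string, detail the remainder."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 2:
        raise ValueError("expected two p0f lines")
    m1, m2 = _LINE1.match(lines[0]), _LINE2.match(lines[1])
    if not (m1 and m2):
        raise ValueError("unrecognised p0f v2 output")
    genre, _, detail = m1.group(3).partition(" ")
    return {
        "genre": genre,
        "detail": detail,
        "uptime": int(m1.group(4)) if m1.group(4) else None,
        "distance": int(m2.group(3)),
        "link": m2.group(4),
    }


def compile_blocked(entries):
    """/.../ entries are case-insensitive regexes (as the page states); anything
    else is a literal phrase, here also matched case-insensitively (assumption)."""
    patterns = []
    for e in (x.strip() for x in entries):
        if len(e) > 1 and e.startswith("/") and e.endswith("/"):
            patterns.append(re.compile(e[1:-1], re.IGNORECASE))
        elif e:
            patterns.append(re.compile(re.escape(e), re.IGNORECASE))
    return patterns


def os_string(note):
    return f"{note['genre']} {note['detail']}".strip()


def is_blocked(note, patterns):
    """True if any p0f_blocked_operating_systems entry matches the OS string."""
    return any(p.search(os_string(note)) for p in patterns)


def smite_karma(note, smite_os):
    """-1 karma when smite_os matches the OS (case-insensitive, assumed), else 0."""
    return -1 if smite_os and re.search(smite_os, os_string(note), re.IGNORECASE) else 0
```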

= [[#___top|Environment requirements]] =

p0f v3 requires only the remote IP.

p0f v2 requires four pieces of information to look up the p0f fingerprint: local_ip, local_port, remote_ip, and remote_port. TcpServer.pm has been updated to provide that information when running under djb's tcpserver. The forkserver and prefork models will likely require some additional changes to make sure these fields are populated.

= [[#___top|ACKNOWLEDGEMENTS]] =

Version 2 code heavily based upon the p0fq.pl included with the p0f distribution.

= [[#___top|AUTHORS]] =

2004 - Robert Spier (original author)

2010 - Matt Simerson - added local_ip option

2012 - Matt Simerson - refactored, added v3 support

<!-- Generated Mon Apr 8 09:14:33 EDT 2019 using
perldoc -T -ohtml $plugins/$1 \|pandoc -f html -t mediawiki \|sed '1 i\\n\n\n<span id="_top">[[Qpsmtpd#Plugins]]</span>' \|sed -e 's#</d.>##'
-->
----
[[Category:Qpsmtpd|ident/p0f]]