Yahoo Groups archive

Milter-greylist

How do you configure p0f?

2010-03-16 by Michael Mansour

Hi,

I'm not sure how to go through the configuration of p0f in milter-greylist.

I've searched the wiki and the web and couldn't find anything related to this.

I've compiled milter-greylist with p0f support and I have installed the p0f
software, but I don't know at this point how milter-greylist communicates with
the p0f software (or if it even needs it - I guess it does).

I'm running the p0f software and it is seeing the OS of connecting machines,
but I'm hoping there's some help somewhere which tells me how mgl uses this
and whether there's some example ACL's I could base rules on in greylist.conf?

Any help here is appreciated. Thanks.

Michael.

Re: How do you configure p0f?

2010-03-16 by Enrico Scholz

"Michael Mansour" <mic-Su61qOI1guu6c6uEtOJ/EA@...> writes:

> I'm running the p0f software and it is seeing the OS of connecting machines,
> but I'm hoping there's some help somewhere which tells me how mgl uses this
> and whether there's some example ACL's I could base rules on in
> greylist.conf?

p0fsock "/var/run/p0frun/sock"

racl greylist p0f "Windows.*"   delay 90m autowhite 1d msg "Please come again later; mail from MS Windows based mailservers smells too much like spam"



Enrico

Re: [milter-greylist] How do you configure p0f?

2010-03-16 by manu@netbsd.org

Michael Mansour <mic@...> wrote:

> I've compiled milter-greylist with p0f support and I have installed the p0f
> software, but I don't know at this point how milter-greylist communicates with
> the p0f software (or if it even needs it - I guess it does).

I have this in greylist.conf:
p0fsock "/var/run/p0f"

> I'm running the p0f software and it is seeing the OS of connecting machines,
> but I'm hoping there's some help somewhere which tells me how mgl uses this
> and whether there's some example ACL's I could base rules on in greylist.conf?

I use it with the stat statement, to log the remote OS. This is the %Fx
substitution string. You can also build ACL like this:

racl greylist p0f /Windows/ delay 12h

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Re: How do you configure p0f?

2010-03-16 by Adam Katz

Michael Mansour wrote:
>> I'm running the p0f software and it is seeing the OS of
>> connecting machines, but I'm hoping there's some help somewhere
>> which tells me how mgl uses this and whether there's some example
>> ACL's I could base rules on in greylist.conf?

Enrico Scholz responded:
> p0fsock "/var/run/p0frun/sock"
> 
> racl greylist p0f "Windows.*"   delay 90m autowhite 1d msg "Please come again later; mail from MS Windows based mailservers smells too much like spam"

I don't recommend that as it will block lots of legitimate MS Exchange
servers.  This is in my config (feel free to change the delay time):

# safe Windows hosts
racl whitelist p0f "Windows 2003"       addheader "X-Greylist-OS: %Fx"
racl whitelist p0f "Windows 2008"       addheader "X-Greylist-OS: %Fx"
racl whitelist p0f "Windows 2000 SP4"   addheader "X-Greylist-OS: %Fx"
racl greylist  p0f "Windows" \
                delay 20m autowhite 4d  addheader "X-Greylist-OS: %Fx"

That added header is picked up by SpamAssassin with this rule in local.cf:

header   KHOP_WIN_GREYED X-Greylist-OS =~ /Windows (?:XP|2000(?! SP4)|Vista)/
describe KHOP_WIN_GREYED Sending server is a Windows desktop OS
score    KHOP_WIN_GREYED 0.2 0.2 0.5 0.5


Because I have whitelist lines, the whole collection is near the
bottom of the file.  Windows 2000 SP4 creates some false negatives,
but that's the direction I'd prefer to lean towards.  I don't think
I've had anything hit "Windows 2008" (or anything called "Vista") yet,
but I haven't been too attentive at looking for it either.

For anybody interested in the numbers, here's a quick look at my logs:

# zgrep -ho '(Windows .*->' greylist.log* |sed 's/^.//;s/)[^)]*$//' |sort |uniq -c |sort -n

      1 Windows 95b
      1 Windows 98 (8)
      1 Windows 98 (low TTL) (2)
      1 Windows SP3
      1 Windows XP, 2000 SP2+
      4 Windows XP/2000 while downloading (leak!)
     14 Windows 98 (9)
     16 Windows 98 (15)
     20 Windows 98 (4)
     20 Windows 98 (no sack)
     23 Windows 98 (1)
     29 Windows 98 (6)
     32 Windows 2003 (2)
     42 Windows 98 (10)
     47 Windows XP SP1+, 2000 SP4 (3)
    103 Windows XP/2000 (RFC1323+, w, tstamp+)
    171 Windows XP SP1+, 2000 SP3 (2)
    233 Windows 2003 (1)
    259 Windows XP/2000 (RFC1323+, w, tstamp-)
    391 Windows XP/2000 (RFC1323+, w+, tstamp+)
    552 Windows 2000 SP4, XP SP1+ (2)
    837 Windows XP/2000
   1040 Windows XP SP1+, 2000 SP3
   1417 Windows XP/2000 (RFC1323+, w+, tstamp-)
   7193 Windows 2000 SP2+, XP SP1+ (seldom 98)
  26492 Windows 2000 SP4, XP SP1+
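
Added example (not part of the thread or of any poster's configuration): a Python sketch that replays a few rows of the log summary above through the racl block and the SpamAssassin regex from the same message, to show which fingerprints end up whitelisted, greylisted and scored. It assumes a quoted p0f string is a case-insensitive substring match and that the first matching racl line decides; acl_action, sa_hits and tally are hypothetical names.

```python
import re

# The racl block from the message, in file order: (action, quoted p0f string).
# Assumption: quoted strings are case-insensitive substring matches and
# the first matching line wins.
ACLS = [
    ("whitelist", "Windows 2003"),
    ("whitelist", "Windows 2008"),
    ("whitelist", "Windows 2000 SP4"),
    ("greylist", "Windows"),
]

# Body of the KHOP_WIN_GREYED rule, with the mail line-wrap rejoined.
KHOP_WIN_GREYED = re.compile(r"Windows (?:XP|2000(?! SP4)|Vista)")

# (count, p0f genre) rows copied from the log summary in the message.
SAMPLE = [
    (26492, "Windows 2000 SP4, XP SP1+"),
    (7193, "Windows 2000 SP2+, XP SP1+ (seldom 98)"),
    (1040, "Windows XP SP1+, 2000 SP3"),
    (837, "Windows XP/2000"),
    (552, "Windows 2000 SP4, XP SP1+ (2)"),
    (233, "Windows 2003 (1)"),
    (47, "Windows XP SP1+, 2000 SP4 (3)"),
    (23, "Windows 98 (1)"),
]

def acl_action(genre):
    """Return the action of the first ACL whose string occurs in genre."""
    for action, needle in ACLS:
        if needle.lower() in genre.lower():
            return action
    return "no-match"

def sa_hits(genre):
    """True if the X-Greylist-OS value would trigger KHOP_WIN_GREYED."""
    return KHOP_WIN_GREYED.search(genre) is not None

def tally(rows):
    """Sum connection counts per (ACL action, SpamAssassin hit) pair."""
    totals = {}
    for count, genre in rows:
        key = (acl_action(genre), sa_hits(genre))
        totals[key] = totals.get(key, 0) + count
    return totals

if __name__ == "__main__":
    for key, total in sorted(tally(SAMPLE).items()):
        print(key, total)
```

The row "Windows XP SP1+, 2000 SP4 (3)" falls through to the greylist line because the literal "Windows 2000 SP4" never appears contiguously in it, so the order in which p0f lists the versions decides whether the whitelist applies.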

Re: [milter-greylist] Re: How do you configure p0f?

2010-03-16 by Bill Levering

I added your info to the wiki:

http://milter-greylist.wikidot.com/using-p0f

Bill Levering
idbill@...
KFP: 0C38 4D7E 5B50 94FE 992D  406D 6C81 DE33 5459 A1AC
On Mar 16, 2010, at 11:00 AM, Adam Katz wrote:

> Michael Mansour wrote:
>>> I'm running the p0f software and it is seeing the OS of
>>> connecting machines, but I'm hoping there's some help somewhere
>>> which tells me how mgl uses this and whether there's some example
>>> ACL's I could base rules on in greylist.conf?
>
> Enrico Scholz responded:
>> p0fsock "/var/run/p0frun/sock"
>>
>> racl greylist p0f "Windows.*"   delay 90m autowhite 1d msg "Please come again later; mail from MS Windows based mailservers smells too much like spam"
>
> I don't recommend that as it will block lots of legitimate MS Exchange
> servers.  This is in my config (feel free to change the delay time):
>
> # safe Windows hosts
> racl whitelist p0f "Windows 2003"       addheader "X-Greylist-OS: %Fx"
> racl whitelist p0f "Windows 2008"       addheader "X-Greylist-OS: %Fx"
> racl whitelist p0f "Windows 2000 SP4"   addheader "X-Greylist-OS: %Fx"
> racl greylist  p0f "Windows" \
>                delay 20m autowhite 4d  addheader "X-Greylist-OS: %Fx"
>
> That added header is picked up by SpamAssassin with this rule in  
> local.cf:
>
> header   KHOP_WIN_GREYED X-Greylist-OS =~ /Windows (?:XP|2000(?! SP4)|Vista)/
> describe KHOP_WIN_GREYED Sending server is a Windows desktop OS
> score    KHOP_WIN_GREYED 0.2 0.2 0.5 0.5
>
>
> Because I have whitelist lines, the whole collection is near the
> bottom of the file.  Windows 2000 SP4 creates some false negatives,
> but that's the direction I'd prefer to lean towards.  I don't think
> I've had anything hit "Windows 2008" (or anything called "Vista") yet,
> but I haven't been too attentive at looking for it either.
>
> For anybody interested in the numbers, here's a quick look at my logs:
>
> # zgrep -ho '(Windows .*->' greylist.log* |sed 's/^.//;s/)[^)]*$//' |sort |uniq -c |sort -n
>
>      1 Windows 95b
>      1 Windows 98 (8)
>      1 Windows 98 (low TTL) (2)
>      1 Windows SP3
>      1 Windows XP, 2000 SP2+
>      4 Windows XP/2000 while downloading (leak!)
>     14 Windows 98 (9)
>     16 Windows 98 (15)
>     20 Windows 98 (4)
>     20 Windows 98 (no sack)
>     23 Windows 98 (1)
>     29 Windows 98 (6)
>     32 Windows 2003 (2)
>     42 Windows 98 (10)
>     47 Windows XP SP1+, 2000 SP4 (3)
>    103 Windows XP/2000 (RFC1323+, w, tstamp+)
>    171 Windows XP SP1+, 2000 SP3 (2)
>    233 Windows 2003 (1)
>    259 Windows XP/2000 (RFC1323+, w, tstamp-)
>    391 Windows XP/2000 (RFC1323+, w+, tstamp+)
>    552 Windows 2000 SP4, XP SP1+ (2)
>    837 Windows XP/2000
>   1040 Windows XP SP1+, 2000 SP3
>   1417 Windows XP/2000 (RFC1323+, w+, tstamp-)
>   7193 Windows 2000 SP2+, XP SP1+ (seldom 98)
>  26492 Windows 2000 SP4, XP SP1+

Re: [milter-greylist] Re: How do you configure p0f?

2010-03-16 by Peter Bonivart

On Tue, Mar 16, 2010 at 7:00 PM, Adam Katz <yegsa-yahoo@...> wrote:
> I don't recommend that as it will block lots of legitimate MS Exchange
> servers.  This is in my config (feel free to change the delay time):

I was just about to ask you to add this to the wiki but you read my mind:

http://milter-greylist.wikidot.com/using-p0f

:-)

-- 
/peter

Re: [milter-greylist] Re: How do you configure p0f?

2010-03-16 by Peter Bonivart

On Tue, Mar 16, 2010 at 7:07 PM, Bill Levering <idbill@...> wrote:
> I added your info to the wiki:
>
> http://milter-greylist.wikidot.com/using-p0f
>
> Bill Levering
> idbill@...
> KFP: 0C38 4D7E 5B50 94FE 992D  406D 6C81 DE33 5459 A1AC

Ok, so I thank you then. :-)

-- 
/peter
