Luc,

> > To verify that it works, the following egrep on the log level 5 log could
> > reveal relevant entries:
> >   egrep 'Fingerprint collect: |OS_fingerprint: |suppressed for mail from Windows|P0F' \
> >     /var/log/amavisd-debug.log

> Unfortunately it does not seem to work. When should such a message
> appear? Only if a mail is over threshold?

Preconditions are that $os_fingerprint_method is configured,
that p0f-analyzer.pl is running, and that amavisd is receiving client IP 
address from MTA, which in the Postfix case means the XFORWARD
must be enabled in the Postfix service feeding mail to amavisd, e.g.
-o smtp_send_xforward_command=yes (or -o lmtp_send_xforward_command=yes
if using LMTP).

If p0f-analyzer.pl sees amavisd requests from some other IP address
not 127.0.0.1, you need to configure its list of allowed IP addresses 
@inet_acl (see its code). In some cases the IP address could be that
of an ethernet interface instead of an address of a loopback interface,
so you may need to add your ethernet IP address to the list, otherwise
p0f-analyzer.pl would just be ignoring such requests. Use tcpdump
(or ethereal) to make sure, monitor UDP packets to port 2345 (or
whatever port you have specified on the p0f-analyzer.pl command line
and in $os_fingerprint_method).

If these preconditions are met, you would see at log level 4
messages like: "Fingerprint query: ..."  and "Fingerprint collect: ...".

Next, if SA is being called, you would see an "OS_fingerprint: "
at log level 2 just after each spam scan. If any SA rules matched
your L_P0F* rules (assuming you have added them to local.cf)
on X-Amavis-OS-Fingerprint: header field, you would see names
of matching rules in the "SPAM, " log entries at log level 2
(as well as in the main log entry at log level 0 if the
  [? %#T ||, Tests: \[[%T|,]\]]#
is uncommented in the mail log template ($log_templ) ).

Finally, the "DSN: FILTER ..., suppressed for mail from Windows"
may be seen every once in a while for medium-score spam, if there are
no better reasons to suppress spam bounce to windows.

For starters, try tcpdump on UDP port 2345 on the correct
interface (loopback or ethernet, depending on your OS).

  Mark






_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
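
The log checks described in the message above, as an added example that is not part of the original message or of amavisd-new: a shell script that reports the first of the three log markers that is missing, then tallies L_P0F* rule hits and suppressed DSNs. The sample log lines and the rule name L_P0F_EXAMPLE are constructed; only the marker strings come from the message.

```shell
#!/bin/sh
# Added example, not from the original message. The log lines are constructed;
# only the marker strings come from the message above.

# Write a constructed sample log to the path given as $1.
make_sample_log() {
    cat > "$1" <<'EOF'
(00001-01) Fingerprint query: CONSTRUCTED
(00001-01) Fingerprint collect: CONSTRUCTED
(00001-01) OS_fingerprint: CONSTRUCTED
(00001-01) SPAM, CONSTRUCTED Tests: [BAYES_99,L_P0F_EXAMPLE]
(00002-01) Fingerprint query: CONSTRUCTED
(00002-01) Fingerprint collect: CONSTRUCTED
(00002-01) OS_fingerprint: CONSTRUCTED
(00002-01) DSN: FILTER CONSTRUCTED, suppressed for mail from Windows
EOF
}

# Print the first marker missing from log $1, in the order the message
# lists them, or "complete" when all three are present.
first_missing_stage() {
    grep -qF 'Fingerprint query: '   "$1" || { echo query; return 0; }
    grep -qF 'Fingerprint collect: ' "$1" || { echo collect; return 0; }
    grep -qF 'OS_fingerprint: '      "$1" || { echo os_fingerprint; return 0; }
    echo complete
}

# Print "RULE=count" for each L_P0F* rule named in "SPAM, " entries.
p0f_rule_hits() {
    grep -F 'SPAM, ' "$1" | grep -oE 'L_P0F[A-Za-z0-9_]*' |
        sort | uniq -c | awk '{ print $2 "=" $1 }'
}

# Count DSNs logged as "suppressed for mail from Windows".
suppressed_count() {
    grep -cF 'suppressed for mail from Windows' "$1" || true
}

# Demo: uses the constructed log unless LOG points at a real debug log.
if [ -z "${LOG:-}" ]; then LOG=$(mktemp); make_sample_log "$LOG"; fi
echo "stage: $(first_missing_stage "$LOG")"
echo "rules: $(p0f_rule_hits "$LOG")"
echo "suppressed DSNs: $(suppressed_count "$LOG")"
```

A result of "query" or "collect" points back at the preconditions listed in the message; "os_fingerprint" means the fingerprint was collected but no spam scan logged it.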
