On Fri, 30 Nov 2007 14:46:19 +0100
Mark Martinec <[EMAIL PROTECTED]> wrote:

> > > Nov 30 12:48:28 scanner00 amavis[55170]: (55170-01) Fingerprint
> > > query: 10.10.3.244 port=1234 195.46.43.224 KgZcfI2cjZsj
> >
> > So what was the IP address reported in a "CONNECT TCP Peer" log
> > entry? Was it 10.10.3.244 or 10.10.3.49?
> >
> > > As you may see, in this case amavisd is trying to ask itself for
> > > p0f service, which is incorrect, as the connection came from
> > > 10.10.3.49.
> 
> Where is your haproxy located? If it is sitting between MTA and a
> group of hosts running amavisd, then amavisd would see an IP address
> of a haproxy. Is haproxy sitting on 10.10.3.244?
> 
> The new version of haproxy offers "Full Transparent Proxy":
>   it is possible to connect to the server with the Client's IP address
>   or even any other IP address. This is possible only on Linux 2.4/2.6
>   with the cttproxy patch. This feature also makes it possible to
>   transparently handle part of the traffic for a particular server
>   without changing any server's address.
> 
> Mark
> 

Mark,

I've seen the info about the patch too, but we are using only *BSD
machines at our data center, so this is unusable for me.

My setup looks like this:

- MX00-MX01 servers are CARPed and load balanced by haproxy on an
external IP; they pick up mail from the world to our clients, make some
checks (pf-spamd and policyd-weight) and forward it below

- SCANNER00-SCANNER15 are CARPed and load balanced by haproxy on a
non-routable IP (10.10.3.x), make scan checks (amavisd, clamav, dspam and
p0f) and forward it below

- STASIS00-STASIS01 are CARPed and load balanced by haproxy on an
external IP to collect our clients' mail from their mail apps or webmail
and then send it up, or, when receiving mail from up, deliver it to
mailboxes

Now, this is in build progress, as I removed our custom patch on amavis
that was acting like policies and added p0f usage here, but this is a
description of what I want to achieve.
Haproxy seems to be an issue here, as it is changing the clients' IP for
any connection to itself, which causes chaos in two places: first at the
MX boxes, making mail always meet the $mynetworks restriction in postfix,
and second at the SCANNERS, making amavisd lose track of incoming mail.

I have solved the second one by creating policies for every sending host
with a dedicated port and assigning different forward rules inside to get
the proper mail route (which is working just like our patch, making it
absolutely obsolete), but still the p0f managed the same way (assigning
proper IP addresses to os_fingerprint_method) is not working for me -
not triggering at all. But I will take your clues and do further testing
today.

And the haproxy - can you (or anybody) propose something better that
works the way it should?

Regards,
Bartek
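
As an added illustration (not part of the thread, and not Bartek's or
Mark's configuration) of the per-port policy-bank approach Bartek
describes above: because haproxy rewrites the TCP peer address to its own,
amavisd cannot tell the sending hosts apart by source IP, so each sender
is given its own listening port and each port is mapped to a policy bank
that carries its own forward_method and os_fingerprint_method. The port
numbers, IP addresses and bank names below are assumptions chosen for the
example; the p0f-analyzer address in particular must point at the host
that actually sees the real client TCP connection (the MX box), not at the
scanner itself, which is the mistake the "Fingerprint query" log line
above reveals.

```perl
# amavisd.conf fragment (added example, not the list poster's config).
# All IPs, ports and bank names are placeholders/assumptions.

# One listening port per upstream sender: haproxy hides the real peer IP,
# so the port is the only reliable way to tell MX00, MX01 and STASIS apart.
$inet_socket_port = [10024, 10025, 10026];

# Map each listening port to a policy bank.
$interface_policy{'10024'} = 'FROM_MX00';
$interface_policy{'10025'} = 'FROM_MX01';
$interface_policy{'10026'} = 'FROM_STASIS';

# Inbound mail relayed by MX00: hand it on towards the delivery hosts, and
# send p0f queries to the analyzer running next to MX00, where the client's
# TCP connection really terminates (assumed address 10.10.3.1).
$policy_bank{'FROM_MX00'} = {
  originating           => 0,
  forward_method        => 'smtp:[10.10.3.60]:10025',  # assumed STASIS-side relay
  os_fingerprint_method => 'p0f:10.10.3.1:2345',       # assumed p0f-analyzer on MX00
};

# Same for MX01, with its own p0f-analyzer (assumed address 10.10.3.2).
$policy_bank{'FROM_MX01'} = {
  originating           => 0,
  forward_method        => 'smtp:[10.10.3.60]:10025',
  os_fingerprint_method => 'p0f:10.10.3.2:2345',
};

# Outbound mail from our own clients via STASIS: mark it as originating,
# route it towards the MX relays, and skip OS fingerprinting entirely,
# since the TCP peer is haproxy and a p0f result would be meaningless.
$policy_bank{'FROM_STASIS'} = {
  originating           => 1,
  forward_method        => 'smtp:[10.10.3.70]:10025',  # assumed MX-side relay
  os_fingerprint_method => undef,
};
```

With this layout a wrong analyzer address shows up immediately in the log:
a "Fingerprint query" line whose first address is the scanner's own
10.10.3.x address rather than the MX host means the bank for that port
still points p0f at the wrong machine.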

_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/