On Mon, 3 Dec 2007 09:10:11 +0100 Bartłomiej Rutkowski <[EMAIL PROTECTED]> wrote:
> On Fri, 30 Nov 2007 14:46:19 +0100
> Mark Martinec <[EMAIL PROTECTED]> wrote:
>
> > > > Nov 30 12:48:28 scanner00 amavis[55170]: (55170-01) Fingerprint
> > > > query: 10.10.3.244 port=1234 195.46.43.224 KgZcfI2cjZsj
> > >
> > > So what was the IP address reported in a "CONNECT TCP Peer" log
> > > entry? Was it 10.10.3.244 or 10.10.3.49?
> > >
> > > > As you may see, in this case amavisd is trying to ask itself for
> > > > p0f service, which is incorrect, as the connection came from
> > > > 10.10.3.49.
> >
> > Where is your haproxy located? If it is sitting between MTA and a
> > group of hosts running amavisd, then amavisd would see an IP address
> > of a haproxy. Is haproxy sitting on 10.10.3.244?
> >
> > The new version of haproxy offers "Full Transparent Proxy":
> > it is possible to connect to the server with the Client's IP address
> > or even any other IP address. This is possible only on Linux 2.4/2.6
> > with the cttproxy patch. This feature also makes it possible to
> > transparently handle part of the traffic for a particular server
> > without changing any server's address.
> >
> > Mark
>
> Mark,
>
> I've seen the info about the patch too, but we are using only *BSD
> machines at our data center, so this is unusable for me.
> My setup looks like this:
>
> - MX00-MX01 servers are CARPed and load balanced by haproxy on
> external IP, and they pick up mails from the world to our clients, make
> some checks (pf-spamd and policyd-weight) and forward them below
>
> - SCANNER00-SCANNER15 are CARPed and load balanced by haproxy on
> non-routable IP (10.10.3.x), make scan checks (amavisd, clamav, dspam and
> p0f) and forward them below
>
> - STASIS00-STASIS01 are CARPed and load balanced by haproxy on external
> IP to collect our clients' mail from their mail apps or webmail, then
> send it up, or when receiving mail from up then delivering it to
> mailboxes
>
> Now, this is in build progress, as I removed our custom patch on
> amavis that was acting like policies, and added p0f usage here, but
> this is a description of what I want to achieve.
> Haproxy seems to be an issue here, as it is changing the client's IP for
> any connection to itself, which causes chaos in two places: first at
> MX boxes making mail always meet the $mynetwork restriction in
> postfix, and second at SCANNERS making amavisd lose track of
> incoming mail.
>
> I have solved the second one by creating policies for every sending host
> with a dedicated port and assigning different forward rules inside to
> get the proper mail route (which is working just as our patch, making
> it absolutely obsolete) but still the p0f managed the same way
> (assigning proper IP addresses to os_fingerprint_method) is not
> working for me - not triggering at all. But I will take your clues
> and do further testing today.
>
> And the haproxy - can you (or anybody) propose something better and
> working the way it should?
> Regards,
> Bartek

It seems that thanks to policy services I have managed to overcome the issues with not fully transparent proxies, and got p0f checks working (I can see the answer from p0f in the amavisd log and the triggering of p0f rules from spamassassin's local.cf), but I don't get any X-Amavis-Os-Fingerprint headers added - should that be normal behaviour?

Regards,
Bartek

AMaViS-user mailing list: https://lists.sourceforge.net/lists/listinfo/amavis-user
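As an added illustration, not configuration taken from the thread or from the amavisd-new project, this is how the per-port policy banks Bartek describes can be written in amavisd.conf: since haproxy hides the real client address, each upstream host is pointed at its own listening port, and `$interface_policy` maps that port to a bank carrying the forward route and the p0f analyzer address. The extra ports (10025, 10026), the forward targets 10.10.3.50 and 10.10.3.51, and the p0f-analyzer address/port are assumptions; 10.10.3.244 and 10.10.3.49 are the addresses from the thread.

```perl
# Added example for amavisd.conf (amavisd-new 2.5.x style); not from the thread.
# haproxy rewrites the source address, so amavisd cannot tell sending hosts
# apart by client IP. Instead every upstream class connects to its own port,
# and $interface_policy selects a policy bank by that port.

# One listener per upstream class; 10024 stays the default/fallback port.
$inet_socket_port = [10024, 10025, 10026];

# Only localhost and the haproxy front (10.10.3.244 per the thread) may connect;
# the original client addresses never reach this host, so nothing else is listed.
@inet_acl = qw( 127.0.0.1 10.10.3.244 );

# Listening port -> policy bank name.
$interface_policy{'10025'} = 'FROM_MX';       # mail relayed by MX00/MX01
$interface_policy{'10026'} = 'FROM_STASIS';   # mail submitted via STASIS00/01

# Global default: p0f-analyzer.pl must observe the client's original TCP SYN,
# so it runs on a host the client reaches directly. Address is an assumption.
$os_fingerprint_method = 'p0f:10.10.3.49:2345';
$os_fingerprint_ttl    = 60;   # seconds to wait for the analyzer's reply

$policy_bank{'FROM_MX'} = {
  originating    => 0,                          # inbound from the Internet
  forward_method => 'smtp:[10.10.3.50]:10025',  # assumed STASIS CARP address
  # per-bank override: query the analyzer watching the MX side (assumed)
  os_fingerprint_method => 'p0f:10.10.3.49:2345',
};

$policy_bank{'FROM_STASIS'} = {
  originating    => 1,                          # our own clients' outbound mail
  forward_method => 'smtp:[10.10.3.51]:10025',  # assumed MX-side relay
  os_fingerprint_method => undef,               # no fingerprinting of submissions
};

1;  # amavisd.conf must end by returning a true value
```

With this layout the bank name appears in the amavisd log for each connection, which is the quickest check that a given upstream really landed on the port you intended.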
