$ git am /tmp/270.eml
Applying: Patch for p0f plugin
fatal: corrupt patch at line 11
Patch failed at 0001 Patch for p0f plugin
Matt Simerson wrote:
>
> plugins/ident/p0f: added pod sections, added local_ip option
> TcpServer.pm: added remote_port, local_ip, local_port, and local_host to
> $qp->connection, as the p0f plugin relies on it.
>
> ---
> lib/Qpsmtpd/TcpServer.pm | 10 +++++-
> plugins/ident/p0f | 87 ++++++++++++++++++++++++++++++++++++++-------
> 2 files changed, 82 insertions(+), 15 deletions(-)
>
> diff --git a/lib/Qpsmtpd/TcpServer.pm b/lib/Qpsmtpd/TcpServer.pm
> index 3398c3e..f0b2b93 100644
> --- a/lib/Qpsmtpd/TcpServer.pm
> +++ b/lib/Qpsmtpd/TcpServer.pm
> @@ -30,7 +30,7 @@ my $first_0;
> sub start_connection {
> my $self = shift;
>
> - my ($remote_host, $remote_info, $remote_ip);
> + my ($remote_host, $remote_info, $remote_ip, $remote_port, $local_ip,
> $local_port, $local_host);
>
> if ($ENV{TCPREMOTEIP}) {
> # started from tcpserver (or some other superserver which
> @@ -38,6 +38,10 @@ sub start_connection {
> $remote_ip = $ENV{TCPREMOTEIP};
> $remote_host = $ENV{TCPREMOTEHOST} || "[$remote_ip]";
> $remote_info = $ENV{TCPREMOTEINFO} ?
> "$env{tcpremoteinf...@$remote_host" : $remote_host;
> + $remote_port = $ENV{TCPREMOTEPORT};
> + $local_ip = $ENV{TCPLOCALIP};
> + $local_port = $ENV{TCPLOCALPORT};
> + $local_host = $ENV{TCPLOCALHOST};
> } else {
> # Started from inetd or similar.
> # get info on the remote host from the socket.
> @@ -63,6 +67,10 @@ sub start_connection {
> $self->SUPER::connection->start(remote_info => $remote_info,
> remote_ip => $remote_ip,
> remote_host => $remote_host,
> + remote_port => $remote_port,
> + local_ip => $local_ip,
> + local_port => $local_port,
> + local_host => $local_host,
> @_);
> }
>
> diff --git a/plugins/ident/p0f b/plugins/ident/p0f
> index 720adca..bc40906 100644
> --- a/plugins/ident/p0f
> +++ b/plugins/ident/p0f
> @@ -1,22 +1,77 @@
> # -*- perl -*-
>
> -=pod
> +=head1 NAME
>
> -An Identification Plugin
> +p0f - An TCP Fingerprinting Identification Plugin
>
> - ./p0f -u qpsmtpd -d -q -Q /tmp/.p0f_socket 'dst port 25' -o /dev/null && \
> - chown qpsmtpd /tmp/.p0f_socket
> +=head1 SYNOPSIS
>
> -and add
> +Use TCP fingerprint info (remote computer OS, network distance, etc) to
> +implement more sophisticated anti-spam policies.
> +
> +=head1 DESCRIPTION
> +
> +This p0f module inserts a 'p0f' note that other qpsmtpd plugins can inspect.
> +It includes the following information about the TCP fingerprint (link,
> +detail, distance, uptime, genre). Here's an example connection note:
> +
> + genre => FreeBSD
> + detail => 6.x (1)
> + uptime => 1390
> + link => ethernet/modem
> + distance => 17
> +
> +Which was parsed from this p0f fingerprint:
> +
> + 24.18.227.2:39435 - FreeBSD 6.x (1) (up: 1390 hrs)
> + -> 208.75.177.101:25 (distance 17, link: ethernet/modem)
> +
> +=head1 MOTIVATION
> +
> +This p0f plugin provides a way to make sophisticated policies for email
> +messages. For example, the vast majority of email connections to my server
> +from Windows computers are spam (>99%). But, I have a few clients that use
> +Exchange servers so I can't just block email from all Windows computers.
> +
> +Same goes for greylisting. Finance companies (AmEx, BoA, etc) just love to
> +send notices that they won't queue and retry. Either they deliver at that
> +instant or never. When I enable greylisting, I lose valid messages. Grrr.
> +
> +So, while I'm not willing to use greylisting, and I'm not willing to block
> +connections from Windows computers, I am quite willing to greylist all email
> +from Windows computers.
> +
> +=head1 CONFIGURATION
> +
> +Create a startup script for PF that creates a communication socket when your
> +server starts up.
> +
> + p0f -u qpsmtpd -d -q -Q /tmp/.p0f_socket 'dst port 25' -o /dev/null
> + chown qpsmtpd /tmp/.p0f_socket
> +
> +add an entry to config/plugins to enable p0f:
>
> ident/p0f /tmp/.p0f_socket
>
> -to config/plugins
> +=head2 local_ip
> +
> +Use the local_ip option to override the IP address of your mail server. This
> +is useful if your mail server has a private IP because it is running behind
> +a firewall. For example, my mail server has the IP 127.0.0.6, but the world
> +knows my mail server as 208.75.177.101.
> +
> +Example config/plugins entry with local_ip override:
>
> -it puts things into the 'p0f' connection notes so other plugins can do
> -things based on source OS.
> + ident/p0f /tmp/.p0f_socket local_ip 208.75.177.101
>
> -All code heavily based upon the p0fq.pl included with the p0f distribution.
> +=head1 ACKNOWLEDGEMENTS
> +
> +Heavily based upon the p0fq.pl included with the p0f distribution.
> +
> +=head1 AUTHORS
> +
> + Matt Simerson <msimer...@cpan.org> - 5/1/2010
> + previous unnamed author
>
> =cut
>
> @@ -26,23 +81,27 @@ use Net::IP;
> my $QUERY_MAGIC = 0x0defaced;
>
> sub register {
> - my ($self, $qp, $p0f_socket) = @_;
> + my ($self, $qp, $p0f_socket, @args) = @_;
>
> + my %args = @args;
> $p0f_socket =~ /(.*)/; # untaint
> $self->{_args}->{p0f_socket} = $1;
> + foreach ( keys %args ) {
> + $self->{_args}->{$_} = $args{$_};
> + };
> }
>
> sub hook_connect {
> my($self, $qp) = @_;
>
> my $p0f_socket = $self->{_args}->{p0f_socket};
> - my $srcport =
> - my $destport = $self->qp->connection->local_port;
> + my $local_ip = $self->{_args}{local_ip} ||
> $self->qp->connection->local_ip;
>
> - my $src = new Net::IP ($self->qp->connection->remote_ip)
> + my $src = new Net::IP ($self->qp->connection->remote_ip)
> or $self->log(LOGERROR, "p0f: ".Net::IP::Error()), return (DECLINED);
> - my $dst = new Net::IP ($self->qp->connection->local_ip)
> + my $dst = new Net::IP ($local_ip)
> or $self->log(LOGERROR, "p0f: ".NET::IP::Error()), return (DECLINED);
> +
> my $query = pack("L L L N N S S",
> $QUERY_MAGIC,
> 1,
> --
> 1.7.0.6
>
>
