Rick,

> If I'm reading the docs correctly, it would not be of any use to me
> since spamd runs on its own separate server and p0f only supports local
> sockets. Correct or is there a way I could use it ?

Not so.
- p0f and p0f-analyzer.pl need to be running on your MX host,
- spamd with a plugin (or amavisd-new with its own client code to query p0f-analyzer.pl) can be running on another host.

The communication between the p0f-analyzer.pl daemon and the client code is via UDP, very quick.

Daryl C. W. O'Shea,

> BTW... has anyone ever got the -Q option to have p0f itself listen on a
> socket to work, instead of using their own wrapper?

The core problem is that p0f needs the full TCP session specification in a query: client and server IP address, as well as client and server TCP port number. Most of these are known or can be guessed, except for the client TCP port number. There have been requests to let Postfix provide this information to a policy daemon or via XFORWARD protocol extension, but the change has deep consequences (extensibility path - why this and not that info), so it has not yet been implemented.

Lack of source TCP port number information is the sole reason for the existence of p0f-analyzer.pl: it can supply the information without knowing the client-side TCP port number, based on the assumption that in the recent past only one or a few hosts have been connecting from the given IP address.

Mark
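
The IP-only lookup described in the last paragraph, as an added Python example (not code from p0f-analyzer.pl or from this thread): observations are stored with the full tuple the sniffer sees, queries arrive with the client IP alone, and the answer is flagged when the one-host-per-address assumption fails. The class name, the 600-second window, the OS labels and the addresses are assumptions made for illustration; the real daemon's UDP query format is not reproduced.

```python
import time
from collections import defaultdict


class IpOnlyFingerprintCache:
    """Recent fingerprint observations indexed by client IP only (no source port)."""

    def __init__(self, max_age=600.0):  # assumed retention window, in seconds
        self.max_age = max_age
        self._seen = defaultdict(list)  # client_ip -> [(timestamp, src_port, os_guess)]

    def observe(self, client_ip, src_port, os_guess, now=None):
        """Record what the sniffer saw; the source port is known at this point."""
        now = time.time() if now is None else now
        self._seen[client_ip].append((now, src_port, os_guess))

    def query(self, client_ip, now=None):
        """Answer a client that knows only the IP address.

        Returns (os_guess, ambiguous). os_guess is the most recent observation;
        ambiguous is True when different systems were seen behind the address
        inside the window, i.e. the one-host-per-IP assumption does not hold.
        """
        now = time.time() if now is None else now
        fresh = [e for e in self._seen.get(client_ip, []) if now - e[0] <= self.max_age]
        if not fresh:
            self._seen.pop(client_ip, None)  # drop expired entries
            return None, False
        self._seen[client_ip] = fresh
        latest = max(fresh, key=lambda e: e[0])
        return latest[2], len({e[2] for e in fresh}) > 1


def demo():
    cache = IpOnlyFingerprintCache(max_age=600.0)
    # Constructed observations: documentation addresses, illustrative OS labels.
    cache.observe("192.0.2.10", 41022, "Linux 2.6", now=1000.0)
    cache.observe("198.51.100.7", 1045, "Windows XP", now=1010.0)    # NAT, host A
    cache.observe("198.51.100.7", 50233, "FreeBSD 6.x", now=1020.0)  # NAT, host B
    return {
        "single": cache.query("192.0.2.10", now=1030.0),
        "nat": cache.query("198.51.100.7", now=1030.0),
        "expired": cache.query("192.0.2.10", now=2000.0),
        "unknown": cache.query("203.0.113.5", now=1030.0),
    }


if __name__ == "__main__":
    print(demo())
```

A scoring plugin that consumes such an answer should treat the ambiguous case as weaker evidence than a single consistent fingerprint.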