[SOLVED] PMG Spam Assassin "KAM_GB_INVALID_FROM" Issues

O

oodissimo

Active Member
Nov 30, 2017
12
1
43
60
Hi,

I am new to PMG, but not mail systems in general. I have PMG setup as a smart relay host for server generated emails. We do not handle inbound email.

I am having an issue where I cannot find why Spam Assassin marks "KAM_GB_INVALID_FROM". When I look at /usr/share/spamassassin-extra/kam_sa-channels_mcgrail_com/KAM.cf I see these checks:

Code: 
#INVALID FROM RULE
header          __KAM_GB_INVALID_FROM_NO_DOTS   From:addr !~ /\./
header          __KAM_GB_INVALID_FROM_NO_AT     From:addr !~ /\@/

meta            KAM_GB_INVALID_FROM     (__KAM_GB_INVALID_FROM_NO_DOTS + __KAM_GB_INVALID_FROM_NO_AT >= 1) && ! ( ALL_TRUSTED || NO_RELAYS || __BOUNCE_CTYPE )
describe        KAM_GB_INVALID_FROM     From Address is invalid
score           KAM_GB_INVALID_FROM     5.0

This is what the mail log has to say about the message:

Code: 
2025-03-31T18:01:08.714655-05:00 courier postfix/smtpd[20429]: connect from mel-gr-srv.kuhkenah.ca[64.185.120.99]
2025-03-31T18:01:08.735308-05:00 courier postfix/smtpd[20429]: B37C7E04DD: client=mel-gr-srv.kuhkenah.ca[64.185.120.99]
2025-03-31T18:01:08.738002-05:00 courier postfix/cleanup[20432]: B37C7E04DD: message-id=<Asterisk-49-417239743-1257-5970@mel-gr-srv>
2025-03-31T18:01:08.740925-05:00 courier postfix/qmgr[17371]: B37C7E04DD: from=<root@mel-gr-srv.kuhkenah.ca>, size=23242, nrcpt=1 (queue active)
2025-03-31T18:01:08.742931-05:00 courier postfix/smtpd[20429]: disconnect from mel-gr-srv.kuhkenah.ca[64.185.120.99] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
2025-03-31T18:01:08.818877-05:00 courier pmg-smtp-filter[19972]: E055367EB1EB4C651B: new mail message-id=<Asterisk-49-417239743-1257-5970@mel-gr-srv>#012
2025-03-31T18:01:11.813030-05:00 courier pmg-smtp-filter[19972]: E055367EB1EB4C651B: SA score=5/5 time=2.967 bayes=undefined autolearn=disabled hits=HEADER_FROM_DIFFERENT_DOMAINS(0.001),KAM_DMARC_STATUS(0.01),KAM_GB_INVALID_FROM(5),KAM_NUMSUBJECT(0.5),SPF_PASS(-0.001),T_SPF_HELO_PERMERROR(0.01)
2025-03-31T18:01:11.865796-05:00 courier pmg-smtp-filter[19972]: E055367EB1EB4C651B: notify <alinden@nom.knet.ca> (rule: Notify Admin Spam (Level 3), C8F89E0579)
2025-03-31T18:01:11.870480-05:00 courier postfix/smtpd[20439]: connect from localhost.localdomain[127.0.0.1]
2025-03-31T18:01:11.871041-05:00 courier postfix/smtpd[20439]: D4A26E057B: client=localhost.localdomain[127.0.0.1], orig_client=mel-gr-srv.kuhkenah.ca[64.185.120.99]
2025-03-31T18:01:11.912228-05:00 courier postfix/cleanup[20432]: D4A26E057B: message-id=<Asterisk-49-417239743-1257-5970@mel-gr-srv>
2025-03-31T18:01:11.913606-05:00 courier postfix/qmgr[17371]: D4A26E057B: from=<root@mel-gr-srv.kuhkenah.ca>, size=23895, nrcpt=1 (queue active)
2025-03-31T18:01:11.913691-05:00 courier postfix/smtpd[20439]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2025-03-31T18:01:11.915010-05:00 courier pmg-smtp-filter[19972]: E055367EB1EB4C651B: accept mail to <alinden@nom.knet.ca> (D4A26E057B) (rule: default-accept)
2025-03-31T18:01:11.916475-05:00 courier pmg-smtp-filter[19972]: E055367EB1EB4C651B: processing time: 3.101 seconds (2.967, 0.026, 0)
2025-03-31T18:01:11.916763-05:00 courier postfix/lmtp[20433]: B37C7E04DD: to=<alinden@nom.knet.ca>, relay=127.0.0.1[127.0.0.1]:10023, delay=3.2, delays=0.01/0.03/0.04/3.1, dsn=2.5.0, status=sent (250 2.5.0 OK (E055367EB1EB4C651B))
2025-03-31T18:01:11.917333-05:00 courier postfix/qmgr[17371]: B37C7E04DD: removed
2025-03-31T18:01:13.518108-05:00 courier postfix/smtp[20441]: D4A26E057B: to=<alinden@nom.knet.ca>, relay=lp-knet-ca.mail.protection.outlook.com[52.101.192.1]:25, delay=1.6, delays=0.04/0.03/0.67/0.91, dsn=2.6.0, status=sent (250 2.6.0 <Asterisk-49-417239743-1257-5970@mel-gr-srv> [InternalId=74637941670248, Hostname=YQBPR0101MB8383.CANPRD01.PROD.OUTLOOK.COM] 34776 bytes in 0.249, 136.351 KB/sec Queued mail for delivery)
2025-03-31T18:01:13.518373-05:00 courier postfix/qmgr[17371]: D4A26E057B: removed

The receivers destination is a M365 Exchange system. In the message headers, I see that the From address is proper.

From: Asterisk PBX <asterisk@mel-gr-srv.kuhkenah.ca>

In other words, the From header contains "dots" and the "at" symbol, yet the rule triggers.

The second part I am uncertain about is, how does Spam Assassin determine what is a trusted source? The sending mail server is not on the subnet that PMG lives on. I have all of the hosts that are allowed to relay through PMG added to "Configuration > Mail Proxy > Networks". Is Spam Assassin configured independent of those settings? I would expect to see the ALL_TRUSTED set for this host.

Thanks,
Adi
 
I created a new "Mail Filter" to force subject mail into quarantine. Looking at the raw message in quarantine, I could see that the message as it arrived in PMG had this From: field: From: Asterisk PBX <asterisk@mel-gr-srv>.

However, once released from quarantine and received at the recipients mail system (M365) the From: field was changed to: From: Asterisk PBX <asterisk@mel-gr-srv.kuhkenah.ca>.

I do not know where the From: gets rewritten, whether it is PMG or M365. It made troubleshooting difficult though as what the end user sees is not the same as to what PMG sees.

The cause of the issue, configuration error on the sending mail system that uses PMG as a smarthost relay.
 
oodissimo said:
However, once released from quarantine and received at the recipients mail system (M365) the From: field was changed to: From: Asterisk PBX <asterisk@mel-gr-srv.kuhkenah.ca>.

I do not know where the From: gets rewritten, whether it is PMG or M365. It made troubleshooting difficult though as what the end user sees is not the same as to what PMG sees.
Click to expand...
that is usually done by the postfix cleanup-daemon:
https://www.postfix.org/cleanup.8.html

glad you found the issue by yourself!
 
You must log in or register to reply here.
Top Bottom