1

I received a couple of complaints from customers that got their emails rejected. I haven't changed my config, so this must be an issue with spamhaus.

I'm running Postfix with these settings for spamhaus:

   smtpd_sender_restrictions = [...]
   reject_rhsbl_helo dbl.spamhaus.org,
   reject_rhsbl_reverse_client dbl.spamhaus.org,
   reject_rhsbl_sender dbl.spamhaus.org,

Here are a couple of my logs where customers get blocked:

NOQUEUE: reject: RCPT from mx08-0020e701.pphosted.com[91.207.212.174]: 554 5.7.1 Service unavailable; Unverified Client host [mx08-0020e701.pphosted.com] blocked using dbl.spamhaus.org; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mx07-0020e701.pphosted.com>
NOQUEUE: reject: RCPT from mailout09.t-online.de[194.25.134.84]: 554 5.7.1 Service unavailable; Sender address [[email protected]] blocked using dbl.spamhaus.org; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mailout09.t-online.de>
NOQUEUE: reject: RCPT from mail-fr2deu01on2094.outbound.protection.outlook.com[40.107.135.94]: 554 5.7.1 Service unavailable; Helo command [DEU01-FR2-obe.outbound.protection.outlook.com] blocked using dbl.spamhaus.org; from=<#[email protected]> to=<[email protected]> proto=ESMTP helo=<DEU01-FR2-obe.outbound.protection.outlook.com>

Does anybody know how I can fix this (without exposing my mailserver)?

  • 1
    They have acknowledged this, and apparently it has something to do with Cisco OpenDNS.
    – Orphans
    Commented Aug 19, 2022 at 9:07

1 Answer

6

Your configuration is dangerously wrong. You must filter the DNS return codes, as instructed.

Not every response from spamhaus indicates a listing; some indicate lookup errors (usually: querying via a shared open DNS server, thus exceeding lookup rates). Your configuration blocks clients on all results, including 127.255.255.0/24 responses.

This configuration fixes the immediate problem by only rejecting on actual results. Depending on the nature of the error, this may mean you are then not blocking anyone:

   smtpd_sender_restrictions = [...]
   reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
   reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
   reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],

This suggested fix only makes you not mistreat the error responses. You additionally have to configure your DNS lookups according to the usage guidelines - to yet again retrieve the intended responses.

To begin with this, on the machine in question, call this command:

   dig +short 2.0.0.127.zen.spamhaus.org

And then see what the returned code corresponds to in their public list explaining the codes.

  • 2
    Thank you for the documentation link. This is particularly useful as I find too many people add Spamhaus to MTA config as more cargo cult than anything: "Blocking at the SMTP level is only suggested if you have a moderately high email volume (more than 200,000 emails per day), low computing resources, or if you do not use additional anti-spam software."
    – Paul
    Commented Aug 19, 2022 at 12:49
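A model of why the question's bare entries reject legitimate senders while the answer's filtered entries do not, as an added example that is not part of the original question or answer. The function names are hypothetical, the sample answers are constructed, and the error-code meanings are taken from Spamhaus's public return-code list.

```python
import ipaddress
import socket

ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # error range named in the answer
# Meanings as given in Spamhaus's public return-code list.
ERROR_MEANING = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

def classify(answer):
    """Classify one A record returned for a dbl.spamhaus.org query."""
    ip = ipaddress.ip_address(answer)
    if ip in ERROR_NET:
        return "error"
    octets = ip.packed
    if octets[:3] == bytes([127, 0, 1]) and 2 <= octets[3] <= 99:
        return "listed"  # the 127.0.1.[2..99] filter from the answer
    return "other"

def rejects(answers, filtered):
    """Model the reject decision for the A records of one lookup.

    filtered=False: bare "reject_rhsbl_* dbl.spamhaus.org" (any A record rejects).
    filtered=True:  "dbl.spamhaus.org=127.0.1.[2..99]" (only listings reject).
    """
    if not filtered:
        return bool(answers)
    return any(classify(a) == "listed" for a in answers)

def lookup(name):
    """Live query via the system resolver; an empty list means no A record."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def resolver_errors(answers):
    """Return the error explanations found among the answers."""
    return [ERROR_MEANING.get(a, "unspecified error code")
            for a in answers if classify(a) == "error"]

if __name__ == "__main__":
    # Constructed sample answers, not real lookups.
    for sample in (["127.255.255.254"], ["127.0.1.2"], []):
        print(sample, "bare:", rejects(sample, False), "filtered:", rejects(sample, True))
    # Same test point as the dig command in the answer (needs network access).
    live = lookup("2.0.0.127.zen.spamhaus.org")
    print(live, resolver_errors(live) or "no error codes returned")
```

If the live lookup prints an error explanation, the filtered entries will stop the false rejections but the blocklist is still not protecting the server until the resolver setup is fixed.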
