Server blocking incoming email messages

Discussion in 'Server Operation' started by anark10n, Nov 17, 2021.

  1. anark10n

    anark10n Member

    Hey there.
    My server is randomly blocking messages from various sources, sometimes freemail services, and private services at other times, usually with the most comprehensive error message that I receive being:
    Code:
    [email protected]>: host myservername.mydomain.com[IP ADDRESS] said:
        554 5.7.1 Service unavailable; Client host [SENDER IP ADDRESS] blocked using
        zen.spamhaus.org; Error: open resolver;
        https://www.spamhaus.org/returnc/pub/66.185.122.244 (in reply to RCPT TO
        command)
    
    Sometimes the error spamhaus return code is in the form of an IPv6 address.
    This is the relevant configuration in my main.cf
    Code:
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining , permit
    
    I saw that recommended configuration from spamhaus differs in that there's an IP address after the zen.spamhaus.org. Is it safe for me to follow those recommendations, or should I enter them elsewhere?
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    https://www.spamhaus.org/returnc/pub/
    My understanding is spamhaus is a commercial service, so it has to be paid for in some use cases. Maybe yours is one of those? If you do not want to use spamhaus, use some other e-mail real time blacklist.
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

  4. anark10n

    anark10n Member

    Yes, it is the same error, but in that other thread it was due to a blacklisting on Spamhaus, and after resolving that issue, I was able to send and receive as per usual for about a day before this new issue cropped up.
    I did make the relevant changes to main.cf as per the Spamhaus recommendations and am now able to receive mail, but I just wanted to know whether it was safe for me to do so?
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    What did you change in main.cf? I see one page where they show settings for smtpd_recipient_restrictions or to use postscreen; either of those should be fine. I assume you don't use ispconfig since you post in the non-ispconfig forum topics, but if you do, you would want to make smtpd_recipient_restrictions changes update safe by putting them in a conf-custom file (or set up postscreen instead).
     
  6. anark10n

    anark10n Member

    I am using ISPConfig; I posted here because it seemed like the error wasn't with ISPConfig but with Postfix.
    This is what the spamhaus entry looked like before:
    Code:
    smtpd_client_restrictions = ... reject_rbl_client zen.spamhaus.org ...
    
    While the recommended configurations from spamhaus are as follows:
    Code:
    smtpd_recipient_restrictions =
       ...
       reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
       reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]
       reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99]
       reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99]
       warn_if_reject reject_rbl_client zen.spamhaus.org=127.255.255.[1..255]
       ...
    
    As instructed in this link
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Fair enough. In this case, the settings you changed will be overwritten by ISPConfig in the future if you don't make them in a conf-custom file, whereas non-ISPConfig systems would be fine. So once you get a final resolution, ensure any changes you make will survive updates.
    That is an improvement over the single "reject everything on that list" (and postscreen improves it further using weighted rbls), but it won't solve your problem, which has to do with too many queries to spamhaus coming from your dns server(s). Your changes have changed the way the query responses are handled, but not reduced the number of them. You need to set up a DQS account as explained at the bottom of https://www.spamhaus.org/returnc/pub/66.185.122.244.
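
Added example, not part of any post in this thread and not Postfix's own code: a simplified Python emulation of how the `=d.d.d.d` reply filter changes which zen.spamhaus.org answers count as a listing, using the filter ranges quoted above. The sample answers are constructed, and 127.255.255.254 is assumed here to stand in for an error-range reply like the "open resolver" one in the bounce.

```python
import ipaddress
import re

def octet_matches(pattern, value):
    """Match one octet against 'n' or a bracket list such as '[2..11]' or '[2;4..7]'."""
    if pattern.startswith("["):
        for item in pattern[1:-1].split(";"):
            lo, _, hi = item.partition("..")
            if int(lo) <= value <= int(hi or lo):
                return True
        return False
    return int(pattern) == value

def reply_matches(reply_filter, answer):
    """True if a DNSBL A record counts as 'listed' under the given filter."""
    if reply_filter is None:          # bare "reject_rbl_client zen.spamhaus.org"
        return True                   # any A record at all is treated as a listing
    parts = re.findall(r"\[[^\]]*\]|\d+", reply_filter)
    octets = ipaddress.IPv4Address(answer).packed
    return len(parts) == 4 and all(octet_matches(p, o) for p, o in zip(parts, octets))

# (action, filter) pairs taken from the two zen.spamhaus.org configurations in the thread
BEFORE = [("reject", None)]
AFTER = [("reject", "127.0.0.[2..11]"), ("warn", "127.255.255.[1..255]")]

def decide(rules, answers):
    """answers: A records returned for the client IP; an empty list means not listed."""
    for action, reply_filter in rules:
        if any(reply_matches(reply_filter, a) for a in answers):
            return action             # "warn" = warn_if_reject: logged, mail continues
    return "pass"

if __name__ == "__main__":
    samples = {                       # constructed answers, not real lookups
        "not listed": [],
        "listed": ["127.0.0.4"],
        "error-range reply": ["127.255.255.254"],
    }
    for label, answers in samples.items():
        print(f"{label:18} before={decide(BEFORE, answers):6} after={decide(AFTER, answers)}")
```

Under the filtered rules the error-range answer no longer bounces mail, but the lookup is still made each time, which is why the filter alone does not reduce the query volume discussed in the last reply.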
     
