Incoming mail to Plesk server is rejected by Spamhaus BL: Error: open resolver

Symptoms

• All incoming mail to Plesk server is rejected;
• DNSBL protection using Spamhaus is enabled in Plesk:
  
• Plesk server is configured to use an open DNS resolver:

  # cat /etc/resolv.conf
  nameserver 1.1.1.1
  nameserver 8.8.8.8

• 554 5.7.1 Service unavailable status code is returned to the sending SMTP system;
• Sending email clients may receive an NDR bounce message;
• The following lines are logged to the /var/log/maillog file:

  PLESK_INFO: Aug 12 08:19:18 ziprelay postfix/smtpd[20247]: NOQUEUE: reject: RCPT from mail-oln040092073050.outbound.protection.outlook.com[203.0.113.2]: 554 5.7.1 Service unavailable; Client host [203.0.113.2] blocked using sbl.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/2001:db8:f61:a1ff:0:0:0:80; from=<username@hotmail.com> to=<user@example.com> proto=ESMTP helo=<EUR04-HE1-obe.outbound.protection.outlook.com>

  PLESK_INFO: Your message couldn't be delivered because it's suspected of being spam For best practices when sending email, user@example.com Remote Server returned '550 5.7.514 Decision Engine classified the mail item was rejected because of IP Block (from outbound normal IP pools) -> 554 5.7.1 Service unavailable; Client host [203.0.113.2] blocked using zen.spamhaus.org'

Cause

Email messages are rejected due to the fact that Spamhaus stopped supporting public DNS resolvers and Plesk server is configured to use them. For more information on a change in Spamhaus policy, please refer here.

Resolution

There are several ways of solving:

1. Disable DNSBL queries on Plesk server by unchecking the Turn on spam protection based on DNS blackhole lists checkbox at Tools & Settings > Mail Server Settings.
2. Configure Plesk server to use a non-public DNS resolver. To use a private DNS resolver, you would have to:

   1. Set up an on-premise DNS server, or utilize a private DNS resolver service such as Azure DNS Private Resolver.
   2./etc/resolv.conf would then have to be edited to point the server to the new DNS resolver's IP using the format:

   CONFIG_TEXT: nameserver 192.0.2.2

3. Configure Plesk server to use a different DNSBL service that does not forces us to access it via non-public DNS resolvers: dnsbl.info; spamcop.net; spam.abuse.net
4. Switch to using Spamhaus DQS (Data Query Service) as a way to access the DNSBL service. The drawback of this approach is that it requires you to contact Spamhaus to get an access key. More information can be found here.
5. Edit the /etc/postfix/main.cf configuration file as described below to introduce exclusions (specific email addresses or whole domains) to Postfix.
   How to add exclusions to Postfix:

   1. Create the /etc/postfix/rbl_override file:

      # touch /etc/postfix/rbl_override

   2. Edit /etc/postfix/rbl_override file and add domains  - one per line:

      # vi /etc/postfix/rbl_override
      gmail.com OK
      outlook.com OK

   3. Convert the file into a lookup table:

      # postmap /etc/postfix/rbl_override

   4. Alter the Postfix configuration file /etc/postfix/main.cf in regard to the following directive:

      CONFIG_TEXT: smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client sbl.spamhaus.org

      It should look like:

      CONFIG_TEXT: smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/rbl_override, reject_rbl_client sbl.spamhaus.org