Applicable to:
- Plesk for Linux
Symptoms
- DNSBL protection using Spamhaus is enabled in Plesk;
- All incoming mail to Plesk server is rejected;
- The server is in the Hetzner network and uses Hetzner DNS resolvers (starting February 19, 2025), OR any other server using an open resolver.
- Plesk server is configured to use an open DNS resolver:

    # cat /etc/resolv.conf
    nameserver 1.1.1.1
    nameserver 8.8.8.8

- 554 5.7.1 Service unavailable status code is returned to the sending SMTP system;
- Sending email clients may receive an NDR bounce message;
- The following lines are logged to the /var/log/maillog file:

    Aug 12 08:19:18 ziprelay postfix/smtpd[20247]: NOQUEUE: reject: RCPT from mail-oln040092073050.outbound.protection.outlook.com[203.0.113.2]: 554 5.7.1 Service unavailable; Client host [203.0.113.2] blocked using sbl.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/2001:db8:f61:a1ff:0:0:0:80; from=username@hotmail.com to=user@example.com proto=ESMTP helo=<EUR04-HE1-obe.outbound.protection.outlook.com>

    Your message couldn't be delivered because it's suspected of being spam For best practices when sending email, user@example.com Remote Server returned '550 5.7.514 Decision Engine classified the mail item was rejected because of IP Block (from outbound normal IP pools) -> 554 5.7.1 Service unavailable; Client host [203.0.113.2] blocked using zen.spamhaus.org'
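To see which configured DNSBL zones are producing this error, the rejects can be grouped by zone. The script below is an added example, not part of the original article; the function names and the sample log lines are constructed for illustration, and only rejects carrying "Error: open resolver" are counted, so genuine listings are left out.

```shell
#!/bin/sh
# Added example: count Postfix rejects caused by the DNSBL "open resolver"
# error, grouped by the DNSBL zone named in the reject line.

# Read maillog lines on stdin and print "<zone> <count>" per affected zone.
open_resolver_zones() {
    sed -n 's/.* reject: .*blocked using \([^;]*\); Error: open resolver.*/\1/p' |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample input (documentation addresses, not real traffic).
# The third line is an ordinary listing and must not be counted.
sample_maillog() {
    cat <<'EOF'
Aug 12 08:19:18 mx postfix/smtpd[20247]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.2]: 554 5.7.1 Service unavailable; Client host [203.0.113.2] blocked using sbl.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/192.0.2.53; from=<a@example.net> to=<user@example.com> proto=ESMTP helo=<mail.example.net>
Aug 12 08:19:40 mx postfix/smtpd[20251]: NOQUEUE: reject: RCPT from out.example.org[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using sbl.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/192.0.2.53; from=<b@example.org> to=<user@example.com> proto=ESMTP helo=<out.example.org>
Aug 12 08:20:02 mx postfix/smtpd[20260]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/198.51.100.7; from=<c@example.invalid> to=<user@example.com> proto=ESMTP helo=<host>
Aug 12 08:21:15 mx postfix/smtpd[20263]: NOQUEUE: reject: RCPT from relay.example.net[203.0.113.20]: 554 5.7.1 Service unavailable; Client host [203.0.113.20] blocked using cbl.abuseat.org; Error: open resolver; https://check.spamhaus.org/returnc/pub/192.0.2.53/; from=<d@example.net> to=<user@example.com> proto=ESMTP helo=<relay.example.net>
EOF
}

# With a log file argument, scan that file; otherwise scan the sample.
if [ -n "${1:-}" ]; then
    open_resolver_zones < "$1"
else
    sample_maillog | open_resolver_zones
fi
```

On a live server, pass /var/log/maillog as the argument; every zone it prints is affected by the resolver problem, including zones that do not carry the Spamhaus name.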
Cause
Email messages are rejected because Spamhaus has stopped supporting public DNS resolvers and the Plesk server is configured to use them. For more information on the change in Spamhaus policy, please refer to the Spamhaus explanation here.
If the server is using Spamhaus DNS resolvers on or after February 19, 2025, it is also affected.
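To confirm this cause on a given server, a DNSBL zone can be probed with the RFC 5782 test address 127.0.0.2 and the answer interpreted. The script below is an added example, not part of the original article; it assumes dig is installed, the function names are hypothetical, and the 127.255.255.x meanings are the error codes Spamhaus documents.

```shell
#!/bin/sh
# Added example: probe a DNSBL zone with the RFC 5782 test address 127.0.0.2
# and interpret the answer. Requires dig (bind-utils / dnsutils).

# Map one A-record answer to a verdict. The 127.255.255.x values are the
# error codes Spamhaus documents; they are not listings.
classify_dnsbl_answer() {
    case "$1" in
        127.255.255.254) echo open-resolver ;;  # query arrived via a public/open resolver
        127.255.255.255) echo rate-limited ;;   # excessive number of queries
        127.255.255.252) echo zone-typo ;;      # mistyped DNSBL zone name
        127.255.255.*)   echo other-error ;;    # unrecognised code in the error range
        127.*)           echo ok ;;             # test entry listed: lookups work
        *)               echo unexpected ;;
    esac
}

# Reduce all answers for one query to a single verdict; any error code wins.
verdict_for_answers() {
    verdict=no-answer                           # NXDOMAIN, timeout or empty reply
    for answer in $1; do
        v=$(classify_dnsbl_answer "$answer")
        [ "$v" = ok ] || { verdict=$v; break; }
        verdict=ok
    done
    echo "$verdict"
}

# probe_dnsbl ZONE [RESOLVER_IP]; without RESOLVER_IP dig uses /etc/resolv.conf.
probe_dnsbl() {
    answers=$(dig +short +time=3 +tries=1 ${2:+"@$2"} "2.0.0.127.$1" A |
        grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
    echo "$1 via ${2:-system resolver}: $(verdict_for_answers "$answers")"
}

# Usage: sh probe.sh zen.spamhaus.org [192.0.2.2]
if [ -n "${1:-}" ]; then probe_dnsbl "$@"; fi
```

Run it once without a resolver argument to test the path configured in /etc/resolv.conf (this also covers a local stub such as 127.0.0.53), and once against a candidate private resolver's address before switching to it.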
Resolution
Current Epic proposal: [PPP-67660] Spamhaus Dependency Removal for Enhanced Email Reliability - Jira
There are several ways to resolve this:
- Disable DNSBL queries on the Plesk server by unchecking the Turn on spam protection based on DNS blackhole lists checkbox at Tools & Settings > Mail Server Settings.
- Configure the Plesk server to use a non-public DNS resolver. To use a private DNS resolver, you would have to:
  1. Set up an on-premise DNS server, or utilize a private DNS resolver service such as Azure DNS Private Resolver.
  2. Edit /etc/resolv.conf to point the server to the new DNS resolver's IP using the format:

         nameserver 192.0.2.2

- Configure the Plesk server to use a different DNSBL service that does not require access via non-public DNS resolvers: dnsbl.info; spamcop.net; spam.abuse.net
- Switch to using Spamhaus DQS (Data Query Service) as a way to access the DNSBL service. The drawback of this approach is that it requires you to contact Spamhaus to get an access key. More information can be found here.
- Edit the /etc/postfix/main.cf configuration file as described below to introduce exclusions (specific email addresses or whole domains) to Postfix.
  - Create the /etc/postfix/rbl_override file:

        # touch /etc/postfix/rbl_override

  - Edit the /etc/postfix/rbl_override file and add domains, one per line:

        # vi /etc/postfix/rbl_override
        gmail.com OK
        outlook.com OK

  - Convert the file into a lookup table:

        # postmap /etc/postfix/rbl_override

  - Alter the following directive in the Postfix configuration file /etc/postfix/main.cf:

        smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client sbl.spamhaus.org

    It should look like:

        smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/rbl_override, reject_rbl_client sbl.spamhaus.org
Comments
cbl.abuseat.org also uses spamhaus.org, see the error message:
after disabling cbl.abuseat.org too, incoming mails are now working
Man, I was looking for the issue for hours. You are a lifesaver! I hope you know that. One thing that's different regarding your answer, because I am using the Hetzner DNS Console:
root@plesk ~ # cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search .
Any idea how to fix it using the Hetzner console? I will contact Hetzner anyway and update my comment if I find something.
Update: Hetzner is aware of the problem and is currently trying to figure out how to fix it. I will keep you updated. I would suggest removing the Spamhaus check from the list until Hetzner has fixed the error on their side, because when using the Hetzner DNS via localhost:53, it's not in our hands to fix it. If you are using 1.1.1.1 or 8.8.8.8, it's your task.
Hetzner told me to change to Spamhaus DQS which I did but I still get a rejection error:
NOQUEUE: reject: RCPT from unlisted.blt.spamhaus.net[199.168.89.101]: 554 5.7.1 Service unavailable; Client host [199.168.89.101] blocked using cbl.abuseat.org; Error: open resolver; https://check.spamhaus.org/returnc/pub/2a01:4f8:0:a104::add:1d/; from=<probe@unlisted.blt.spamhaus.net> to=<info@xxx.de> proto=ESMTP helo=<unlisted.blt.spamhaus.net>
Johannes Gmelin cbl.abuseat.org also uses spamhaus.org; it is advised to remove it too, prefer using the ones recommended on solution 3: dnsbl.info; spamcop.net; spam.abuse.net
Gilson, why don't you publish my comment, and advise him after a few days the same thing I said already?
musti19 I'm checking that; your comment is pending approval and I'm checking how to approve it. When your comment is published I'm happy to remove mine.
I'm using Spamhaus within the Plesk Email Security Extension without any problems.
Is it affected too?
I'm not using DNS-Blackhole-Lists under the Mail Server Settings.
Voelu28 it is supposed to be affected too if you use Hetzner DNS resolvers, or any other open resolvers in your server (hint: /etc/resolv.conf), because it is implemented internally in the same way as the option in Tools & Settings. But if email traffic is flowing there is no reason to worry, and your server is not being affected. Feel free to open a ticket in case you want to double check with our team!