Applicable to:
- Plesk for Linux
Symptoms
- All incoming mail to the Plesk server is rejected, and errors similar to the following appear in /var/log/maillog:
CONFIG_TEXT: Aug 12 08:19:18 ziprelay postfix/smtpd[20247]: NOQUEUE: reject: RCPT from mail-oln040092073050.outbound.protection.outlook.com[203.0.113.2]: 554 5.7.1 Service unavailable; Client host [203.0.113.2] blocked using sbl.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/2001:db8:f61:a1ff:0:0:0:80; from=username@hotmail.com to=user@example.com proto=ESMTP helo=<EUR04-HE1-obe.outbound.protection.outlook.com>
CONFIG_TEXT: Your message couldn't be delivered because it's suspected of being spam For best practices when sending email, user@example.com Remote Server returned '550 5.7.514 Decision Engine classified the mail item was rejected because of IP Block (from outbound normal IP pools) -> 554 5.7.1 Service unavailable; Client host [203.0.113.2] blocked using zen.spamhaus.org'
- The virtual server is either in the Hetzner network and uses Hetzner DNS resolvers, or it uses public open resolvers as its DNS resolvers. This can be confirmed by checking the contents of the /etc/resolv.conf file:
# cat /etc/resolv.conf
nameserver 1.1.1.1
nameserver 8.8.8.8
- A DNSBL hostname that includes the words spamhaus or abuseat is enabled in Plesk at Tools & Settings > Mail Server Settings > Spam protection based on DNS blackhole lists > DNS zones for DNSBL service.
Cause
Email messages are rejected because the free public Spamhaus DNS blacklists (and a few other blacklists that rely on them) have intentionally stopped supporting queries from public DNS resolvers and Hetzner network DNS resolvers without additional registration, and your Plesk server is currently configured to query them through such resolvers.
The email rejection issue itself is caused entirely by changes that Spamhaus has enforced on its DNSBL, solely on their end.
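Both symptoms can be checked from the command line. The following is an added example, not part of the original article: the function names, the short list of public resolver addresses and the sample files are constructed for illustration, and Hetzner's resolver addresses are not included.

```sh
#!/bin/sh
# Added diagnostic sketch: function names and all sample data are constructed.

# Classify each nameserver in a resolv.conf-style file. The public list is a
# small illustrative set; add your provider's shared resolvers (e.g. Hetzner's).
classify_resolvers() {
    awk '$1 == "nameserver" {
        ip = $2; kind = "other"
        if (ip ~ /^(1\.1\.1\.1|1\.0\.0\.1|8\.8\.8\.8|8\.8\.4\.4|9\.9\.9\.9)$/) kind = "public"
        # systemd-resolved stub: the real upstream is not visible in this file
        if (ip == "127.0.0.53") kind = "stub"
        print ip, kind
    }' "$1"
}

# Count Postfix rejects that carry the DNSBL "open resolver" error, per zone.
# Genuine listings (no "Error: open resolver") are deliberately not counted.
open_resolver_rejects() {
    grep 'NOQUEUE: reject:' "$1" | grep 'Error: open resolver' |
        sed -n 's/.*blocked using \([A-Za-z0-9.-]*\);.*/\1/p' |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample input so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/resolv.conf" <<'EOF'
nameserver 1.1.1.1
nameserver 127.0.0.53
nameserver 192.0.2.2
options edns0 trust-ad
EOF
cat > "$SAMPLE_DIR/maillog" <<'EOF'
Aug 12 08:19:18 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from a.example[203.0.113.2]: 554 5.7.1 Service unavailable; Client host [203.0.113.2] blocked using sbl.spamhaus.org; Error: open resolver; from=<a@example.com> to=<u@example.org>
Aug 12 08:20:02 mx postfix/smtpd[102]: NOQUEUE: reject: RCPT from b.example[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using sbl.spamhaus.org; Error: open resolver; from=<b@example.com> to=<u@example.org>
Aug 12 08:21:40 mx postfix/smtpd[103]: NOQUEUE: reject: RCPT from c.example[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using cbl.abuseat.org; Error: open resolver; from=<c@example.com> to=<u@example.org>
Aug 12 08:22:11 mx postfix/smtpd[104]: NOQUEUE: reject: RCPT from d.example[198.51.100.4]: 554 5.7.1 Service unavailable; Client host [198.51.100.4] blocked using b.barracudacentral.org; from=<d@example.com> to=<u@example.org>
Aug 12 08:23:00 mx postfix/smtpd[105]: connect from e.example[198.51.100.5]
EOF

classify_resolvers "$SAMPLE_DIR/resolv.conf"
open_resolver_rejects "$SAMPLE_DIR/maillog"
```

On a real server, pass /etc/resolv.conf and /var/log/maillog instead of the sample files; a "stub" result means the upstream resolver has to be looked up separately, for example with resolvectl status.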
Resolution
Current Epic proposal: [PPP-67660] Spamhaus Dependency Removal for Enhanced Email Reliability - Jira
The recommended ways to resolve the issue are the following:
Follow the official recommendation by Spamhaus, which is the following:
To successfully query Spamhaus via public/open resolvers, there is a FREE service which delivers the intelligence faster and with additional blocklists available to increase catch-rates: Spamhaus Data Query Service. Here are the details of how to make the change:
Sign up for the free Spamhaus Data Query Service. The same usage terms apply.
Make the relevant change to your server configuration. The Spamhaus Technical Documentation site has full configuration details for many mail servers and anti spam solutions.
Spamhaus essentially states that they will allow you to use public or Hetzner DNS resolvers when querying their DNS blackhole lists only after you sign up for their Data Query Service. This limitation is imposed on their end and it is unrelated to Plesk.
If you would like to stop having issues with email delivery caused by Spamhaus changes right away, you should simply stop using their DNS blackhole lists in your mail server settings. This can be achieved by following these steps:
2. Go to Tools & Settings > Mail Server Settings
3. Scroll down to the Spam protection based on DNS blackhole lists section
4. In the DNS zones for DNSBL service field, remove anything that includes spamhaus or abuseat (this DNSBL uses Spamhaus) in its name and leave only the properly working blacklists that your mail server should query when checking incoming emails, for example:
CONFIG_TEXT: bl.0spam.org;b.barracudacentral.org
5. Press Apply
Once this is done, incoming emails will no longer be blocked on your server for no real reason.
More complex solutions that could result in unexpected complications:
To use a private DNS resolver, you would have to:
1. Set up an on-premise DNS server, or utilize a private DNS resolver service such as Azure DNS Private Resolver.
2. Edit /etc/resolv.conf to point the server to the new DNS resolver's IP, using the format:
CONFIG_TEXT: nameserver 192.0.2.2
/etc/postfix/main.cf configuration file to introduce exclusions
Add exclusions (specific email addresses or whole domains) to Postfix by following the steps below:
- Create the /etc/postfix/rbl_override file:
# touch /etc/postfix/rbl_override
- Edit the /etc/postfix/rbl_override file and add domains, one per line:
# vi /etc/postfix/rbl_override
gmail.com OK
outlook.com OK
- Convert the file into a lookup table:
# postmap /etc/postfix/rbl_override
- Alter the following directive in the Postfix configuration file /etc/postfix/main.cf:
CONFIG_TEXT: smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client sbl.spamhaus.org
It should look like:
CONFIG_TEXT: smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/rbl_override, reject_rbl_client sbl.spamhaus.org
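Postfix evaluates the entries of smtpd_client_restrictions from left to right and stops at the first one that matches, which is why the override lookup has to come before reject_rbl_client. The check below is an added example, not part of the original article; the function name and both sample files are constructed, and it also handles a directive wrapped over continuation lines.

```sh
#!/bin/sh
# Added check: the function name and both sample files are constructed.

# Prints "ok" when a check_client_access lookup precedes every
# reject_rbl_client in smtpd_client_restrictions, "unprotected" when one
# does not, and "no-rbl" when no reject_rbl_client is configured.
rbl_override_order() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        /^[ \t]/ { if (cur) val = val " " $0; next } # continuation line
        { cur = 0 }
        /^smtpd_client_restrictions[ \t]*=/ {
            cur = 1; val = $0; sub(/^[^=]*=/, "", val)
        }
        END {
            gsub(/,/, " ", val); n = split(val, tok, /[ \t]+/)
            result = "no-rbl"; seen = 0
            for (i = 1; i <= n; i++) {
                if (tok[i] == "check_client_access") seen = 1
                if (tok[i] == "reject_rbl_client") {
                    if (!seen) { result = "unprotected"; break }
                    result = "ok"
                }
            }
            print result
        }' "$1"
}

# Constructed samples: the directive before and after the change above.
CONF_DIR=$(mktemp -d)
cat > "$CONF_DIR/before.cf" <<'EOF'
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client sbl.spamhaus.org
EOF
cat > "$CONF_DIR/after.cf" <<'EOF'
# same directive as in the last step, wrapped over continuation lines
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_rbl_client sbl.spamhaus.org
EOF

rbl_override_order "$CONF_DIR/before.cf"
rbl_override_order "$CONF_DIR/after.cf"
```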
Comments
10 comments
cbl.abuseat.org also uses spamhaus.org, see the error message:
after disabling cbl.abuseat.org too, incoming mails are now working
Man, I was looking for the issue since hours. You are a lifesaver! I hope you know that. One thing that's different regarding your answer because I am using the Hetzner DNS Console:
root@plesk ~ # cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search .
Any idea how to fix it using the Hetzner console? I will contact Hetzner anyway and update my comment if I find something.
Update: Hetzner is aware of the problem and is currently trying to figure out how to fix it. I will keep you updated. I would suggest removing the Spamhaus check from the list until Hetzner fixed the error on their side because when using the Hetzner DNS via localhost:53, it's not in our hand to fix it. If you are using 1.1.1.1 or 8.8.8.8 it's your task.
Hetzner told me to change to Spamhaus DQS which I did but I still get a rejection error:
NOQUEUE: reject: RCPT from unlisted.blt.spamhaus.net[199.168.89.101]: 554 5.7.1 Service unavailable; Client host [199.168.89.101] blocked using cbl.abuseat.org; Error: open resolver; https://check.spamhaus.org/returnc/pub/2a01:4f8:0:a104::add:1d/; from=<probe@unlisted.blt.spamhaus.net> to=<info@xxx.de> proto=ESMTP helo=<unlisted.blt.spamhaus.net>
Gilson, why don't you publish my comment and advise him after a few days the same as I said already??
musti19 I'm checking that; your comment is pending approval and I'm checking how to approve it. When your comment is published I'm happy to remove mine.
I'm using Spamhaus within the Plesk Email Security Extension without any problems.
Is it affected too?
I'm not using DNS-Blackhole-Lists under the Mail Server Settings.
Voelu28 it is supposed to be affected too if you use Hetzner DNS resolvers, or any other open resolvers in your server (hint: /etc/resolv.conf), because it is implemented internally in the same way as the option in tools & settings. But if email traffic is flowing there is no reason to worry, and your server is not being affected. Feel free to open a ticket in case you want to double check with our team!
The motto here seems to be “never trust free services” - such as spamhaus.
Johannes Gmelin cbl.abuseat.org also uses spamhaus.org; it is advised to remove it too, prefer using the ones recommended on solution 3: dnsbl.info;spamcop.net;spam.abuse.net