- Plesk for Linux
- All incoming mail to Plesk server is rejected;
- DNSBL protection using Spamhaus is enabled in Plesk:
- Plesk server is configured to use an open DNS resolver:
# cat /etc/resolv.conf
- 554 5.7.1 Service unavailable status code is returned to the sending SMTP system;
- Sending email clients may receive an NDR bounce message;
- The following lines are logged to the
PLESK_INFO: Aug 12 08:19:18 ziprelay postfix/smtpd: NOQUEUE: reject: RCPT from mail-oln040092073050.outbound.protection.outlook.com[203.0.113.2]: 554 5.7.1 Service unavailable; Client host [203.0.113.2] blocked using sbl.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/2001:db8:f61:a1ff:0:0:0:80; from=<email@example.com> to=<firstname.lastname@example.org> proto=ESMTP helo=<EUR04-HE1-obe.outbound.protection.outlook.com>
PLESK_INFO: Your message couldn't be delivered because it's suspected of being spam For best practices when sending email, email@example.com Remote Server returned '550 5.7.514 Decision Engine classified the mail item was rejected because of IP Block (from outbound normal IP pools) -> 554 5.7.1 Service unavailable; Client host [203.0.113.2] blocked using zen.spamhaus.org'
Email messages are rejected due to the fact that Spamhaus stopped supporting public DNS resolvers and Plesk server is configured to use them. For more information on a change in Spamhaus policy, please refer here.
There are several ways of solving:
- Disable DNSBL queries on Plesk server by unchecking the Turn on spam protection based on DNS blackhole lists checkbox at Tools & Settings > Mail Server Settings.
- Configure Plesk server to use a non-public DNS resolver. To use a private DNS resolver, you would have to:
1. Set up an on-premise DNS server, or utilize a private DNS resolver service such as Azure DNS Private Resolver.
/etc/resolv.confwould then have to be edited to point the server to the new DNS resolver's IP using the format:
CONFIG_TEXT: nameserver 192.0.2.2
- Configure Plesk server to use a different DNSBL service that does not forces us to access it via non-public DNS resolvers: dnsbl.info; spamcop.net; spam.abuse.net
- Switch to using Spamhaus DQS (Data Query Service) as a way to access the DNSBL service. The drawback of this approach is that it requires you to contact Spamhaus to get an access key. More information can be found here.
- Edit the
/etc/postfix/main.cfconfiguration file as described below to introduce exclusions (specific email addresses or whole domains) to Postfix.How to add exclusions to Postfix:
- Create the
# touch /etc/postfix/rbl_override
/etc/postfix/rbl_overridefile and add domains - one per line:
# vi /etc/postfix/rbl_override
Convert the file into a lookup table:
# postmap /etc/postfix/rbl_override
Alter the Postfix configuration file
/etc/postfix/main.cfin regard to the following directive:
CONFIG_TEXT: smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client sbl.spamhaus.org
It should look like:
CONFIG_TEXT: smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/rbl_override, reject_rbl_client sbl.spamhaus.org
- Create the