Outbound failures due to SpamHaus dbl open resolver error

Synchro · August 27, 2022, 9:08am

All of a sudden, outbound mail for all users across all domains is failing with errors like this:

Service unavailable; Sender address [[user@example.com]
(mailto:user@example.com)] blocked using [dbl.spamhaus.org](http://dbl.spamhaus.org); 
Error: open resolver; https://www.spamhaus.org/returnc/pub/172.71.125.38

That IP address (and others that are reported in similar errors) belongs to CloudFlare, which I’m not aware of using at all. It’s not the IP of my mail server, nor its DNS server (I’m not using MIAB as my DNS server, and the mail server itself is using my hosting provider’s DNS (Scaleway)), nor the client’s IP. When I visit the SpamHaus info pages for any of the domains or IPs, it reports that there are no problems, nor do they appear on any blacklists that I can find.

Curiously, this only seems to be applied to external mail clients. Webmail on the same server works fine.

I updated all packages, re-ran the MIAB installer and rebooted, but nothing changed.

Anyone have any bright ideas what the problem might be and how to solve it?

Synchro · August 27, 2022, 9:37am

Unsurprisingly, disabling the spamhaus dbl check in postfix stops the problem happening, however, I’d much prefer to fix the cause than the symptom!

KiekerJan · August 27, 2022, 10:48am

Did you read the link (DNSBL Error Code - Open/public resolver - The Spamhaus Project)? It seems like the recipient’s ip is somehow on a blocklist. Is mail only to this specific recipient blocked? Or can your users not send mail to any recipient?

openletter · August 27, 2022, 11:28am

I did one very basic test of Cloudflare’s new mail service when it was in beta, and it seems to be more like a proxy. I wondered if users of the Cloudflare service are experiencing issues and these search results in the Cloudflare forums may be informative:

https://community.cloudflare.com/search?q=spamhaus

Synchro · August 30, 2022, 10:30am

Yes, I did read it. It was affecting all recipients on all domains.

I’ve noticed today that the zen.spamhaus.org check for inbound mail is also failing for a very similar reason which looks like it has elements in common with this topic. For example:

Aug 30 09:25:10 mail postfix/smtpd[12160]: NOQUEUE: reject: RCPT from mail-wr1-f46.google.com[209.85.221.46]: 554 5.7.1 Service
unavailable; Client host [209.85.221.46] blocked using zen.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/
pub/172.71.129.38; from=<user@gmail.com> to=<user@example.com> proto=ESMTP helo=<mail-wr1-f46.google.com>

That failing IP is gmail! If I remove reject_rbl_client zen.spamhaus.org from my main.cf, it works again. Is spamhaus becoming especially unreliable recently?

openletter · August 30, 2022, 12:29pm

The only spam I get in my inbox comes from Gmail and Microsoft, and it is always the very worst spam with malware links, .doc attachments, etc. If Spamhaus is blocking Gmail, then my opinion is they are doing their job.