7/09/2022

Postfix: Issues with RBLs by spamhaus.org

I use zen.spamhaus.org amongst other RBLs.

It stopped working today, after I switched from ipv4 to ipv6. Not related? Well, it is, actually. Here is what happened:

I would expect a failing RBL server would cause postfix to accept too many messages, i.e. not filtered by spamhaus. But no, it just rejected all incoming messages!

The message in the mail.log was simple:

NOQUEUE: reject: RCPT from xxx.xxx.xx[xxx.xxx.xxx.xxx]: 554 5.7.1 Service unavailable; Client host [xxx.xxx.xxx.xxx] blocked using zen.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/xxx.xxx.xxx.xx; from=<xxx@xxx.xx> to=<xxx@xxx.xx> proto=ESMTP helo=<xxx.xxx.xx>

If you do not read this thoroughly, it may seem like a standard rejection message, easy to miss in a large log file. I have marked the two important parts above: "service not available", and "error: open resolver".
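The log check described above, as an added example that is not part of the original post: it scans mail.log lines for DNSBL rejects and separates those whose reason text starts with "Error:" (the list operator refusing the query) from genuine listings. The sample lines, addresses and the zone dnsbl.example.org are constructed, and the 0.9 threshold is an assumption.

```python
import re
from collections import Counter

# Postfix DNSBL reject line, in the shape shown in the post: "reject: RCPT from
# host[ip]: 554 5.7.1 Service unavailable; ... blocked using <zone>; <reason>; from=<"
REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: \d{3} \S+ "
    r"Service unavailable; Client host \[[^\]]+\] blocked using "
    r"(?P<zone>[^;]+); (?P<reason>.*?); from=<")

def classify(line):
    """Return (zone, kind, client_ip) for a DNSBL reject line, else None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    # "Error: ..." is the list operator refusing the query (as in the post),
    # not a verdict about the sending client.
    is_error = m["reason"].lstrip().lower().startswith("error:")
    return m["zone"].strip(), "dnsbl_error" if is_error else "listed", m["ip"]

def summarize(lines):
    """Count rejects per (zone, kind)."""
    return Counter(hit[:2] for hit in map(classify, lines) if hit)

def broken_zones(counts, min_share=0.9):
    """Zones whose rejects are nearly all operator errors: lookups are broken."""
    def share(z):
        err, ok = counts[(z, "dnsbl_error")], counts[(z, "listed")]
        return err / (err + ok)
    return sorted(z for z in {z for z, _ in counts} if share(z) >= min_share)

def sample_line(ip, zone, reason):
    # Constructed log line; hosts, addresses and mailboxes are placeholders.
    return (f"Sep  7 10:00:00 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from "
            f"mail.example.net[{ip}]: 554 5.7.1 Service unavailable; Client host "
            f"[{ip}] blocked using {zone}; {reason}; from=<a@example.net> "
            f"to=<b@example.org> proto=ESMTP helo=<mail.example.net>")

ERR = "Error: open resolver; https://www.spamhaus.org/returnc/pub/192.0.2.53"
SAMPLE_LOG = [  # constructed input, not taken from a real server
    sample_line("192.0.2.10", "zen.spamhaus.org", ERR),
    sample_line("2001:db8::25", "zen.spamhaus.org", ERR),
    sample_line("198.51.100.7", "dnsbl.example.org", "listed, see https://dnsbl.example.org/q"),
    "Sep  7 10:00:05 mx postfix/smtpd[1201]: connect from mail.example.net[192.0.2.10]",
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)), "broken:", broken_zones(summarize(SAMPLE_LOG)))
```

`summarize()` accepts any iterable of lines, so an open log file can be passed to it directly.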

More digging revealed the reason for the problem: spamhaus try to limit you to a "fair use" model, which is fair enough. If you are running postfix on a shared server, chances are that you are not eligible for the free tier, because too many requests are coming from the same IP, thus looking like violating fair use.

In my case, I could be sure that it was not the reason, as I own the physical server.

It turns out that a further hurdle on the way to the fair use model is that your IP needs to support reverse DNS lookup. Not sure why, but it is what it is.

Having moved to ipv6, the DNS server did not respond with any names when given the new IP address. A forward lookup did work though. Weird! I still need to figure that one out. A mail server whose name cannot be trusted is worth zip in today's internet - and for good reason.

There is a workaround, they describe it pretty well here. But I will keep working on getting the reverse DNS lookup working, it sounds like a much better option.

Anyway, until then I have removed spamhaus from my RBLs, so I can receive emails again. It is better to err on the side of receiving too much spam rather than blocking everyone.

I hope this research into how this exact error message was caused may help some others, even if their root cause may be a different one. There is too much BS about this on the web - after reading through it for two hours I decided to do the research myself. Here is hoping I can save you the time by writing this post.

Update

Further experiments show this:

  • when I switch off ipv6, spamhaus works fine, with ipv6 it does not
  • my reverse DNS is working fine, so this can be excluded as the culprit

I ended up signing up for the free tier of their data query service and configured postfix accordingly. Works like a charm now, including ipv6.

My guess is that their free-tier-verification process is somewhat broken when it comes to requests from ipv6 servers.

Anyway, there is a simple workaround, so this is off of my plate now :-)
