[SOLVED] Spamhaus false positive blocks and Virtualmin management of Postfix

SYSTEM INFORMATION
OS type and version: CentOS Linux 7.9.2009
Virtualmin version: 7.1
Authentic theme: 19.99
Postfix version: 2.10.1
Webmin version: 1.999

In recent days many emails are being rejected by Postfix due to a false positive with Spamhaus.
Typical mail log messages are


Aug 8 23:40:37 web1 postfix/smtpd[30941]: connect from mail-sy4aus01on2138.outbound.protection.outlook.com[40.107.107.138]
Aug 8 23:40:38 web1 postfix/smtpd[30941]: NOQUEUE: reject: RCPT from mail-sy4aus01on2138.outbound.protection.outlook.com[40.107.107.138]: 554 5.7.1 Service unavailable; Client host [40.107.107.138] blocked using zen.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/172.70.145.210; from=michaelb@xxx.com.au to=peter@xxx.com proto=ESMTP helo=<AUS01-SY4-obe.outbound.protection.outlook.com>
Aug 8 23:40:38 web1 postfix/smtpd[30941]: disconnect from mail-sy4aus01on2138.outbound.protection.outlook.com[40.107.107.138]


There are two issues:

  1. Why is this happening to a sender such as outlook.com?
  2. How do I turn off Spamhaus?

I think I’ve found the answer to 1. above but I’d like to get other opinions to confirm or set me straight.
The link in the error message points to a Spamhaus FAQ about open resolvers. Some months ago I added Cloudflare’s public DNS to my “Forwarders and resolvers” in Webmin BIND module. I have four entries there being my VPS host Vultr’s DNS and Cloudflare (1.1.1.1) in both IPv4 and IPv6.
I think that by using Cloudflare, Spamhaus does not like that they are an open resolver.

For issue 2, I tried to uncheck the two block list choices in Webmin > Postfix > SMTP client restrictions. The boxes unchecked and I saved, but when I went back to check the boxes were checked again. I restarted Postfix but still the boxes were checked.
When I manually edited /etc/postfix/main.cf to remove the references, then the change stuck. This is where I am now.

So I think that Spamhaus will not work reliably when using a public DNS server, and that there may be a bug in the “SMTP client restrictions” section of Webmin.

Can anyone confirm my diagnosis? Any help will be much appreciated.
Peter

I thought that was done in SpamAssassin.

P.S. That IP is ok when I checked https://check.spamhaus.org/

In Cloudflare DNS, have you got MX settings as DNS only, not proxy?

Thank you @stefan1959 for your reply.
My SpamAssassin has only a local.cf file so I guess we’re configured differently. I’m pretty sure that I took all the defaults when installing Virtualmin GPL a few years ago.

What I do have (had) in Postfix main.cf is a line for smtp_client_restrictions, the second last in the screenshot.

I think it represents the two last checkboxes in the SMTP Client Restrictions screen.

You checked my sender’s IP address against the blocklist, as I did, and it’s not there. I think Spamhaus is sending a “block this” reply because I got to Spamhaus through an open resolver (Cloudflare DNS).
I don’t use Cloudflare but entered their DNS to help when I was getting slow DNS responses from another forwarder. Maybe I should remove all forwarders and do root lookup for all non-local FQDNs.

I appreciate your help.

On closer inspection I found that IP address 172.70.145.210 (and others referenced as open resolvers) are attributed to Cloudflare. Thus it appears that when I configured 1.1.1.1 as a resolver it is distributed to various actual DNS servers - which is quite understandable but I didn’t recognize it at first.

If I read Spamhaus T&Cs correctly they offer the free (and unregistered) service only to non-commercial organisations, and the reason they do not accept open resolvers is that they hide the originator’s identity and might bypass Spamhaus’ request volume limits.

So the lesson I have learned is that if you want to use Spamhaus block lists as a free user, you must not use public DNS since they are open resolvers.
My attempt to speed up DNS queries by including public DNS servers in either “BIND>Forwarders and transfers”, or in “Network>Hostname and DNS Client” configuration is NOT a good idea.
Having removed these references the use of Spamhaus has returned to its normal and valuable operation.

The only unanswered issue is “Webmin>Postfix>SMTP Client restrictions” doesn’t appear to be able to remove RBLs by unchecking the checkbox.
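The open-resolver rejection in the log above, as an added diagnostic (not code from this thread, from Virtualmin or from Spamhaus): Spamhaus answers a refused query with a special 127.255.255.x A record instead of NXDOMAIN, and Postfix's plain reject_rbl_client treats any A record as a listing, so this script shows what the host's configured resolver actually gets back. The return-code tables follow Spamhaus's published codes; function names and the sample IPs are my own, and lookup() needs network access.

```python
import ipaddress
import socket

# Spamhaus ZEN return codes. 127.0.0.x means the IP is listed;
# 127.255.255.x means the query itself was refused. Postfix's plain
# reject_rbl_client rejects on either unless a code range is configured.
LISTING_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "anonymous query through public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def classify(answers):
    """Map the A records returned for a DNSBL query to (status, detail).
    status is 'listed', 'error' (query refused) or 'clean'."""
    errors = [ERROR_CODES[a] for a in answers if a in ERROR_CODES]
    if errors:
        return "error", "; ".join(errors)
    lists = sorted({LISTING_CODES[a] for a in answers if a in LISTING_CODES})
    if lists:
        return "listed", ",".join(lists)
    return "clean", ""


def query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: reversed IPv4 octets under the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip, zone="zen.spamhaus.org"):
    """Query the DNSBL through this host's configured resolver (needs network)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(query_name(ip, zone))
    except socket.gaierror:
        return "clean", ""  # NXDOMAIN: not listed, and no error code either
    return classify(addrs)


if __name__ == "__main__":
    # 127.0.0.2 is the standard DNSBL test address: a sane resolver path must
    # report it as 'listed'. An 'error' here means the resolver is refused.
    print("test record 127.0.0.2:", lookup("127.0.0.2"))
    # The Outlook sender from Peter's log; expected 'clean' via a local resolver.
    print("40.107.107.138:", lookup("40.107.107.138"))
```

Postfix can also be told to act only on real listing codes with `reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]`, so a refused query no longer rejects legitimate mail while the resolver problem is fixed.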

@PeterP - I came across something similar. Here’s my post:

I’d found mentions on the internet about using a local caching nameserver (Unbound) to get around the 100K limit imposed by some RBLs. Just not got around to trying it out.

HIH

Dibs
