Why is this happening to a sender such as outlook.com?
How do I turn off Spamhaus?
I think I’ve found the answer to 1. above but I’d like to get other opinions to confirm or set me straight.
The link in the error message points to a Spamhaus FAQ about open resolvers. Some months ago I added Cloudflare’s public DNS to my “Forwarders and resolvers” in Webmin BIND module. I have four entries there being my VPS host Vultr’s DNS and Cloudflare (1.1.1.1) in both IPv4 and IPv6.
I think that by using Cloudflare, Spamhaus does not like that they are an open resolver.
For issue 2, I tried to uncheck the two block list choices in Webmin > Postfix > SMTP client restrictions. The boxes unchecked and I saved, but when I went back to check, the boxes were checked again. I restarted Postfix but still the boxes were checked.
When I manually edited /etc/postfix/main.cf to remove the references, then the change stuck. This is where I am now.
So I think that Spamhaus will not work reliably when using a public DNS server, and that there may be a bug in the “SMTP client restrictions” section of Webmin.
Can anyone confirm my diagnosis? Any help will be much appreciated.
Peter
Thank you @stefan1959 for your reply.
My SpamAssassin has only a local.cf file so I guess we’re configured differently. I’m pretty sure that I took all the defaults when installing Virtualmin GPL a few years ago.
You checked my sender’s IP address against the blocklist, as I did, and it’s not there. I think Spamhaus is sending a “block this” reply because I got to Spamhaus through an open resolver (Cloudflare DNS).
I don’t use Cloudflare but entered their DNS to help when I was getting slow DNS responses from another forwarder. Maybe I should remove all forwarders and do root lookup for all non-local FQDNs.
On closer inspection I found that IP address 172.70.145.210 (and others referenced as open resolvers) are attributed to Cloudflare. Thus it appears that when I configured 1.1.1.1 as a resolver it is distributed to various actual DNS servers - which is quite understandable but I didn’t recognize it at first.
If I read Spamhaus T&Cs correctly they offer the free (and unregistered) service only to non-commercial organisations and the reason they do not accept open resolvers is that they hide the originator’s identity and might bypass Spamhaus’ request volume limits.
So the lesson I have learned is that if you want to use Spamhaus block lists as a free user, you must not use public DNS since they are open resolvers.
My attempt to speed up DNS queries by including public DNS servers in either “BIND>Forwarders and transfers”, or in “Network>Hostname and DNS Client” configuration is NOT a good idea.
Having removed these references the use of Spamhaus has returned to its normal and valuable operation.
The only unanswered issue is “Webmin>Postfix>SMTP Client restrictions” doesn’t appear to be able to remove RBLs by unchecking the checkbox.
@PeterP - I came across something similar. Here’s my post:
I’d found mentions on the internet about using a local caching nameserver (Unbound) to get around the 100K limit imposed by some RBLs. Just not got around to trying it out.
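An added example, not part of any post in this thread: a small Python check that separates Spamhaus error return codes (such as the open-resolver answer discussed above) from real listings, and shows why an unfiltered RBL restriction rejects every sender when the error code comes back. The zone name `zen.spamhaus.org`, the client address 192.0.2.25 and the function names are assumptions made for illustration.

```python
import ipaddress
import socket

# Spamhaus error return codes: they report a problem with the query, not a listing.
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query arrived via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

def dnsbl_qname(client_ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name (reversed octets or nibbles + zone)."""
    ip = ipaddress.ip_address(client_ip)
    # reverse_pointer is '25.2.0.192.in-addr.arpa' or '<nibbles>.ip6.arpa'
    return f"{ip.reverse_pointer.rsplit('.', 2)[0]}.{zone}"

def lookup(qname):
    """Resolve through the system resolver; an empty list means NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except socket.gaierror:
        return []

def classify(answers):
    """Separate error codes from listings in a DNSBL answer set."""
    if not answers:
        return ("not_listed", [])
    errors = [ERROR_CODES[a] for a in answers if a in ERROR_CODES]
    if errors:
        return ("resolver_error", errors)
    return ("listed", list(answers))

def rejects_any_answer(answers):
    """Models 'reject_rbl_client zone' with no '=d.d.d.d' filter: any A record rejects."""
    return bool(answers)

def rejects_listing_only(answers):
    """Models a filter such as 'zone=127.0.0.[2..11]': only listing codes reject."""
    for a in answers:
        p = a.split(".")
        if len(p) == 4 and p[:3] == ["127", "0", "0"] and 2 <= int(p[3]) <= 11:
            return True
    return False

if __name__ == "__main__":
    via_public_dns = ["127.255.255.254"]  # constructed answer, not a captured one
    print(dnsbl_qname("192.0.2.25"), classify(via_public_dns))
    print("unfiltered rejects:", rejects_any_answer(via_public_dns))
    print("filtered rejects:", rejects_listing_only(via_public_dns))
```

Calling `classify(lookup(dnsbl_qname(ip)))` on the mail server itself shows which kind of answer its configured resolver path actually receives.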