Diagnosis : [ERROR] Your IP or domain is blocklisted on Spamhaus ZEN

Support
1

What type of hardware are you using: VPS bought online
What YunoHost version are you running: 12.1.37 stable
How are you able to access your server: The webadmin
SSH
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: no

Describe your issue

Hello :slight_smile:

Post written in english, but you can also reply in french.

Just trying to solve an “old” issue, because i’m getting tired of receiving the “Issues found by automatic diagnosis” twice a day :smiley:

Diagnosis tells that my IP or domain is being blocklisted on Spamhaus for both ipv4 and ipv6. Yunohost is hosted on a Hetzner VPS.

I tried to check the content of /etc/resolv.conf as recommended in the error message :

cat /etc/resolve.conf

Result:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND – YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run “resolvectl status” to see details about the actual nameservers.

And i’m not sure what to do next?

Thanks in advance for anyone willing to help :wink:

Share relevant logs or error messages

=================================
Email (mail)

[ERROR] Your IP or domain 159.69.40.149 is blocklisted on Spamhaus ZEN

  • It looks like the reason mentions ‘open resolver’.This usually means your server is not using its local DNS, but a public, open, one. Check the contents of /etc/resolv.conf, it should contain nameserver 127.0.0.1.Since this file is usually automatically generated, do not edit it manually. Check your DHCP settings, or your VPN settings if you are using one, or if you used a Debian image made by, for example, a VPS provider, look for a cloudinit configuration. You are most welcome on the YunoHost support channels to get help on this issue. The verbatim blacklist reason is: “Error: open resolver; https://check.spamhaus.org/returnc/pub/2a01:4f8:1c0c:4db9::1/”
  • After identifying why you are listed and fixing it, feel free to ask for your IP or domain to be removed on ZEN Blocklist | Combined IP DNSBLs for effective email filtering

[ERROR] Your IP or domain 2a01:4f8:1c0c:4db9::1 is blocklisted on Spamhaus ZEN

  • It looks like the reason mentions ‘open resolver’.This usually means your server is not using its local DNS, but a public, open, one. Check the contents of /etc/resolv.conf, it should contain nameserver 127.0.0.1.Since this file is usually automatically generated, do not edit it manually. Check your DHCP settings, or your VPN settings if you are using one, or if you used a Debian image made by, for example, a VPS provider, look for a cloudinit configuration. You are most welcome on the YunoHost support channels to get help on this issue. The verbatim blacklist reason is: “Error: open resolver; https://check.spamhaus.org/returnc/pub/2a01:4f8:1c0c:4db9::1/”
  • After identifying why you are listed and fixing it, feel free to ask for your IP or domain to be removed on ZEN Blocklist | Combined IP DNSBLs for effective email filtering
2

Hmpf apparently Spamhaus also refuses queries from Hetzner (in addition to OVH IPv6) : Email Security | Query our DNSBLs via Hetzner's infrastructure? Move to free Data Query Service | Resources

It’s not clear wether it’s only via IPv6 so you may give a try to :
a) commenting-out the IPv6 in /etc/dnsmasq/spamhaus
b) restarting dnsmasq
c) relauching the email part of the diagnosis, see if the issue disapears

If that doesn’t do it, you may try to:
a) commenting every line in /etc/dnsmasq/spamhaus
b) commenting the DNS4all IPs in /etc/resolv.dnsmasq.conf (these are those ones : yunohost/conf/dnsmasq/plain/resolv.dnsmasq.conf at dev ¡ YunoHost/yunohost ¡ GitHub but they will be a shuffled order)
c) restarting dnsmasq
d) relauching the email part of the diagnosis, see if the issue disapears

3

Hi @Aleks

Seems to solve the issue.

But doing so, I now have a diagnosis alert because of modifying a configuration file :smiley: and informing that this file won’t be updated in next updates.

If I have to choose between ignoring the alerts about being blocklisted on Spamhaus or ignoring an alert about a modified configuration file (and having to keep in mind to check the possible diffs between my file and the new versions), i will stay with the former.

Anyway, thanks for your help!

4

The change in /etc/dnsmasq/spamhaus is not just about “getting rid of the diagnosis in the warning”. The postfix configuration uses spamhaus to filter incoming emails that are likely to be spam (based on their domain/IP). If Spamhaus queries are not working properly (the “open resolver” issue), all incoming emails are likely to be rejected as spam.

1 Like
5

My bad, i misunderstood!

Neverless as i don’t use at all incoming mail in any of my apps, still “easier” (less time and mind consuming) for me to keep ignoring spamhaus diagnosis alert than running ‘yunohost tools regen-conf dnsmasq --dry-run --with-dif’ after each YunoHost update to check if there is or not a significant change. And if it is the case to ‘yunohost tools regen-conf dnsmasq --force’ and comment out again ipv6 for spamhaus.

(however i’m grateful for your answers; i am just trying to go for the less impacting choice in my situation).

6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.