Error: open resolver

What type of hardware are you using: Virtual machine
What YunoHost version are you running: 12.1.28
How are you able to access your server: The webadmin

Describe your issue

Hello,

Like the colleague in this topic, Outbound mail to blocked: Spamhaus “open resolver” return code – need help with YunoHost DNS/Rspamd setup - #8 by AT69, I also have a problem with this "Error: open resolver".
Yesterday morning I received the YunoHost diagnosis email reporting an error:

=================================
Email (mail)

[ERROR] Your IP or domain XX.XX.XX.XX is blacklisted on Spamhaus ZEN

The same email arrived yesterday evening but, strangely, nothing this morning (yet it is still present in the diagnosis).
Unlike the topic cited, I have not enabled YunoHost's antispam; on the other hand, I have no problem sending or receiving emails (tested from and to my Hotmail and work (Microsoft) accounts).
I also checked and I am blacklisted on https://rbldns.ru. Port 53 of YunoHost was open (I have just closed it), but this port is not routed to the outside (Yuno is behind an Opnsense router in the DMZ on the Freebox).
A friend has exactly the same problem.
Any idea why I am getting this message?

Share relevant logs or error messages

The automatic diagnosis on your YunoHost server identified some issues on your server. You will find a description of the issues below. You can manage those issues in the ‘Diagnosis’ section in your webadmin.


=================================
Email (mail)

[ERROR] Your IP or domain XX.XX.XX.XX is blacklisted on Spamhaus ZEN

Why has my email not been delivered?

  • The problem is with the recipient’s email server configuration.
  • This is not due to an issue with your email set-up.
  • It is not because you are listed on one of our blocklists.

Been looking into this the other day, my understanding now is that it’s because we have DNS4all listed in the DNS resolvers, and spamhaus doesn’t answer requests made via some “open resolvers”, hence the message.

Will try to work on a fix but in the meantime there is actually no issue with your email setup, it’s not even blocklisted despite what the message tries to imply.

Yes, I did follow that link and read the same thing, so it would be a problem with the “mail test” of YunoHost's diagnosis? An update to come?

Edit: I have just re-run a YunoHost diagnosis, no more problem with email, and I have just checked on https://multirbl.valli.org and I am no longer blacklisted…

The issue should be reliably fixed in 12.1.29

1 Like

Well, I thought it was fixed, but no…

=================================
Email (mail)

[ERROR] Your IP or domain XX.XX.XX.XX is blocklisted on Composite Blocking List

Hmpf yeah maybe we need to apply the same fix to abuseat.org CBL that we did for spamhaus

2 Likes

I also have a few problems with abuseat on different servers… I hope there is a solution… For now I am thinking about commenting out the line reject_rbl_client cbl.abuseat.org, temporarily…

I am also a bit desperate… Would that fix it temporarily?

How do I do that?
Where is that line?

I guess the risks are just that spam can enter, am I right?
I guess we can perfectly afford that little risk, especially when compared to receive no mail.

You also have in the admin webui a function to comment out all the lines, in Parameters Yunohost => AntiSpam; it will comment out the lines concerned in /etc/postfix/main.cf

Or you can comment just reject_rbl_client cbl.abuseat.org like this #reject_rbl_client cbl.abuseat.org in the file /etc/postfix/main.cf

In the admin webui you can go here

and choose No on the AntiSpam button

It will comment the 3 lines

#    reject_rbl_client bl.spamcop.net,
#    reject_rbl_client cbl.abuseat.org,
#    reject_rbl_client zen.spamhaus.org

Edited it and reloaded the service.
I hope it works.
I’ll put it back as it was once there is an update available with the fix.

Thank you!

Someone has just told me zhe got a “blocked using zen.spamhaus.org”, so I have also commented out that line.

I have been getting rejections of legitimate emails since the last YunoHost update, with cbl.abuseat.org. I had come by here, but I had understood that it was only the diagnosis that caused this.
It also happens to me for some legitimate emails, which is rather annoying (randomly, apparently). Is it indeed related, and will I be able to re-enable the option in the webadmin once the fix is published?

So, we’re hopeful that version 12.1.30 should more exhaustively address the issues, in particular for incorrectly rejecting incoming emails. The fix mainly revolves around tweaking dnsmasq’s configuration to route spamhaus queries directly to spamhaus servers (instead of via an open resolver) - in particular this should also apply to queries from postfix and not just the diagnosis.

Selection of the relevant commits from 12.1.30:

  • in DNSmasq conf, route queries about spamhaus to spamhaus’s own nameservers to avoid ‘open resolver’ errors (b45b9d4f4)
  • remove reject_rbl_client abuseat.org from postfix conf because it’s in fact spamshaus.org since a few years (42f0b91bf)
  • revert prefix prefix fix for diagnosis for spamhaus, which is obsolete now that dns queries for spamhaus are now route at dnsmasq level (51c468735)
  • remove abuseat.org for DNSbl to check in diagnosis, because it is in fact spamhaus.org since a few years (6af034820)
  • when obtaining an ‘open resolver’ reason, advise admins to check their /etc/resolv.conf (#2201)
6 Likes

Hello, I have an up-to-date YNH and still got these errors :

I checked resolv.conf and it contains only nameserver 127.0.0.1

I regenerated and checked the postfix and dnsmasq config, everything is as default, I have no manually modified config files.

I need help to find what is causing the issue here.

Close ports 53 and 5353 then wait :roll_eyes:

Hello, the ports are already closed.

Hello, I again have some problems with openresolver, this time with a YunoHost 12.1.33.

Someone advised me that some messages were not delivered because zenspamhaus has problems with openresolver…

Asking on chat support, I have tried

cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.

nameserver 127.0.0.1

cat /var/spool/postfix/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.

nameserver 127.0.0.1


dig +short 23.129.209.213.zen.spamhaus.org
127.0.0.2
127.0.0.9

All normal, so I have tried, as someone explained, to edit /usr/share/yunohost/conf/dnsmasq/plain/resolv.dnsmasq.conf to comment out the DNS4all IPs resolver and do a yunohost tools regen-conf dnsmasq -f. The message could arrive without error this time.

But later I found this diagnosis

[ERROR] Your IP or domain XXX.XXX.XXX.XXX is blocklisted on Spamhaus ZEN
  - It looks like the reason mentions 'open resolver'.This usually means your server is not using its local DNS, but a public, open, one. Check the contents of /etc/resolv.conf, it should contain nameserver 127.0.0.1.Since this file is usually automatically generated, do not edit it manually. Check your DHCP settings, or your VPN settings if you are using one, or if you used a Debian image made by, for example, a VPS provider, look for a cloudinit configuration. You are most welcome on the YunoHost support channels to get help on this issue. The verbatim blacklist reason is: "Error: open resolver; https://check.spamhaus.org/returnc/pub/2001:xxx:x:xxx::1/"
  - After identifying why you are listed and fixing it, feel free to ask for your IP or domain to be removed on https://www.spamhaus.org/zen/

[ERROR] Your IP or domain 2001:xxx:x:xxx::1 is blocklisted on Spamhaus ZEN
  - It looks like the reason mentions 'open resolver'.This usually means your server is not using its local DNS, but a public, open, one. Check the contents of /etc/resolv.conf, it should contain nameserver 127.0.0.1.Since this file is usually automatically generated, do not edit it manually. Check your DHCP settings, or your VPN settings if you are using one, or if you used a Debian image made by, for example, a VPS provider, look for a cloudinit configuration. You are most welcome on the YunoHost support channels to get help on this issue. The verbatim blacklist reason is: "Error: open resolver; https://check.spamhaus.org/returnc/pub/2001:xxx:x:xxx::1/"
  - After identifying why you are listed and fixing it, feel free to ask for your IP or domain to be removed on https://www.spamhaus.org/zen/

And surprise!! This time the dig command returns something different!!

dig +short 23.129.209.213.zen.spamhaus.org
127.255.255.254

I don’t really understand what’s happening !!

I found also as in another discussion I have something similar using cryptpad…

Perhaps stupid and nothing relevant, but the file needed for the sandbox in cryptpad uses these lines (and also in the cryptpad domain nginx), but perhaps it has nothing to do with this…

-    # OCSP settings
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate /etc/yunohost/certs/cryptpad.domaine.tld/crt.pem;
-    resolver 1.1.1.1 9.9.9.9 valid=300s;
-    resolver_timeout 5s;

Well, why is it so complicated!!

Well, after trying to debug, I could fix (temporarily?) the issue… As explained below, something is strange:

dnsmasq ~randomly picks a resolver in resolver pool, sometimes it picks DNS4all, sometimes it picks another one…

the question is why is it picking a resolver in the resolver pool despite that we explicitly define the resolver to use for spamhaus queries in /etc/dnsmasq.d/spamhaus
and we even see explicitly in the journalctl logs

Nov 02 16:19:59 dnsmasq[2192463]: using nameserver 2a00:12a8:8000::fff0:3#53 for domain *.zen.spamhaus.org
Nov 02 16:19:59 dnsmasq[2192463]: using nameserver 2a05:9404::e0#53 for domain *.zen.spamhaus.org
Nov 02 16:19:59 dnsmasq[2192463]: using nameserver 2a05:f480:2000:1246:9998:cf46:6cf8:1e7a#53 for domain *.zen.spamhaus.org
Nov 02 16:19:59 dnsmasq[2192463]: using nameserver 70.34.211.66#53 for domain *.zen.spamhaus.org
Nov 02 16:19:59 dnsmasq[2192463]: using nameserver 82.118.21.219#53 for domain *.zen.spamhaus.org

I have tried commenting or uncommenting the DNS4all in the file /usr/share/yunohost/conf/dnsmasq/plain/resolv.dnsmasq.conf and yunohost tools regen-conf dnsmasq -f

After a long time it comes back to have a correct value with dig

 dig +short 23.129.209.213.zen.spamhaus.org
127.0.0.2
127.0.0.9

dig +short 23.129.209.213.zen.spamhaus.org @127.0.0.1
127.0.0.2
127.0.0.9

and the diagnosis also come back with no errors… :slightly_smiling_face:

I have kept the values commented for DNS4all, but it is not really normal; tomorrow Spamhaus could decide to reject another public resolver, even though it should use the file /etc/dnsmasq.d/spamhaus for its queries

1 Like
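
The two different dig answers reported in this thread (127.0.0.2 and 127.0.0.9 on one run, 127.255.255.254 on another) are different kinds of reply: Spamhaus uses the 127.255.255.x range for query errors, not for listings. The sketch below is an added example, not part of any post above and not YunoHost code; the function names are hypothetical, and the code meanings are the ones Spamhaus publishes for ZEN.

```shell
#!/bin/sh
# Added example: tell a real ZEN listing apart from a resolver error.

# classify_zen_code ADDRESS: print what one returned A record means.
classify_zen_code() {
    case "$1" in
        127.255.255.252) echo "error:typo-in-dnsbl-name" ;;
        127.255.255.254) echo "error:open-resolver" ;;
        127.255.255.255) echo "error:excessive-queries" ;;
        127.0.0.2|127.0.0.3|127.0.0.9) echo "listed:SBL" ;;
        127.0.0.[4-7]) echo "listed:XBL" ;;
        127.0.0.10|127.0.0.11) echo "listed:PBL" ;;
        *) echo "unknown" ;;
    esac
}

# zen_verdict ANSWERS: ANSWERS is the output of `dig +short`, one address
# per line. An error code means the reply says nothing about the queried
# IP, so it takes precedence over any listing code.
zen_verdict() {
    verdict="not-listed"
    for addr in $1; do
        case "$(classify_zen_code "$addr")" in
            error:*) echo "resolver-problem"; return 0 ;;
            listed:*) verdict="listed" ;;
        esac
    done
    echo "$verdict"
}

# probe_zen REVERSED_IP [RESOLVER] [TRIES]: repeat the lookup, because the
# thread reports answers changing from one run to the next.
# Assumption: dig is installed and RESOLVER defaults to the local dnsmasq.
probe_zen() {
    resolver="${2:-127.0.0.1}"
    tries="${3:-5}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        zen_verdict "$(dig +short "$1.zen.spamhaus.org" "@$resolver")"
        i=$((i + 1))
    done
}
```

Running probe_zen with the reversed IP from the thread, for example probe_zen 23.129.209.213, prints one verdict per attempt; a mix of listed and resolver-problem lines shows that some queries are still leaving through a public resolver.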