Outbound mail to blocked: Spamhaus “open resolver” return code – need help with YunoHost DNS/Rspamd setup

What type of hardware are you using: VPS bought online
What YunoHost version are you running: YunoHost 12.1.28
How are you able to access your server: SSH
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: no

Describe your issue

Outbound mail to blocked: Spamhaus “open resolver” return code – need help with YunoHost DNS/Rspamd setup

Share relevant logs or error messages

Hi everyone,

my outgoing emails to server.de are being rejected. The bounce says:

“554 5.7.1 Service unavailable; Client host [52.103.57.11] blocked using cbl.abuseat.org; Error: open resolver; https://check.spamhaus.org/returnc/pub/2001:19f0:5000:1800:5400:5ff:fe01:2dc5/”

Spamhaus explains this is not my sender being listed, but that the recipient’s server is querying Spamhaus via public/open DNS resolvers, which triggers a special error code. However, my messages still get blocked at their side.

1 Like

Hi @AT69

Is this Client host address the one of your YunoHost?
Check it at https://multirbl.valli.org to see if it is blacklisted.

Regards

Do you have ports 53 or 5353 open? These are DNS server ports; if they are open, it means anyone on the internet can use them. Close them.

I have been encountering the same problem since yesterday.
A lot of people forwarded me the open resolver error message when they tried to send an e-mail to me.

<ME@myserver.de>: host myserver.de[45.xxx.xxx.xxx] said: 554 5.7.1 Service
   unavailable; Client host [145.xxx.xxx.xxx  //=server of sender] blocked using cbl.abuseat.org;
   Error: open resolver;
   https://check.spamhaus.org/returnc/pub/2001:19f0:5000:1800:5400:5ff:fe01:2dc5/
   (in reply to RCPT TO command)

According to the following query on my yunohost server, I should have the problem?

ME@myserver:/etc$ dig +short test.openresolver.com TXT @127.0.0.1
"open-resolver-detected"

Can I close the open resolver via yunohost admin settings?

No, it is not listed.

Yes, according to the firewall, UDP 53 and 5353 are open.

You may have to temporarily disable “Enable blocklists for incoming traffic” in the webadmin > Tools > YunoHost settings > Email
It will take time for the rejection to be removed

I did that, thank you. I closed ports 53 and 5353 and disabled the blocklists. If the message goes away, can I re-enable the blocklists?


It’s just strange: when I enter my IP on Spamhaus, it shows no positive result.

Hey I’m just having the same issue here.
Messages from my backup disk provider (rsync.net) are rejected.

----- The following addresses had permanent fatal errors -----
my@email.domain
(reason: 554 5.7.1 Service unavailable; Client host [IPV6ADDRESS blocked using cbl.abuseat.org; Error: open resolver; https://check.spamhaus.org/returnc/pub/2001:19f0:5000:1800:5400:5ff:fe01:2dc5/)

I’m trying to whitelist rsync.net by

  • Installing rspamd web interface
  • Checking if the message was rejected => However it was not there. Seems like it didn’t reach even rspamd
  • I updated the /var/lib/rspamd/surbl-whitelist.inc.local with rsync.net hoping it will whitelist the domain.
  • Asked rsync to send me an email again.

I’ll keep you posted if the whitelisting has worked or not.

It’s probably the IPv6 that has issues.
You can disable IPv6 for emails in the webadmin (IPv6 is a headache).

1 Like

Thanks, I did too. I only have pure IPv4 and no IPv6. The server has been running for two years, never had a problem with it.

I just removed the support of IPv6 for emails as well.
Nice to have a web config for that 👍

Let’s see if rsync team can email me now.

Thanks for the help!

The issue should be reliably fixed in 12.1.29

3 Likes

Hello,
I’m getting the same error on my side.
If we disable IPv6 for emails, wouldn’t there be a risk of delivery issues if a sender is using IPv6?

… Just upgrade to 12.1.29

3 Likes

Care to explain what was the cause of the issue and how it’s fixed?

Sure, that was so much .. urrgh .. “fun”

Spamhaus doesn’t like “public DNS resolvers” (for context: in the context of mail blocklists, DNS queries are used to query the various blocklists to know if an IP/domain is listed as a malicious or bad-reputation actor – and the easiest way to perform a DNS query is to just use a public DNS resolver, just like when you’re browsing the web or whatever).

Their website explains:

public recursive name servers act as an anonymizing service and enable large-scale users to hide behind them. Given the lack of transparency and inability to identify those who are abusing the free service, a difficult decision was made to add some public domain name servers to our access control list… ultimately blocking your query.

Hence why YunoHost was sometimes getting this “open resolver” as an answer to the queries … which doesn’t mean that your server is listed as a malicious or bad-reputation actor, just that Spamhaus refused to answer the query to know whether or not it is.

However, it didn’t happen all the time, because YunoHost uses a pool of .. public DNS resolvers, some are being refused by Spamhaus, some others aren’t. In particular, the only one that Spamhaus refuses to answer to is DNS4all, which we added a few months ago.

The right fix is to not use any public resolver at all to query spamhaus, but poke directly on Spamhaus NS servers, which are listed for example here.

You can see the implementation in this commit

8 Likes
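
The distinction explained in the post above, as an added example that is not part of the original thread or of YunoHost's code: it builds the name a mail server resolves for a blocklist check and separates real listings from Spamhaus's error return codes. Function names and sample addresses are illustrative, and the listing range is an assumption noted in the code.

```python
import ipaddress

# Spamhaus error return codes: these are not listings.
# 127.255.255.254 is the "open resolver" case from this thread.
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL zone name",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "excessive number of queries",
}
# Assumption: genuine listings of an IP zone fall inside 127.0.0.0/24.
LISTING_NET = ipaddress.ip_network("127.0.0.0/24")


def dnsbl_qname(ip, zone):
    """Name a mail server resolves to ask `zone` about `ip`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # reversed octets
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # reversed nibbles
    return ".".join(labels) + "." + zone


def classify(answers):
    """Turn the A records of a DNSBL reply into (verdict, detail)."""
    if not answers:
        return ("not_listed", "no A record (NXDOMAIN)")
    for a in answers:
        if a in ERROR_CODES:
            return ("resolver_error", ERROR_CODES[a])
    listed = [a for a in answers if ipaddress.ip_address(a) in LISTING_NET]
    if listed:
        return ("listed", ",".join(listed))
    return ("unknown", ",".join(answers))


def should_reject(answers):
    """Reject only on a real listing; an error code says nothing about the client."""
    return classify(answers)[0] == "listed"


if __name__ == "__main__":
    # Constructed replies; 192.0.2.10 is a documentation address.
    print(dnsbl_qname("192.0.2.10", "cbl.abuseat.org"))
    for reply in ([], ["127.0.0.2"], ["127.255.255.254"]):
        print(reply, classify(reply), should_reject(reply))
```

A server that treats any A record as a listing rejects mail on `127.255.255.254`, which produces bounces like the ones quoted in this thread.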

I re-enabled IPv6 support and switched to 12.1.29 now.
Thanks for the quick update ! You guys are the best !

Regards,

One last question: If something like this happens again, will I find traces in the mail.log?

If I’m right: No, because a rejected mail like this will never arrive on my server?
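
A triage sketch for the rejection text quoted throughout this thread, as an added example that is not part of any post: it scans lines for blocklist rejections and separates “open resolver” errors from real listings. The sample lines are constructed in Postfix's log style with documentation addresses, and the direction labels are this example's own.

```python
import re

# Rejection text as quoted in the bounces in this thread.
REJECT_RE = re.compile(
    r"Client host \[(?P<client>[^\]]+)\] blocked using (?P<zone>[\w.-]+);"
    r"\s*(?P<reason>[^;]*)"
)

# Constructed sample lines, not real logs.
SAMPLE_LINES = [
    "Oct 18 13:30:01 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host "
    "[192.0.2.10] blocked using cbl.abuseat.org; Error: open resolver; "
    "https://check.spamhaus.org/returnc/pub/RESOLVER-IP/; "
    "from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<mx.example.org>",
    "Oct 18 13:30:09 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.77]: 554 5.7.1 Service unavailable; Client host "
    "[203.0.113.77] blocked using cbl.abuseat.org; Blocked - see "
    "https://example.invalid/lookup; from=<x@example.com> to=<b@example.net>",
    "Oct 18 13:31:07 mail postfix/smtp[2345]: 4A1B2C3D4E: to=<u@example.com>, "
    "relay=mx.example.com[198.51.100.7]:25, dsn=5.7.1, status=bounced (host "
    "mx.example.com[198.51.100.7] said: 554 5.7.1 Service unavailable; Client "
    "host [192.0.2.10] blocked using cbl.abuseat.org; Error: open resolver; "
    "https://check.spamhaus.org/returnc/pub/RESOLVER-IP/ (in reply to RCPT TO command))",
    "Oct 18 13:32:00 mail postfix/smtp[2345]: 5B2C3D4E5F: to=<v@example.com>, "
    "relay=mx.example.com[198.51.100.7]:25, dsn=2.0.0, status=sent (250 OK)",
]


def triage(lines):
    """Return one record per blocklist rejection found in `lines`."""
    records = []
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue  # not a blocklist rejection
        if "NOQUEUE: reject" in line:
            direction = "rejected_here"       # this server refused inbound mail
        elif "status=bounced" in line:
            direction = "rejected_by_remote"  # remote refused our outbound mail
        else:
            direction = "unknown"             # e.g. raw bounce text
        # "open resolver" means the blocklist refused the query, not a listing.
        kind = "resolver_error" if "open resolver" in m["reason"].lower() else "listing"
        records.append({"direction": direction, "client": m["client"],
                        "zone": m["zone"], "kind": kind})
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES):
        print(rec)
```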