Outbound mail to blocked: Spamhaus “open resolver” return code – need help with YunoHost DNS/Rspamd setup

Support
63
yunohost tools regen-conf --with-diff --dry-run 
nginx: 
  applied: 
  pending: 
    /etc/nginx/conf.d/sandbox.cryptpad.domaine.tld.conf: 
      diff: @@ -1,75 +0,0 @@
-# Note this is a mostly a copy of https://github.com/YunoHost/yunohost/blob/dev/conf/nginx/server.tpl.conf
-# But with some cleanup of all not necessary things
-
-server {
-    listen 80;
-    listen [::]:80;
-    server_name sandbox.cryptpad.domaine.tld;
-
-    include /etc/nginx/conf.d/acme-challenge.conf.inc;
-
-    location ^~ '/.well-known/ynh-diagnosis/' {
-        alias /var/www/.well-known/ynh-diagnosis/;
-    }
-
-    # Note that this != "False" is meant to be failure-safe, in the case the redrect_to_https would happen to contain empty string or whatever value. We absolutely don't want to disable the HTTPS redirect *except* when it's explicitly being asked to be disabled. #}
-    location / {
-        return 301 https://$host$request_uri;
-    }
-
-    include /etc/nginx/conf.d/yunohost_http_errors.conf.inc;
-
-    access_log /var/log/nginx/cryptpad.domaine.tld-access.log;
-    error_log /var/log/nginx/cryptpad.domaine.tld-error.log;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name sandbox.cryptpad.domaine.tld;
-
-    include /etc/nginx/conf.d/security.conf.inc;
-
-    ssl_certificate /etc/yunohost/certs/cryptpad.domaine.tld/crt.pem;
-    ssl_certificate_key /etc/yunohost/certs/cryptpad.domaine.tld/key.pem;
-
-    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
-
-    include /etc/nginx/conf.d/cryptpad-shared.conf.inc;
-
-    # We consider that the CA is letsencrypt but yes it could be not allways the case
-    # This should be improved mybe at some point if this is a problem in some cases
-
-    # OCSP settings
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_trusted_certificate /etc/yunohost/certs/cryptpad.domaine.tld/crt.pem;
-    resolver 1.1.1.1 9.9.9.9 valid=300s;
-    resolver_timeout 5s;
-
-    access_log /var/log/nginx/cryptpad.domaine.tld-access.log;
-    error_log /var/log/nginx/cryptpad.domaine.tld-error.log;
-
-    location / {
-        proxy_pass            http://localhost:3000;
-        proxy_set_header      X-Real-IP $remote_addr;
-        proxy_set_header      Host $host;
-        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
-        client_max_body_size  150m;
-
-        proxy_http_version    1.1;
-        proxy_set_header      Upgrade $http_upgrade;
-        proxy_set_header      Connection upgrade;
-    }
-
-    location ^~ /cryptpad_websocket {
-        proxy_pass            http://localhost:3003;
-        proxy_set_header      X-Real-IP $remote_addr;
-        proxy_set_header      Host $host;
-        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
-
-        proxy_http_version    1.1;
-        proxy_set_header      Upgrade $http_upgrade;
-        proxy_set_header      Connection upgrade;
-    }
-}
      status: unmanaged
Error: open resolver