Outbound mail to blocked: Spamhaus “open resolver” return code – need help with YunoHost DNS/Rspamd setup

I’ve now updated to 12.1.29 as well. Can I reopen ports 53 and 5353, or should I keep them closed? Can I enable ‘blocklists for incoming traffic’ again, or should I leave it disabled? And what about email with the IPv6 setting — should I turn everything back on? Sorry for my questions, but I had done this beforehand.

I can just tell you that I've decided to keep the incoming mail blocklist deactivated, because I've found a lot of false positives while browsing my own mail.log. I will check the log frequently over the next weeks to identify possible spam impacts.

For your concrete ports: What application uses these?

Leave them closed unless you are at home, using AdGuard Home, and these ports are closed on your router. They are not meant to be publicly open.

Have a good read:

Thank you very much for your contribution; I’ll do that as well. :+1:

THANK YOU, I’ll read it carefully, but ports 53 and 5353 will remain closed. Many thanks for your help.

Hmmm… it seems we still have an issue although we updated YNH to 12.1.29.

Still:

Client host [XXXX] blocked using cbl.abuseat.org; Error: open
resolver;
https://check.spamhaus.org/returnc/pub/2001:19f0:5000:1800:5400:5ff:fe01:2dc5/
(in reply to RCPT TO command)

OK, if I try this:

5.c.d.2.1.0.e.f.f.f.5.0.0.0.4.5.0.0.8.1.0.0.0.5.0.f.9.1.1.0.0.2.ip6.arpa domain name pointer ams1.dns4all.eu.

Hmmm… OK, so there’s an issue with something related to: ams1.dns4all.eu

Let’s check your commit at: diagnosis/email/dnsbl: fix infamous issue with spamhaus returning 'op… · YunoHost/yunohost@396e5d3 · GitHub :
Hmmm… this mentions “Use whatever is in /etc/resolv.conf, which in the nominal case will be dnsmasq which itself uses /ec/resolv.dnsmasq.conf etc.” (should be /etc/resolv.dnsmasq.conf, btw).

So:

# cat /etc/resolv.dnsmasq.conf
nameserver 194.150.168.168
nameserver 2a0c:e300::101
nameserver 89.234.141.66
nameserver 185.233.100.101
nameserver 2a0c:e300::100
nameserver 194.0.5.3
nameserver 2a0c:e300::1337
nameserver 2001:1608:10:25::9249:d69b
nameserver 2a00:5881:8100:1000::3
nameserver 185.233.100.100
nameserver 2001:1608:10:25::1c04:b12f
nameserver 84.200.70.40
nameserver 45.67.81.23
nameserver 2001:678:8::3

Aha :

$ host 2001:678:8::3
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.0.8.7.6.0.1.0.0.2.ip6.arpa domain name pointer resolver.dns4all.eu.

Hmmm… Am I right that there ought to be something else to be done to fix the issue? I don't understand what dnsmasq does here exactly… something standard on a YNH install? The comment above isn't really clear to me.

@Aleks Is the diag script in your commit sufficient, or do we have to perform something more after the update to 12.1.29?

I’ve tried removing entries related to dns4all from the /etc/resolv.dnsmasq.conf file, and got:

--- a/resolv.dnsmasq.conf
+++ b/resolv.dnsmasq.conf
@@ -3,7 +3,6 @@ nameserver 2a0c:e300::101
 nameserver 89.234.141.66
 nameserver 185.233.100.101
 nameserver 2a0c:e300::100
-nameserver 194.0.5.3
 nameserver 2a0c:e300::1337
 nameserver 2001:1608:10:25::9249:d69b
 nameserver 2a00:5881:8100:1000::3
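Review bot: the file edited here, /etc/resolv.dnsmasq.conf, is one that YunoHost's regen-conf generates, so removing `nameserver 194.0.5.3` by hand is exactly what makes the later regen-conf dry run warn that the file "has been manually modified and will not be updated"; if a resolver change is meant to survive a regen, the packaged template under /usr/share/yunohost/conf/dnsmasq/plain/ is the file to edit, keeping the `# DNS4all` comment so the reason for the divergence stays on record.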
@@ -11,4 +10,3 @@ nameserver 185.233.100.100
 nameserver 2001:1608:10:25::1c04:b12f
 nameserver 84.200.70.40
 nameserver 45.67.81.23
-nameserver 2001:678:8::3

and then it seems we no longer have mail issues reported…

But then the /etc/resolv.dnsmasq.conf file is reported as modified in the diagnosis…

But when I try the following, it seems I could regenerate it:

# yunohost tools regen-conf dnsmasq --dry-run --with-diff
Warning: The configuration file '/etc/resolv.dnsmasq.conf' has been manually modified and will not be updated
dnsmasq: 
  applied: 
  pending: 
    /etc/resolv.dnsmasq.conf: 
      diff: @@ -1,12 +1,14 @@
+nameserver 84.200.70.40
+nameserver 89.234.141.66
+nameserver 2001:1608:10:25::1c04:b12f
+nameserver 2a0c:e300::101
+nameserver 2a00:5881:8100:1000::3
 nameserver 194.150.168.168
-nameserver 2a0c:e300::101
-nameserver 89.234.141.66
+nameserver 2001:678:8::3
 nameserver 185.233.100.101
+nameserver 185.233.100.100
+nameserver 45.67.81.23
+nameserver 2a0c:e300::1337
 nameserver 2a0c:e300::100
-nameserver 2a0c:e300::1337
 nameserver 2001:1608:10:25::9249:d69b
-nameserver 2a00:5881:8100:1000::3
-nameserver 185.233.100.100
-nameserver 2001:1608:10:25::1c04:b12f
-nameserver 84.200.70.40
-nameserver 45.67.81.23
+nameserver 194.0.5.3
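Review bot: this regen diff re-adds both DNS4all entries, `+nameserver 2001:678:8::3` as well as `+nameserver 194.0.5.3`; every other +/- pair in the hunk only moves a line that is already present (the template order differs from the current file order), so a forced regen would restore exactly the two resolvers that were removed by hand and nothing else.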
      status: modified

However, in the above, if I don’t see 2001:678:8::3 appearing again, it seems that 194.0.5.3 would be restored (resolver.dns4all.eu)…

Is there anything advisable here?

Maybe the proper way to go would be to remove the DNS4all entries in /usr/share/yunohost/conf/dnsmasq/plain/resolv.dnsmasq.conf:

# diff -Naur /usr/share/yunohost/conf/dnsmasq/plain/resolv.dnsmasq.conf.orig /usr/share/yunohost/conf/dnsmasq/plain/resolv.dnsmasq.conf
--- /usr/share/yunohost/conf/dnsmasq/plain/resolv.dnsmasq.conf.orig	2025-10-20 12:50:12.089230400 +0200
+++ /usr/share/yunohost/conf/dnsmasq/plain/resolv.dnsmasq.conf	2025-10-20 12:50:20.657384672 +0200
@@ -24,6 +24,3 @@
 nameserver 2001:1608:10:25::1c04:b12f
 nameserver 84.200.70.40
 nameserver 2001:1608:10:25::9249:d69b
-# DNS4all
-nameserver 194.0.5.3
-nameserver 2001:678:8::3
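Review bot: dropping the `# DNS4all` comment together with the two addresses leaves nothing in the template recording why these resolvers are missing; more importantly, the rejection in this thread comes from Spamhaus/CBL refusing to answer queries that arrive through this resolver, not from the resolver being broken, so removing it sidesteps the symptom rather than fixing the DNSBL handling (the maintainer's reply in this thread says DNS4all is legitimate and should not be dropped).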

and then run yunohost tools regen-conf dnsmasq -f?

I can only report that since the new YunoHost update I sometimes appear on the spam list and then not again. So the problem doesn’t seem fully resolved. As mentioned, ports 53 and 5353 are closed, IPv6 is off, and the spam list is disabled.

Yeah, as I was saying in another thread, maybe we need to apply the same fix to the abuseat.org CBL that we did for Spamhaus x_x …

No, there isn't anything to do on your side.

Using DNS4all is legit; I don't think we want to just trash them because of the ultra-specific case of Spamhaus and CBL DNSBL refusing to answer via this specific resolver…

Contrary to what I thought initially, I doubt ports 53/5353 or IPv6 are related to this issue. Just do whatever you want about these… though personally I would tend not to open ports 53/5353 unless you make sure they are only exposed on your local network.

Ah, yes, I was mistaken in thinking the complaint was from the same third party, but this isn't Spamhaus, indeed. Good catch.

Thanks for your help

Thanks for the fix… I have upgraded the YunoHost servers and it fixed the same issues…
They abuse.

Yes, that’s right—I was on the list too, but the message went away again. In any case, thank you very much for your efforts. A loyal donor.

Thank you for your valuable tips, and I hope my question didn’t cause you too much work—otherwise, I apologize for that.

I see that post and I have a different solution. I resolved this problem with ChatGPT:

“If you use unbound
sudo nano /etc/unbound/unbound.conf.d/yunohost.conf
interface: 127.0.0.1
sudo systemctl restart unbound

if you use : dnsmasq
sudo nano /etc/dnsmasq.conf
listen-address=127.0.0.1
sudo systemctl restart dnsmasq”

Be careful, I'm a newbie. If I can help… a master or admin can test this and fix the issue.

Hi @Aleks,
or whoever could explain it to me… I'm not sure I fully understand what happened.

On the one hand there is this rejection message received by sender which says Client host [11.11.11.11] blocked using cbl.abuseat.org. So, what I understand here is that our yunohost server is considering client 11.11.11.11 (which is just a sending server connecting to our receiving yunohost server) as an abuser according to cbl.abuseat.org. Is that what the message is saying?

On the other hand, there is your explanation. If I understood correctly, there is a problem with some of the DNS server addresses configured in YunoHost that makes Spamhaus or Abuseat or whoever detect queries from an 'open resolver', so they decide not to answer them. Then, as YunoHost does not get any answer to its DNS queries asking about the spam status of the sending server, YunoHost automatically considers it a possible abuser and rejects the incoming message, reporting this half-truth ("blocked using cbl.abuseat.org"). Is that what you mean? Is that what is happening?

And, by the way, does the update include the fix for cbl.abuseat.org too, or only for Spamhaus?

Thank you!

I upgraded to 12.1.29 but keep having the same problem. I don't receive email and senders get the same rejection message as before :(

554 5.7.1 Service
unavailable; Client host [11.11.11.11] blocked using cbl.abuseat.org;
Error: open resolver;
https://check.spamhaus.org/returnc/pub/20001:...

The situation is not fixed for abuseat; we "just" need a tweak to trigger the same logic as the previous fix…

Also, if I understand correctly, your issue is not about the YunoHost diagnosis results (which is what was fixed, at least for Spamhaus) but rather the reception (?) or sending of email from your server… for which we may need another fix in the Postfix conf, maybe inspired by what somebody mentioned somewhere else to ignore some result codes from Spamhaus/abuseat.
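An added illustration of the mechanism discussed in this thread (my own example, not YunoHost or Postfix code): it builds the reversed-octet or reversed-nibble name a DNSBL lookup queries, the same reversal the host output above shows for ip6.arpa, and then classifies the DNSBL answer so that Spamhaus's documented error codes (127.255.255.254 is the "query via public/open resolver" code behind the returnc/pub URL in the rejection) count as a failed lookup rather than as a listing. The client IP and zone come from the thread; the sample answers are constructed.

```python
# Added example: DNSBL query-name construction and answer classification.
# Not part of YunoHost; the sample answers below are constructed.
import ipaddress

# Spamhaus-documented DNSBL error return codes: an answer in this range means
# the lookup itself failed and says nothing about whether the client is listed.
DNSBL_ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "excessive number of queries",
}
# Genuine listings are answered inside 127.0.0.0/24 (127.0.0.2 ... 127.0.0.11).
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/24")


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Name to look up: reversed dotted octets (IPv4) or reversed hex nibbles
    (IPv6) followed by the DNSBL zone, e.g. 11.11.11.11.cbl.abuseat.org."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:  # exploded form yields all 32 zero-padded hex digits
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def classify_dnsbl_answer(answers):
    """answers: A records returned for the query, [] when NXDOMAIN (not listed).
    Returns (verdict, detail); verdict is clean, error, listed or unexpected."""
    if not answers:
        return ("clean", None)
    for a in answers:
        if a in DNSBL_ERRORS:
            return ("error", DNSBL_ERRORS[a])
    listed = [a for a in answers if ipaddress.ip_address(a) in LISTING_RANGE]
    if listed:
        return ("listed", listed)
    return ("unexpected", answers)


def should_reject(answers) -> bool:
    """Only a genuine listing justifies rejecting the client; a failed lookup
    must fail open, otherwise every sender is bounced as 'blocked using ...'."""
    return classify_dnsbl_answer(answers)[0] == "listed"


if __name__ == "__main__":
    # Constructed sample: the answer a query sent through a refused resolver gets.
    print(dnsbl_query_name("11.11.11.11", "cbl.abuseat.org"))
    print(classify_dnsbl_answer(["127.255.255.254"]), should_reject(["127.255.255.254"]))
```

Postfix can express the same rule with a return-code pattern on reject_rbl_client, for example zen.spamhaus.org=127.0.0.[2..11], so the 127.255.255.x error answers no longer count as a listing.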

As my problem seems to be different, I have created this new thread.
Any suggestion, even if it is just a temporary fix, is greatly appreciated.