Outbound mail to blocked: Spamhaus “open resolver” return code – need help with YunoHost DNS/Rspamd setup

Forget it, it’s solved :blush:

Thank you!

Sorry, what do you think about this suggestion to change the line reject_rbl_client zen.spamhaus.org, to reject_rbl_client zen.spamhaus.org=127.0.0.[2..9], ?

1 Like

I fought for some time with this problem and ended up removing the DNS block lists from the postfix configuration. Since then I reliably get mails and also do not get more spam mails than before.

Edit: should the problem be fixed if I use my own DNS servers?

I was wrong, it is not solved, the problem is still there : (

So, we’re hopeful that version 12.1.30 should more exhaustively address the issues, in particular for incorrectly rejecting incoming emails. The fix mainly revolves around tweaking dnsmasq’s configuration to route spamhaus queries directly to spamhaus servers (instead of via an open resolver) - in particular this should also apply to queries from postfix and not just the diagnosis.

Selection of the relevant commits from 12.1.30:

  • in DNSmasq conf, route queries about spamhaus to spamhaus’s own nameservers to avoid ‘open resolver’ errors (b45b9d4f4)
  • remove reject_rbl_client abuseat.org from postfix conf because it’s in fact spamhaus.org since a few years (42f0b91bf)
  • revert prefix prefix fix for diagnosis for spamhaus, which is obsolete now that dns queries for spamhaus are now routed at dnsmasq level (51c468735)
  • remove abuseat.org for DNSbl to check in diagnosis, because it is in fact spamhaus.org since a few years (6af034820)
  • when obtaining an ‘open resolver’ reason, advise admins to check their /etc/resolv.conf (#2201)
2 Likes

That particular fix has just been reverted in 12.1.31 while we investigate dnsmasq crashing due to it.

1 Like

Good morning, I installed the new Yunohost 12.1.31 update and ended up on the spam list again. Until now everything had been quiet. When I run the diagnosis in Yunohost, I get this suggestion — do I have to do that?

Deine IP-Adresse oder Domäne 65........ ist auf der Blacklist auf Spamhaus ZEN

  • It looks like the reason mentions ‘open resolver’.
    This usually means your server is not using its local DNS, but a public, open, one.
    Check the contents of /etc/resolv.conf, it should contain nameserver 127.0.0.1.
    Since this file is usually automatically generated, do not edit it manually. Check your DHCP settings, or your VPN settings if you are using one, or if you used a Debian image made by, for example, a VPS provider, look for a cloudinit configuration.
    You are most welcome on the YunoHost support channels to get help on this issue.
    The verbatim blacklist reason is: “Error: open resolver; https://check.spamhaus.org/returnc/pub/2001:19f0:5000:1800:5400:5ff:fe01:2dc5/
  • Nachdem Sie herausgefunden haben, weshalb Sie auf die Blacklist gesetzt wurden und dies behoben haben, zögern Sie nicht, nachzufragen, ob Ihre IP oder Ihre Domäne von ZEN Blocklist | Combined IP DNSBLs for effective email filtering entfernt werden kann

AFAIU, @AT69, this is related to the reversion of the last fix in 12.1.31, mentioned just above.

You may try to apply the workaround I mentioned in: Outbound mail to blocked: Spamhaus “open resolver” return code – need help with YunoHost DNS/Rspamd setup - #29 by oberger
change /usr/share/yunohost/conf/dnsmasq/plain/resolv.dnsmasq.conf to get rid of DNS4All, regen the config, and maybe also restart dnsmasq (systemctl restart dnsmasq), and check the diagnosis, which should then be green again… until a proper fix is published.

Here it seems to be fine.

Hope this doesn’t harm and add more side effects than it solves :wink:

Great to hear about the work on tweaking dnsmasq.

IMHO tweaking the postfix configuration as follows would still be a good idea, independently of dnsmasq changes:

-reject_rbl_client zen.spamhaus.org
+reject_rbl_client zen.spamhaus.org=127.0.0.[2..9]
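
Review bot: the '+' line gives no reason for stopping the range at 9, so a later edit could widen or drop the filter without noticing what it changes; put a comment next to it in the postfix conf naming the replies that are left out on purpose (the follow-up in this thread names PBL, 10-11, and the 'open resolver' reply). Also check the separator: the same line is quoted earlier in the thread with a trailing comma, which neither side of this hunk has.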

The responses mentioned above are documented by SpamHaus. I’m not allowed to post links here yet, so you’ll have to search the SpamHaus FAQ. Search “what do the 127 return codes mean in dnsbls”

Cheers

The suggested tweak above ensures that Postfix ignores PBL responses (10-11). Ranges are added to the PBL merely because they are residential addresses, and it blocks them assuming people don’t host their home mail server. I think that’s in direct opposition to the spirit of YunoHost.

This also ignores “Open Resolver” responses (254), which indicates an issue with SpamHaus/dnsmasq, not an issue with the sender’s IP address. Postfix should never ban senders if SpamHaus replies 127.0.0.254.

2 Likes
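
What the two forms of the rule do with different ZEN replies, as an added example that is not part of any post in this thread: a small Python model of Postfix's documented =d.d.d.d reply filter (numbers, or ;-separated numbers and lo..hi ranges inside []), compared with the bare form, which fires on any A record. The sample replies are constructed; 127.255.255.254 is the error code Spamhaus documents for queries arriving via a public/open resolver.

```python
import re

def parse_filter(pattern):
    """Turn a Postfix 'd.d.d.d' reply filter into four sets of allowed octets."""
    fields = re.findall(r"\[[^\]]*\]|\d+", pattern)
    if len(fields) != 4 or ".".join(fields) != pattern:
        raise ValueError(f"not a d.d.d.d pattern: {pattern!r}")
    allowed = []
    for field in fields:
        values = set()
        # Inside [] Postfix accepts ';'-separated numbers or lo..hi ranges.
        for part in field.strip("[]").split(";"):
            lo, _, hi = part.partition("..")
            lo, hi = int(lo), int(hi or lo)
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range: {part!r}")
            values.update(range(lo, hi + 1))
        allowed.append(values)
    return allowed

def rejects(rule_arg, a_records):
    """True if reject_rbl_client <rule_arg> would fire on these A records."""
    _domain, has_filter, pattern = rule_arg.partition("=")
    if not a_records:          # NXDOMAIN: client is not listed
        return False
    if not has_filter:         # bare form: any A record counts as a listing
        return True
    allowed = parse_filter(pattern)
    return any(
        all(int(octet) in ok for octet, ok in zip(addr.split("."), allowed))
        for addr in a_records
    )

# Constructed sample replies, not captured from a real server.
SAMPLES = {
    "not listed": [],
    "127.0.0.2": ["127.0.0.2"],
    "PBL (10-11 per the thread)": ["127.0.0.10"],
    "listed twice": ["127.0.0.3", "127.0.0.11"],
    "open resolver error code": ["127.255.255.254"],
}

def compare(bare="zen.spamhaus.org", filtered="zen.spamhaus.org=127.0.0.[2..9]"):
    """Map each sample label to (bare rule rejects?, filtered rule rejects?)."""
    return {k: (rejects(bare, v), rejects(filtered, v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for label, (bare, filtered) in compare().items():
        print(f"{label:28} bare={bare!s:5} filtered={filtered}")
```

With the bare rule, the error reply is treated as a listing and every client is rejected; with the filter, only replies in 127.0.0.2 to 127.0.0.9 count.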

So hopefully version 12.1.32 should address the issue, and hopefully this time is the right way to address this…

6 Likes

Thank you very much. I installed the new version 12.1.32 and, lo and behold, the spam warning disappeared immediately. If all goes well, I won’t post in this thread again. :grinning_face: THANK YOU! :+1: :grin:

1 Like

After the update to YunoHost 12.1.32 (stable), the diagnosis says that I have a problem with Spamhaus ZEN.

Which problem?

Have you tried doing a regen-conf for postfix?

yunohost tools regen-conf postfix -n -d

Your IP or domain IPv4 is blacklisted on Spamhaus ZEN

Your IP or domain IPv6 is blacklisted on Spamhaus ZEN

It looks like the reason mentions ‘open resolver’.
This usually means your server is not using its local DNS, but a public, open, one.
Check the contents of /etc/resolv.conf, it should contain nameserver 127.0.0.1.

Yes, but that doesn’t solve the problem.

I used this command:

tail -f /var/log/mail.log
And
lsof -i :25

Did a test with mail-tester.com and here is the result:

Now the problem is solved, it’s hard to understand :thinking: :exclamation_question_mark:

1 Like

it’s because it was a dry run

can you provide the logs of this command: yunohost tools regen-conf --with-diff --dry-run please ?

1 Like

It doesn’t do anything, but I have this problem that appears now… I don’t understand anything anymore :thinking:

The logs of the command, please