So, we’re hopeful that version 12.1.30 should more exhaustively address the issues, in particular for incorrectly rejecting incoming emails. The fix mainly revolves around tweaking dnsmasq’s configuration to route spamhaus queries directly to spamhaus servers (instead of via an open resolver) - in particular this should also apply to queries from postfix and not just the diagnosis.
Selection of the relevant commits from 12.1.30:
- in DNSmasq conf, route queries about spamhaus to spamhaus’s own nameservers to avoid ‘open resolver’ errors (b45b9d4f4)
- remove reject_rbl_client
abuseat.orgfrom postfix conf because it’s in factspamshaus.orgsince a few years (42f0b91bf) - revert prefix prefix fix for diagnosis for spamhaus, which is obsolete now that dns queries for spamhaus are now route at dnsmasq level (51c468735)
- remove
abuseat.orgfor DNSbl to check in diagnosis, because it is in factspamhaus.orgsince a few years (6af034820) - when obtaining an ‘open resolver’ reason, advise admins to check their /etc/resolv.conf (#2201)