YunoHost really doesn’t like manual editing of configuration files, and strongly recommend using the admin interface to tweak settings.
I’d be nice to have more fine-grained control for DNSBL in YunoHost, or a way to tweak/override postfix’s configuration without breaking automatic config generation.
Is this the right place to discuss this? Or should this be raised in a bugtracker?
Replying to myself: it’s possible via a hook but requires some scripting. See configuration on “hooks” within YunoHost’s doc. In particular the hook “conf_regen”.
The forum won’t let me post the direct link to the doc because I’m a new user.
So, we’re hopeful that version 12.1.30 should more exhaustively address the issues, in particular for incorrectly rejecting incoming emails. The fix mainly revolves around tweaking dnsmasq’s configuration to route spamhaus queries directly to spamhaus servers (instead of via an open resolver) - in particular this should also apply to queries from postfix and not just the diagnosis.
Selection of the relevant commits from 12.1.30:
in DNSmasq conf, route queries about spamhaus to spamhaus’s own nameservers to avoid ‘open resolver’ errors (b45b9d4f4)
remove reject_rbl_client abuseat.org from postfix conf because it’s in fact spamshaus.org since a few years (42f0b91bf)
revert prefix prefix fix for diagnosis for spamhaus, which is obsolete now that dns queries for spamhaus are now route at dnsmasq level (51c468735)
remove abuseat.org for DNSbl to check in diagnosis, because it is in fact spamhaus.org since a few years (6af034820)
when obtaining an ‘open resolver’ reason, advise admins to check their /etc/resolv.conf (#2201)
This should be the accepted answer!
it addresses the very problem of the “open resolver” error.
Kudos to @rodinux for also proposing a hook to avoid directly modify postfix’s config files
It hides the problem under a rug and, if queries always return the “open resolver” code, it’s effectively just disabling this antispam strategy entirely…
fair enough, but none of the other suggestions nor changes in recent minor releases work for the majority of users in the multiple open threads on the topic. so what should we do?
As far as I know, the problem was solved for the majority of users in recent minors. The remaining cases are typically people on OVH VPS with IPv6, which Spamhaus also doesnt want to answer DNS queries from, and it’s been discussed in corresponding threads. The other cases remain unknown and should be investigated. But clearly when you have a problem like “I lost the keys for my door”, the proper solution is not “remove the door”…
it’s a matter of priorities, especially when neither the problem nor the solution seem to be very clear as of now. am sure you can appreciate that most people self-hosting emails would rather get a few hypothetical extra spams that see a single important email bounce randomly…
The solution is a) upgrade to the latest version ; b) if you are on an OVH VPS, comment-out the IPv6 lines in /etc/dnsmasq/spamhaus and restart dnsmasq ; c) if this still doesn’t work, we need to further dig the issue to understand what’s up.
If people just blindly apply a workaround instead of investigating, then the root cause of the issue never gets fixed.
With only this configuration and leaving spamhaus’s setting in postfix as default, an email bounces with the following open resolver error in /var/log/mail.log:
2025-12-18T13:07:38.591394+00:00 redacted_servername postfix/smtpd[2084268]: NOQUEUE: reject: RCPT from ``o4.ptr6272.saymine.io``[168.245.7.145]: 554 5.7.1 Service unavailable; Client host [168.245.7.145] blocked using ``zen.spamhaus.org``; Error: open resolver; ``https://check.spamhaus.org/returnc/pub/2001:IPV6/``; from=<bounces+19032465-6192-email+filter=redacted.xyz@em7583.sender.com> to=<email+filter@redacted.xyz> proto=ESMTP helo=<``o4.ptr6272.saymine.io``>
The exact same email successfully lands in my inbox with the following edit to /etc/postfix/main.cf
One thing I’ve noticed that might be relevant: the open resolver error seems to be related to the type of sender. It occurs almost always when the email is an automated message from an online service (email verification, password reset request, …) but does not seem to impact manually sent emails from users, even when hosted on the same server.
# run “resolvectl status” to see details about the actual nameservers. nameserver 127.0.0.1
The OVH DNS is still present in `/etc/resolvconf/resolv.conf.d/original` but I believe `yunohost` does its magic to hide it and update /etc/resolv.conf?
When my YUNOHOST installation stopped resolving any domains (still trying to find the reason), I looked into recursive name servers of my VPS provider, removed the open ones from usr/share/yunohost/conf/dnsmasq/plain/resolv.dnsmasq.conf, added the provider/hoster’s internal ones (not open to public), regenerated dnsmasq with yunohost tools regen-conf dnsmasq --force
resolving started to work again and spamhouse issue dissapeared.
so for those who are running a server in a datacenter and your provider provides an internal non-open recursive name servers limited/exclusive to that datacenter, this is a workaround for the spamhaus “open resolver” issue.
