Problem Description
I’ve started seeing mails being rejected by my Sympl host when using a public DNS provider. The immediate cause is that Spamhaus use addresses in 127.255.255.0/24 as error codes, but Sympl’s exim configuration regards any response as being that the address is in the blocked list.
Any Error Messages
2024-05-05 01:02:18 H=mail-yw1-f193.google.com [209.85.128.193] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no SNI=<redacted> F=<redacted> rejected RCPT <redacted>: IP blacklisted at zen.spamhaus.org.
(mail-yw1-f193.google.com [209.85.128.193]
is definitely not in the list at Spamhaus!)
Solution
A proper solution is to fix my DNS settings so I don’t get Spamhaus errors, but in the case that anything does go wrong, Sympl should not interpret 127.255.255.0/24 responses as being in the block list. The exim configuration manual actually has this scenario in there - the last example in section 18.7 of 44. Access control lists is:
deny dnslists = zen.spamhaus.org!&0.255.255.0
This !&0.255.255.0
should probably be added to all the dnslists
entries in /etc/exim4/sympl.d/10-acl/50-acl-check-rcpt/75-dns-blacklists
Environment
- Sympl Version [9.0/10.0]: 11
- Sympl Testing Version? [Yes/No]: No
- Debian Version [Buster/Stretch]: Bullseye
- Hardware Type? [Dedicated/Virtual/Pi]: Virtual
- Hosted On? [name of hosting co]: DigitalOcean
Spamhaus refuses to work with public/open resolvers, here’s their help page, scroll down a bit:
https://check.spamhaus.org/returnc/pub/10.10.0.0/
If you go to their FAQ FAQs | How you can use the free Spamhaus Blocklists and click on ‘For Postmasters’, there are a series of tests you can do under ‘How do I check mty DNS server results’. They suggest that you use ‘dig’ but this doesn’t seem to return NXDOMAIN. Here’s a sample nslookup session using my local caching server first.
~$ nslookup
> 2.0.0.127.zen.spamhaus.org
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: 2.0.0.127.zen.spamhaus.org
Address: 127.0.0.10
Name: 2.0.0.127.zen.spamhaus.org
Address: 127.0.0.4
Name: 2.0.0.127.zen.spamhaus.org
Address: 127.0.0.2
> 1.0.0.127.zen.spamhaus.org
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find 1.0.0.127.zen.spamhaus.org: NXDOMAIN
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> 2.0.0.127.zen.spamhaus.org
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find 2.0.0.127.zen.spamhaus.org: NXDOMAIN
> 1.0.0.127.zen.spamhaus.org
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find 1.0.0.127.zen.spamhaus.org: NXDOMAIN
> ^D
Sure, but when they return an error rather than NXDOMAIN, the Sympl exim config regards that as a hit, so blocks the email. There’s work I can do to get real responses from Spamhaus, but Sympl shouldn’t block emails based on an error.
So perhaps dnslists should be:
dnslists = zen.spamhaus.org/127.0.0.2,127.0.0.4,127.0.0.10
and any other list should just have 127.0.0.2.
I’m using similar syntax to check the dbl list and that works.
Just to correct what I said earlier, the full error listing (as far as I can tell) is
dnslists = zen.spamhaus.org/127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.9,127.0.0.10,127.0.0.11
Agreed, I’ll log an issue and see if I can get this fixed.
Adding the !&0.255.255.0
should then ignore any ‘error’ codes.
I’ve created sympl-mail: error codes returned by SpamHaus result in mails being blocked. (#353) · Issues · sympl.io / Sympl · GitLab to track it, but it should be an easy fix to just ignore errors.
We don’t really need to filter on specific results, as we’re not reporting on which lists things were added to, so as long as we ignore the 127.255.255.0/24 responses, we should be fine.
1 Like