The IPs of a big German provider were on the spamhaus blacklist for a short time, and apparently our server fetched just at that time and stayed with it for a few days, blocking plenty of legitimate conversation in that time.
I have plowed through config and bin files in hestia and related tools, through the forum and the documentation, but not found proper clarification on how the default blacklists in hestia operate and how to update them and change the update frequency.
I have even checked cronjobs and found nothing.
There is an exim config file, which from what I gathered is only refreshed when exim is restarted, begging the question whether that is done with regularity?
And does it store the cached lists somewhere?
Unfortunately the exim documentation has not yielded me proper results in my searches.
Then there is /usr/local/hestia/install/common/firewall/ipset/blacklist.sh which seems only referenced in few install and upgrade scripts.
I would really appreciate a documentation of the defaults in Firewall | Hestia Control Panel
The changes to dnsbl.conf file are dynamic so there is no need to restart exim to apply the changes.
The lists are not updated/refreshed on your machine, they are external lists consulted by exim using dns requests on every mail you receive. The dns answer is cached by the dns resolver you are using in your system and spamhaus uses a TTL (Time To Live) of 900 seconds (15 minutes).
For example, if the ip 203.0.113.1 is trying to send a mail to your server, exim internally will ask to the block list if the ip is listed, example using spamhaus.
$ dig +short TXT "$(echo '203.0.113.1' | awk -F '.' '{OFS="."; print $4,$3,$2,$1}' | sed 's/$/\.zen\.spamhaus\.org/')"
"Listed by PBL, see https://check.spamhaus.org/query/ip/203.0.113.1"
If it returns nothing, the ip is allowed.
That script is used to populate an ipset (ipset is a framework for storing IP addresses) used by Linux kernel and in this case, for the firewall (iptables). The ipset is populated with different block lists sources. That script and the ipset are neither active nor used by default by Hestia.
I forgot to say that you can execute this script to check if the dns resolver you are using in your machine is accepted by spamhaus, if it isn’t exim could block legitimate mail servers trying to send mails to you:
Thanks for the explanation, the check runs through fine but I found that this might be the exact issue - DNS caching. I realized cloudflare is not compliant, but that seems not to be used.
We have 46.38.225.230 configured and I don’t even know where that came from?