Struggles with understanding the default email blocklist configuration

The IPs of a big German provider were on the spamhaus blacklist for a short time, and apparently our server fetched just at that time and stayed with it for a few days, blocking plenty of legitimate conversation in that time.

I have plowed through config and bin files in hestia and related tools, through the forum and the documentation, but not found proper clarification on how the default blacklists in hestia operate and how to update them and change the update frequency.
I have even checked cronjobs and found nothing.

There is an exim config file, which from what I gathered is only refreshed when exim is restarted, begging the question whether that is done with regularity?
And does it store the cached lists somewhere?
Unfortunately the exim documentation has not yielded me proper results in my searches.

$ cat /etc/exim4/dnsbl.conf

Then there is /usr/local/hestia/install/common/firewall/ipset/ which seems only referenced in few install and upgrade scripts.
I would really appreciate a documentation of the defaults in Firewall | Hestia Control Panel

The changes to dnsbl.conf file are dynamic so there is no need to restart exim to apply the changes.

The lists are not updated/refreshed on your machine, they are external lists consulted by exim using dns requests on every mail you receive. The dns answer is cached by the dns resolver you are using in your system and spamhaus uses a TTL (Time To Live) of 900 seconds (15 minutes).

For example, if the ip is trying to send a mail to your server, exim internally will ask to the block list if the ip is listed, example using spamhaus.

$ dig +short TXT "$(echo '' | awk -F '.' '{OFS="."; print $4,$3,$2,$1}' | sed 's/$/\.zen\.spamhaus\.org/')"
"Listed by PBL, see"

If it returns nothing, the ip is allowed.

That script is used to populate an ipset (ipset is a framework for storing IP addresses) used by Linux kernel and in this case, for the firewall (iptables). The ipset is populated with different block lists sources. That script and the ipset are neither active nor used by default by Hestia.

1 Like

I forgot to say that you can execute this script to check if the dns resolver you are using in your machine is accepted by spamhaus, if it isn’t exim could block legitimate mail servers trying to send mails to you:

curl -sSL | bash -s -- -d
1 Like

Thanks for the explanation, the check runs through fine but I found that this might be the exact issue - DNS caching. I realized cloudflare is not compliant, but that seems not to be used.
We have configured and I don’t even know where that came from?

Seems that is the dns resolver provided by your hosting company (netcup)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.