Unable to receive mail / Openresolver

When receiving an email the following log is created:

50 5.7.350 Remote server returned message detected as spam → 550 Rejected because xx.xxx.xxx.xx is in a black list at zen.spamhaus.org;Error: open resolver; https://check.spamhaus.org/returnc/pub/xxx.xxx.x.xxx./

It seems that Spamhaus has recently included Hetzner IPs in their “open resolver” list to solve the issue

2 Likes

To verify your server is affected run the following command:

curl -sSL https://7j.gg/chksph2 | bash -s --

Written by @sahsanu

2 Likes

Hey, the /etc/exim4/dnsbl.conf and /etc/exim4/exim4.conf.template don't change with new updates, right?

Both files won’t change during updates (except when you update to a newer OS, Ubuntu Focal → Jammy → Noble for example).

1 Like

FYI, not just Hetzner, they have blocked loads of Netcup ones as well. Netcup has been having loads of sales and all, and they are real good and cheap, so another of that is getting blocked.

# curl -sSL https://7j.gg/chksph2 | bash -s xxx.xxx.xxx.xxx
Test 01: Error: open resolver; https://check.spamhaus.org/returnc/pub/xxx.xxx.xxx.xxx/
Result is bad, Spamhaus is blocking/ignoring the DNS Resolver xxx.xxx.xxx.xxx

I had to use the 76.x.x.x ones @sahsanu gave.

My Hetzner VPS can send mail without any problem, but does not receive it when I get a reply. Is this the same problem or is it something else?

I don’t receive the confirmation email from FREE Data Query Service Account either.

Check this thread.

Also, ensure your dmarc, dkim, spf, mx, etc., are set correctly.

You can use the tools here to cross confirm your prerogative setups: DNS & IP Tools, Developer & Webmaster Tools, Productivity Tools, SEO Tools

Looks like they announced this on January 08 - Email Security | Query our DNSBLs via Hetzner's infrastructure? Move to free Data Query Service | Resources

5 Likes

After reading all the sparsely detailed threads on the subject, these are the three possible solutions I have compiled to the problem of receiving mail due to Spamhaus blocking Hetzner resolvers, from least to most convenient. You can check if we are affected with:
# curl -sSL https://7j.gg/chksph2 | bash -s --

Remove Spamhaus anti-spam protection:

# nano /etc/exim4/dnsbl.conf

bl.spamcop.net
#zen.spamhaus.org

# systemctl restart exim4

Changing the resolvers used by the machine where HestiaCP is running to those of ‘Control D’:

# nano /etc/resolv.conf

nameserver 76.76.2.0
nameserver 76.76.10.0
#nameserver 185.12.64.2
#nameserver 185.12.64.1

Obtain a free key from Spamhaus:

We must first apply one of the above solutions to enable receipt of the verification email that Spamhaus will send us.

# nano /etc/exim4/dnsbl.conf

bl.spamcop.net
HereYourQueryKey.zen.dq.spamhaus.net

  • Also edit /etc/exim4/exim4.conf.template on the line: ‘deny message = Rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text’ to ‘deny message = Rejected because $sender_host_address is in a black list’ to prevent your Query key from leaking

# nano /etc/exim4/exim4.conf.template

Restart exim4
# systemctl restart exim4

I hope it will be useful to users who, like me, have less knowledge.

Translated with DeepL.com (free version)

6 Likes
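The "Error: open resolver" text in the rejections above comes from Spamhaus answering with an error code in 127.255.255.0/24 instead of a real listing. As an added example (not the chksph2 script linked in this thread and not HestiaCP code), these shell functions build the ZEN query name and separate Spamhaus's error codes from listings; the function names and the zencheck.sh file name are hypothetical.

```shell
#!/bin/sh
# Added example: tell a Spamhaus ZEN error answer apart from a real listing.

# Build the DNSBL query name: reversed IPv4 octets followed by the zone.
# $1 = IPv4 address, $2 = DNSBL zone. Prints nothing for malformed input.
dnsbl_qname() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" \
        'NF == 4 { print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Map the first A record of a ZEN answer to its meaning.
classify_zen_reply() {
    case "$1" in
        "")              echo "not-listed" ;;              # NXDOMAIN, no answer
        127.255.255.252) echo "error:typo-in-zone-name" ;;
        127.255.255.254) echo "error:open-resolver" ;;     # query came via a blocked resolver
        127.255.255.255) echo "error:excessive-queries" ;;
        127.0.0.*)       echo "listed" ;;                  # genuine SBL/XBL/PBL data
        *)               echo "unknown" ;;
    esac
}

# Live probe (needs dig and network access). 127.0.0.2 is the standard DNSBL
# test entry, so "listed" here means the resolver gets real answers.
# $1 = optional resolver IP; empty means the system resolver.
check_resolver() {
    cr_qname=$(dnsbl_qname 127.0.0.2 zen.spamhaus.org)
    cr_answer=$(dig +short ${1:+"@$1"} A "$cr_qname" | head -n 1)
    classify_zen_reply "$cr_answer"
}

# Run the live probe only when asked: sh zencheck.sh --live [resolver-ip]
if [ "${1:-}" = "--live" ]; then
    check_resolver "${2:-}"
fi
```

An `error:*` result from `check_resolver` means every sender will look listed to Exim through that resolver, which matches the symptom reported in this thread.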

Trouble with that data query account is, they need your real name, mobile/contact number and all sorts. Even though this company is based out of UK, they use amazon services and to give spamhaus my data (unlike registrar), I am not willing to get their free service anyways.

That is just me.

Then disable it:

nano /etc/exim4/dnsbl.conf
and remove the zen.spamhaus.org

But then what service should I use in lieu of spamhaus?

Any suggestions please?

If you have not deleted it, you should still be using spamcop.

Here are some alternatives to Spamhaus:

Barracuda Reputation Block List (BRBL)
URL: https://www.barracudacentral.org/

SpamCop Blocking List (SCBL)
URL: SpamCop.net - Blocking List ( bl.spamcop.net )

UCEPROTECT DNSBL
URL: https://www.uceprotect.net/

PSBL (Passive Spam Block List)
URL: http://psbl.org/

SpamRATS
URL: https://www.spamrats.com/

0spam.org DNSBL
URL: https://www.0spam.org/

2 Likes

Thanks. If I add the others, while keeping just the zen (not dbl), will it cause more issues? Sorry, just learning this after facing my personal issues for 2 weeks.

I don’t understand this, zen.spamhaus.org is a DNSBL. If it doesn’t work for you, why would you keep using it?

No no. Since you mentioned I should keep it (if not yet removed), I wanted to understand. As I said, I am new to this kind of topic. So before doing anything, I just wanted to clarify with you.

This service has (somewhat recently) ceased operations.

1 Like