URIBL_BLOCKED: The query to URIBL was blocked

I have often this header line in received emails


Do I have to change something on my end (debian 12.4) so the query won’t be blocked anymore?


Pkte Regelname Beschreibung
    ---- ---------------------- --------------------------------------------------
    -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high
    [ listed in list.dnswl.org]
    0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
    for more information.
    [URI: dikav.yachts]
    0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
    -0.0 SPF_PASS SPF: Senderechner entspricht SPF-Datensatz
    0.2 BAYES_999 BODY: Spamwahrscheinlichkeit nach Bayes-Test: 99.9-100%
    [score: 1.0000]
    3.5 BAYES_99 BODY: Spamwahrscheinlichkeit nach Bayes-Test: 99-100%
    [score: 1.0000]
    0.0 HTML_MESSAGE BODY: Nachricht enthlt HTML
    0.0 T_TVD_MIME_EPI BODY: No description available.
    0.0 HTML_IMAGE_ONLY_32 BODY: HTML: images with 2800-3200 bytes of words
    0.0 DMARC_MISSING Missing DMARC policy

In my opinion, installing and using your own DNS resolver would be the best approach… most of public dns resolvers will be rejected to use uribl.


1 Like

Ok, let’s say I want to try using unbound as DNS resolver on my server.

Would the following steps be ‘the correct implementation’?

Deactivate and remove bind9:
# systemctl stop bind9.service
# nano /usr/local/hestia/conf/hestia.conf
DNS_SYSTEM='bind9' to
# apt remove bind9 bind9-utils

# apt install unbound

Change resolv.conf to:
# cat /etc/resolv.conf

Edit the unbound.conf to something like this:

# Unbound configuration file for Debian.
# See the unbound.conf(5) man page.
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"

      # the working directory.
      directory: "/etc/unbound"

      # If no logfile is specified, syslog is used
      # logfile: "/var/log/unbound/unbound.log"

      # run as the unbound user
      username: unbound

      # verbosity: 2      # uncomment and increase to get more logging.

      # listen on all interfaces, answer queries from the local subnet.
      # comment out the following line if your system doesn't have IPv6.
      # interface: ::0

       # disable IPv6
       do-ip6: no

      # perform prefetching of almost expired DNS cache entries.
      prefetch: yes

      access-control: allow

      # hide server info from clients
      hide-identity: yes
      hide-version: yes

      # Enable remote control with unbound-control(8) here.
      control-enable: no

      # what interfaces are listened to for remote control.
      # give and ::0 to listen to all interfaces.
      # set to an absolute path to use a unix local name pipe, certificates
      # are not used for that, so key and cert files need not be present.
      # control-interface: ::1

      # port number for remote control operations.
      control-port: 8953

Restart unbound systemctl restart unbound or do a server reboot.

Did I miss something? :thinking:

If you already installed bind9 with Hestia, there is no need to remove it and install unbound, you can just use bind9 as your dns resolver. Also, if you remove bind9 you won’t be able to add dns records to your domains (don’t know whether you are using it for this purpose).

Yes you should modify that file with that conf but keep in mind that it could be overwritten by your system if you are using systemd-resolved… so you should do more steps to change the nameserver to be used. Take a look to this post: Not receiving emails in roundcube - #16 by sahsanu

If you prefer to install unbound and you will use bind9 too, you can configure unbound to listen on address and add nameserver to your resolv.conf file so there isn’t need to remove bind9. You should add this directive listen-on port 53 {; }; to /etc/bind/named.conf.options so bind will listen only on

1 Like

I’m using a KVM server (all the DNS entries I’ve set at the dashboard of my ISP) - is there a need to still have bind9 installed? (when using unbound)

If you are not serving DNS records for your domains from Hestia then there is no need to keep bind installed. Just in case, instead of removing it, just disable and stop the service and if all works as expected then remove it.

1 Like