[BUG] DNSBL error response handling is incorrect #2889

@rmvh

Description

Miscellaneous first checks

  • I checked that all ports are open and not blocked by my ISP / hosting provider.
  • I know that SSL errors are likely the result of a wrong setup on the user side and not caused by DMS itself. I'm confident my setup is correct.

Affected Component(s)

Mail can no longer be received

What happened and when does this occur?

Spamhaus recently changed how they deal with AWS and its DNS servers (see https://www.spamhaus.com/resource-center/if-you-query-spamhaus-projects-dnsbls-via-amazon-web-services-dns-move-to-the-free-data-query-service/).

In effect, every DNSBL request made by DMS on our AWS EC2 instance (and I suppose every existing EC2 instance) got the following response:

Oct 30 14:13:29 mail postfix/smtpd[14922]: NOQUEUE: reject: RCPT from mail-lj1-f182.google.com[209.85.208.182]: 554 5.7.1 Service unavailable; Client host [209.85.208.182] blocked using zen.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/obfuscated; from=<[email protected]> to=<obfuscated@obfuscated> proto=ESMTP helo=<mail-lj1-f182.google.com>

The response from DNSBL is 127.255.255.254 (see their blog post) with a resulting 554 error code. Unfortunately, the result is that every single incoming mail is blocked, which of course was only noticed after a couple of days of missed emails.

According to Spamhaus, DNSBL should be configured in such a way that it deals correctly with error codes (see also https://www.spamhaus.org/news/article/788/spamhaus-dnsbl-return-codes-technical-update). In their words:

"Some users continue to query Spamhaus blocklists via public resolvers, unaware that this means that our data does not actually protect their mail stream. We have introduced an error code for these users to provide a clear signal that there is an issue, and that the mailserver configuration needs to be updated."

What did you expect to happen?

DMS should handle Spamhaus' "new" error codes correctly and only block mail if the sender is actually on a list, and never block mails because of a configuration error.

How do we replicate the issue?

1. Spin up an AWS EC2
2. Set ENABLE_DNSBL to 1
3. Try to receive any mail
...

DMS version

v11.2.0

What operating system is DMS running on?

Linux

Which operating system version?

Debian 10 (buster)

What instruction set architecture is DMS running on?

x86_64 / AMD64

What container orchestration tool are you using?

Docker Compose

docker-compose.yml

mail:
    image: docker.io/mailserver/docker-mailserver:latest
    # If the FQDN for your mail-server is only two labels (eg: example.com),
    # you can assign this entirely to `hostname` and remove `domainname`.
    hostname: mail
    domainname: obfuscated.com
    container_name: mail
    # More information about the mail-server ports:
    # https://docker-mailserver.github.io/docker-mailserver/edge/config/security/understanding-the-ports/
    # To avoid conflicts with yaml base-60 float, DO NOT remove the quotation marks.
    ports:
      - "25:25"    # SMTP  (explicit TLS => STARTTLS)
      - "143:143"  # IMAP4 (explicit TLS => STARTTLS)
      - "465:465"  # ESMTP (implicit TLS)
      - "587:587"  # ESMTP (explicit TLS => STARTTLS)
      - "993:993"  # IMAP4 (implicit TLS)
    environment:
      LETSENCRYPT_HOST: mail.obfuscated.com
      LETSENCRYPT_RESTART_CONTAINER: "true"
      VIRTUAL_HOST: mail.obfuscated.com
      SSL_TYPE: manual
      SSL_CERT_PATH: /etc/letsencrypt/mail.obfuscated.com.crt
      SSL_KEY_PATH: /etc/letsencrypt/mail.obfuscated.com.key
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - maillogs:/var/log/mail
      - mail-config:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
      - ssl:/etc/letsencrypt:ro
    restart: unless-stopped
    stop_grace_period: 1m
    env_file:
      - ./mail/.env
      - ./mail/mailserver.env
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
    logging:
      options:
        max-size: "250m"
        max-file: "3"

Relevant log output

Oct 30 14:13:29 mail postfix/smtpd[14922]: NOQUEUE: reject: RCPT from mail-lj1-f182.google.com[209.85.208.182]: 554 5.7.1 Service unavailable; Client host [209.85.208.182] blocked using zen.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/obfuscated; from=<[email protected]> to=<obfuscated@obfuscated> proto=ESMTP helo=<mail-lj1-f182.google.com>

Other relevant information

No response

What level of experience do you have with Docker and mail servers?

  • I am inexperienced with docker
  • I am inexperienced with mail servers
  • I am uncomfortable with the CLI

Improvements to this form?

"What level of experience do you have with Docker and mail servers?" offers only answers in the negative form. I don't mind indicating that I have experience and am comfortable with the CLI, but I do not have that option. You can only guess why I didn't click the negative options if you do not give me the positive options.
