
[BUG] Spamassassin no longer working due to spamhaus policy change #2918

@tve

Description


Miscellaneous first checks

  • I checked that all ports are open and not blocked by my ISP / hosting provider.
  • I know that SSL errors are likely the result of a wrong setup on the user side and not caused by DMS itself. I'm confident my setup is correct.

Affected Component(s)

spamassassin queries to spamhaus

What happened and when does this occur?

Queries to the spamhaus blocking lists are intermittently failing. The result is log entries of the form:

Dec  1 08:22:29 mail postfix/smtpd[224054]: NOQUEUE: reject: RCPT from o8.email.nextdoor.com[167.89.48.102]: 554 5.7.1 Service unavailable; Client host [167.89.48.102] blocked using zen.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/35.80.40.194; from=<bounces+1740987-5fc4-xxx=[email protected]> to=<[email protected]> proto=ESMTP helo=<o8.email.nextdoor.com>

Dec  1 08:29:53 mail postfix/smtpd[225785]: NOQUEUE: reject: RCPT from s4.csa2.acemsa1.com[52.128.40.9]: 554 5.7.1 Service unavailable; Client host [52.128.40.9] blocked using zen.spamhaus.org; from=<bounce-2252638-609-18526-xxx=[email protected]> to=<[email protected]> proto=ESMTP helo=<s4.csa2.acemsa1.com>

What did you expect to happen?

I expected the queries to spamhaus to work.

How do we replicate the issue?

My DMS container is running in AWS and uses the AWS DNS resolvers. Clicking through the link in the first error message above eventually gets to https://www.spamhaus.com/resource-center/successfully-accessing-spamhauss-free-block-lists-using-a-public-dns/
From that page I gather that my DMS is being blocked because (a) it uses a public DNS resolver and (b) it runs in a cloud hosting environment.
I assume that the issue can be replicated by setting up DMS with 8.8.8.8 as DNS resolver.

DMS version

V11.2.0

What operating system is DMS running on?

Linux

Which operating system version?

Ubuntu 22.04

What instruction set architecture is DMS running on?

x86_64 / AMD64

What container orchestration tool are you using?

Docker

docker-compose.yml

version: '2'

services:
  mail:
    image: docker.io/mailserver/docker-mailserver:latest
    # build: .
    hostname: mail
    domainname: voneicken.com
    container_name: mail
    cap_add:
      - NET_ADMIN
    restart: always
    stop_grace_period: 1m
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0
    ports:
    - "25:25" # SMTP w/STARTTLS
    - "465:465" # ESMTP w/TLS
    - "587:587" # ESMTP w/STARTTLS
    - "172.22.154.1:993:993" # IMAP w/TLS
    - "172.22.154.1:4190:4190" # SIEVE
    #- "143:143" # IMAP w/out TLS or STARTTLS
    volumes:
    - /home/mail:/var/mail
    - /home/mail-state:/var/mail-state
    - /home/mail-state/letsencrypt/etc:/etc/letsencrypt
    - ./config/:/tmp/docker-mailserver/
    - /var/log/mail:/var/log/mail
    - /etc/localtime:/etc/localtime:ro
    environment:
    - ENABLE_CLAMAV=1
    - ENABLE_SPAMASSASSIN=1
    - ENABLE_FAIL2BAN=1
    - ENABLE_MANAGESIEVE=1
    - ENABLE_SASLAUTHD=0
    - ENABLE_QUOTAS=0
    - POSTFIX_MESSAGE_SIZE_LIMIT=40000000
    - SSL_TYPE=letsencrypt
    - RELAY_HOST=email-smtp.us-east-1.amazonaws.com
    - RELAY_PORT=587
    - RELAY_USER=...
    - RELAY_PASSWORD=...
    - ONE_DIR=1
    - [email protected]
    - REPORT_INTERVAL=weekly

Relevant log output

No response

Other relevant information

The solution offered by spamhaus is to sign up for a free account, which I'm doing, but using that account requires a plugin to spamassassin and presumably some configuration of that plugin.
It seems to me that I must not be the only user of DMS that is experiencing the issue. However, so far I've noticed that it is intermittent, i.e., spamhaus is not blocking all the queries, only some fraction, so emails continue to come through; they're just often delayed by minutes until the sending MTA retries.

What level of experience do you have with Docker and mail servers?

  • I am inexperienced with docker
  • I am rather experienced with docker
  • I am inexperienced with mail servers
  • I am rather experienced with mail servers
  • I am uncomfortable with the CLI
  • I am rather comfortable with the CLI

Code of conduct

Improvements to this form?

No response
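A way to tell the two kinds of reject quoted above apart, and to check which Spamhaus answer a given resolver actually gets, as an added example that is not part of the original issue or of docker-mailserver. The return-code values are the ones Spamhaus documents for its DNSBLs; the `2.0.0.127` / `1.0.0.127` test entries are the documented positive and negative test names; the script name, the `--live` flag and the sample log lines are assumptions made up for this example.

```bash
#!/usr/bin/env bash
# spamhaus-check.sh (added example, not DMS code).
# Spamhaus answers a DNSBL query with an A record in 127.0.0.0/8; the value
# says whether the host is listed or whether Spamhaus refused to answer the
# resolver that asked (documented Spamhaus return codes):
#   127.0.0.2 .. 127.0.0.11   listed (SBL, XBL or PBL)
#   127.255.255.252           typing error in the DNSBL name
#   127.255.255.254           query came via a public/open resolver
#   127.255.255.255           excessive query volume from this resolver
# Postfix's reject_rbl_client treats any 127.x.x.x answer as a listing unless
# told otherwise, which is why an error answer shows up as a 554 in the logs.

# classify_answer <A record or empty string> -> prints a verdict
classify_answer() {
  case "$1" in
    "")                          echo "not-listed" ;;
    127.0.0.[2-9]|127.0.0.1[01]) echo "listed" ;;
    127.255.255.252)             echo "error-typo" ;;
    127.255.255.254)             echo "error-open-resolver" ;;
    127.255.255.255)             echo "error-query-volume" ;;
    *)                           echo "unexpected" ;;
  esac
}

# reverse_ip 167.89.48.102 -> 102.48.89.167 (label order used in DNSBL names)
reverse_ip() {
  local IFS=.
  set -- $1
  echo "$4.$3.$2.$1"
}

# classify_reject_line <postfix/smtpd log line>
# A reject caused by a Spamhaus error answer carries the TXT text that
# Postfix quotes after "Error:"; a reject on a real listing does not.
classify_reject_line() {
  case "$1" in
    *"blocked using zen.spamhaus.org; Error:"*) echo "dnsbl-error" ;;
    *"blocked using zen.spamhaus.org"*)          echo "dnsbl-listed" ;;
    *)                                           echo "other" ;;
  esac
}

# count_error_rejects: reads log lines on stdin, prints how many rejects were
# caused by an error answer rather than by a listing.
count_error_rejects() {
  local n=0 line
  while IFS= read -r line; do
    if [ "$(classify_reject_line "$line")" = dnsbl-error ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Constructed sample in the shape of the smtpd lines quoted in the issue
# (hosts and addresses replaced with documentation ranges; not real data).
sample_log() {
  cat <<'EOF'
Dec  1 08:22:29 mail postfix/smtpd[1]: NOQUEUE: reject: RCPT from a.example[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/192.0.2.53; from=<a@example> to=<b@example> proto=ESMTP helo=<a.example>
Dec  1 08:29:53 mail postfix/smtpd[2]: NOQUEUE: reject: RCPT from b.example[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using zen.spamhaus.org; from=<c@example> to=<b@example> proto=ESMTP helo=<b.example>
Dec  1 08:30:00 mail postfix/smtpd[3]: connect from c.example[192.0.2.12]
EOF
}

# check_resolver [sender-ip]: query the Spamhaus test entries through the
# resolver in /etc/resolv.conf. 2.0.0.127 is listed on every Spamhaus list and
# 1.0.0.127 is never listed, so a 127.255.255.x answer to either means the
# resolver itself is being refused. Needs `dig` and network access.
check_resolver() {
  local a
  echo "positive test (expect listed):"
  for a in $(dig +short 2.0.0.127.zen.spamhaus.org A); do
    echo "  $a -> $(classify_answer "$a")"
  done
  echo "negative test (expect not-listed):"
  a=$(dig +short 1.0.0.127.zen.spamhaus.org A)
  echo "  ${a:-<empty>} -> $(classify_answer "$a")"
  if [ -n "${1:-}" ]; then
    echo "sender $1:"
    a=$(dig +short "$(reverse_ip "$1").zen.spamhaus.org" A | head -n1)
    echo "  ${a:-<empty>} -> $(classify_answer "$a")"
    dig +short "$(reverse_ip "$1").zen.spamhaus.org" TXT
  fi
}

# The live DNS check only runs when asked for, so the file can be sourced:
#   ./spamhaus-check.sh --live 167.89.48.102
if [ "${1:-}" = "--live" ]; then
  check_resolver "${2:-}"
fi
```

Run the live check from inside the container (for the compose file above, `docker exec mail bash spamhaus-check.sh --live 167.89.48.102`) so it uses the same resolver as Postfix; `sample_log | count_error_rejects` against a real `/var/log/mail/mail.log` shows how many of the 554s were error answers. One caveat on the Postfix side: `reject_rbl_client zen.spamhaus.org` rejects on any 127.0.0.0/8 answer, while the filtered form `reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]` rejects only on the listing codes, so a 127.255.255.254 answer then lets the message through without the Spamhaus check instead of bouncing it with the error URL.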
