As you can see, sometimes the blacklist (surriel) is referenced in the message and sometimes it is just a generic Unverified Client host [ww1.sndr.com] blocked using reject_rhsbl_sender. In the second case how do I investigate the actual reason of the rejection?
It tells you why it was rejected in the output you've posted: "Listed in PSBL". You can check on their website if it's a valid rejection or try one of the many multi-rbl checkers on the internet. If it's a false positive (that's a problem with a lot of this type of RBLs) then don't use it, it's up to you to keep an eye on what your RBLs are doing and this isn't a Zimbra question or problem.
thanks for looking at this so promptly. You are right it say Listed in PSBL in the first log entry. My question concerns the second log entry where it only says "blocked using reject_rhsbl_sender". Any idea how to investigate that one? I checked the domain (the actual one, not the sanitized 'sndr.com') against all 4 blacklists and it wasn't on them.
For the second entry the reason would be exactly what it says in the log "Unverified Client host", the 'sender' www1.sndr.com' actually has no IP address associated with it and the IP address that's shown as the sender does not resolve to that name address, hence it's rejected because they can't verify that either one of those items belongs to the other. As I mentioned earlier, if you think the RBL is too aggressive then don't use it as they can be more trouble than they're worth. It's only worth using the minimum number of restrictions and RBLs that satisfy your requirements and no more.