Client host blocked using reject_rhsbl_sender

[jerryboi]

I have a number of blacklists defined and I often see "NOQUE: reject:" messages in maillog.

Code: Select all

$ grep '554.5' /var/log/maillog
Oct 11 09:32:20 mx postfix/smtpd[12419]: NOQUEUE: reject: RCPT from unknown[139.198.1.197]: 554 5.7.1 Service unavailable; Client host [139.198.1.197] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=139.198.1.197; from=<htlywkemvmx@mail2emergency.com> to=<a.user@domain.com> proto=SMTP helo=<78.46.112.235>
Oct 11 10:49:55 mx postfix/smtpd[6257]: NOQUEUE: reject: RCPT from ww1.sndr.com[88.99.238.130]: 554 5.7.1 Service unavailable; Unverified Client host [ww1.sndr.com] blocked using reject_rhsbl_sender; from=<anjuh@sndr.com> to=<user@domain.com> proto=ESMTP helo=<mail.sndr.com.>
$
$ zmprov gacf | grep zimbraMtaRestriction
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_unknown_sender_domain
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client psbl.surriel.com
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rbl_client
zimbraMtaRestriction: reject_rhsbl_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_client multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_reverse_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_reverse_client
zimbraMtaRestriction: reject_rhsbl_sender multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_sender rhsbl.sorbs.net
zimbraMtaRestriction: reject_rhsbl_sender dbl.spamhaus.org
zimbraMtaRestriction: rbl_override lmdb:/opt/zimbra/conf/rbl_override


As you can see, sometimes the blacklist (surriel) is referenced in the message and sometimes it is just a generic Unverified Client host [ww1.sndr.com] blocked using reject_rhsbl_sender. In the second case how do I investigate the actual reason of the rejection?

[phoenix]

It tells you why it was rejected in the output you've posted: "Listed in PSBL". You can check on their website if it's a valid rejection or try one of the many multi-rbl checkers on the internet. If it's a false positive (that's a problem with a lot of this type of RBLs) then don't use it, it's up to you to keep an eye on what your RBLs are doing and this isn't a Zimbra question or problem.

[jerryboi]

Hi Phoenix,

thanks for looking at this so promptly. You are right it say Listed in PSBL in the first log entry. My question concerns the second log entry where it only says "blocked using reject_rhsbl_sender". Any idea how to investigate that one? I checked the domain (the actual one, not the sanitized 'sndr.com') against all 4 blacklists and it wasn't on them.

[phoenix]

For the second entry the reason would be exactly what it says in the log "Unverified Client host", the 'sender' www1.sndr.com' actually has no IP address associated with it and the IP address that's shown as the sender does not resolve to that name address, hence it's rejected because they can't verify that either one of those items belongs to the other. As I mentioned earlier, if you think the RBL is too aggressive then don't use it as they can be more trouble than they're worth. It's only worth using the minimum number of restrictions and RBLs that satisfy your requirements and no more.