noreply-dmarc-support@google.com rejected

[Kodey]

2024-03-27T02:45:49.051967+10:00 mail postfix/postscreen[20336]: NOQUEUE: reject: RCPT from [209.85.222.201]:55591: 550 5.7.1 Service unavailable; client [209.85.222.201] blocked using zen.spamhaus.org; from=<noreply-dmarc-support@google.com>, to=<postmaster@redacted>, proto=ESMTP, helo=<mail-qk1-f201.google.com>

Why can't I get the dmarc reports from google?
How can I fix it?

 

[Stoiko Ivanov]

2024-03-27T02:45:49.051967+10:00 mail postfix/postscreen[20336]: NOQUEUE: reject: RCPT from [209.85.222.201]:55591: 550 5.7.1 Service unavailable; client [209.85.222.201] blocked using zen.spamhaus.org; from=<noreply-dmarc-support@google.com>, to=<postmaster@redacted>, proto=ESMTP, helo=<mail-qk1-f201.google.com>

This message tells you that the mail was rejected because the sending IP is listed on zen.spamhaus.com.
The IP belongs to Google according to whois information - so it probably is a legitimate mail.
The IP is currently not listed at spamhaus - so the next report should be accepted (or at least not rejected due to this.

IPs being blocklisted - even legitimate ones happens - and it usually is fixed after a short while.

I hope this helps!

 

[Kodey]

Thanks @Stoiko I wasn't sure.
This has been going on for months. None of the reports have been delivered from what looks like a block of google ip addresses.
Seems like zen.spamhaus.com isn't a reliable source.
What can I do if I just want to get these reports no matter what zen.spamhaus.com thinks?

 

[Stoiko Ivanov]

This has been going on for months. None of the reports have been delivered from what looks like a block of google ip addresses.

This sounds odd - it can happen that a google IP gets listed here and there - but that's quite the exception...

Seems like zen.spamhaus.com isn't a reliable source.

in my experience it usually is...

which makes me think - maybe it's your DNS-Setup (e.g. we had reports here in the forum, that some firewalls/routers (in that case it was pfsense with unbound in the default config) have issues with DNS-requests for DNSBL sites (because those usually return IPs in the range of 127.0.0.0/8)

if you notice this again - check with another DNS server if the IP is indeed listed (or use a service like mx-toolbox or multrbl.valli.org)

What can I do if I just want to get these reports no matter what zen.spamhaus.com thinks?

to bypass dnsbl lookups in the mailproxy you need to allow the IP in GUI->Configuration->Mail Proxy->Whitelist....

 

[Kodey]

This sounds odd - it can happen that a google IP gets listed here and there - but that's quite the exception...

I don't have trouble getting mail from other sources. Here's a few more with some more details if that helps:

check with another DNS server if the IP is indeed listed (or use a service like mx-toolbox or multrbl.valli.org)

Why would google ips be bl?
It doesn't look good:

to bypass dnsbl lookups in the mailproxy you need to allow the IP in GUI

There are many ips to list and I'd rather not scrape them all out of the gui. I'm not sure how reliable the list would be either.
What I really want is a way to whitelist an email address and skip filtering just for it.

 

[Kodey]

@Stoiko Ivanov, this seems to be a fairly severe problem as hundreds of the legitimate dmarc report emails have been rejected and not one has been accepted. The ip address is always changing so no point in whitelisting those and you can see even a yahoo dmarc report email address blocked above.
When I search for this issue, I find that reports like this have being rejected for years but it's become especially important now as all the big webmail providers are now requiring dmarc and I can't even see their reports to analyse the problem.
It looks like a problem with dnsbl providers which Spamhaus use. Just that one ip address I checked on multirbl is blacklisted on 12 sites and given that this has been going on for months, I don't see it how waiting longer is going to help.
Do you have any other helpful suggestions?

 

[Kodey]

which makes me think - maybe it's your DNS-Setup (e.g. we had reports here in the forum, that some firewalls/routers (in that case it was pfsense with unbound in the default config) have issues with DNS-requests for DNSBL sites (because those usually return IPs in the range of 127.0.0.0/8)

I don't understand what you mean.
After further testing I can see other emails being rejected too.

root@mail:/etc# cat /var/log/mail.log | grep 209.85.166.43
2024-04-01T03:41:18.533515+10:00 mail postfix/postscreen[68002]: CONNECT from [209.85.166.43]:58839 to [192.168.10.153]:25
2024-04-01T03:41:18.596108+10:00 mail postfix/dnsblog[68003]: addr 209.85.166.43 listed by domain zen.spamhaus.org as 127.255.255.254
2024-04-01T03:41:24.596247+10:00 mail postfix/postscreen[68002]: DNSBL rank 1 for [209.85.166.43]:58839
2024-04-01T03:41:25.041584+10:00 mail postfix/tlsproxy[68005]: CONNECT from [209.85.166.43]:58839
2024-04-01T03:41:25.506584+10:00 mail postfix/tlsproxy[68005]: Anonymous TLS connection established from [209.85.166.43]:58839: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
2024-04-01T03:41:26.140002+10:00 mail postfix/postscreen[68002]: NOQUEUE: reject: RCPT from [209.85.166.43]:58839: 550 5.7.1 Service unavailable; client [209.85.166.43] blocked using zen.spamhaus.org; from=<redacted@gmail.com>, to=<postmaster@redacted>, proto=ESMTP, helo=<mail-io1-f43.google.com>
2024-04-01T03:41:26.352055+10:00 mail postfix/tlsproxy[68005]: DISCONNECT [209.85.166.43]:58839
2024-04-01T03:41:26.352124+10:00 mail postfix/postscreen[68002]: DISCONNECT [209.85.166.43]:58839
root@mail:/etc# nslookup 209.85.166.43
43.166.85.209.in-addr.arpa      name = mail-io1-f43.google.com.

Authoritative answers can be found from:

root@mail:/etc#

Maybe my mail server is incorrectly configured.
If I read this correctly...

addr 209.85.166.43 listed by domain zen.spamhaus.org as 127.255.255.254
DNSBL rank 1 for [209.85.166.43]

spamhaus reputation checker says 209.85.166.43 has no issues so that means you might be right, though I don't understand the problem so I don't know where to look next.
Please help

 

[Kodey]

Oh joy!
https://www.spamhaus.org/resource-h...4-query-via-public-open-resolver-generic-rdns

 

[Kodey]

Do I need to add this to my pmg setup?
https://github.com/spamhaus/spamassassin-dqs
Perhaps this could be automated like letsencrypt for pmg

 

[Kodey]

After changing the pmg dns to the router which forwards requests directly to the isps dns and changing the transport relay for this domain to dovecots static ip address, mails started trickling through but it still intermittently gets 127.255.255.254 responses from spamhaus unlike the internal unbound instance which forwarded requests onto:

    # Cloudflare DNS
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

It always rejected emails. Now emails are rejected and so far eventually arrive when the mta retries delivery and spamhaus finally succeeds.
I'm still waiting from my rDNS to propogate to spamhaus I guess while I try to figure out if an "attributable reverse DNS" is all that's required or even exactly what is meant.

This is obviously a temporary/stopgap solution because spamhaus intend to deny all requests that don't use their dqs eventually.
So I really need some advice on dqs in relation to pmg because the pmg documentation is devoid of information about it.
A best practices guide for pmg admins would be awesome @Stoiko Ivanov?