PMG Strange "dns_block_rule" log entries in mail.log

Apr 27, 2023
Hello forum members!

I'm reaching out to you with an issue that I noticed a few weeks ago in the /var/log/mail.log on our Proxmox Mail Gateway 8.1.6 server:
2025-04-16T15:03:12.142375+02:00 mailgw pmg-smtp-filter[197971]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny bl.score.senderscore.com" to disable queries)
2025-04-16T15:08:20.533740+02:00 mailgw pmg-smtp-filter[197971]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-trusted.bondedsender.org" to disable queries)
2025-04-16T15:08:20.534082+02:00 mailgw pmg-smtp-filter[197971]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-accredit.habeas.com" to disable queries)
2025-04-16T15:08:20.534229+02:00 mailgw pmg-smtp-filter[197971]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny bl.score.senderscore.com" to disable queries)
2025-04-16T15:13:43.522687+02:00 mailgw pmg-smtp-filter[198347]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-trusted.bondedsender.org" to disable queries)
2025-04-16T15:13:43.522999+02:00 mailgw pmg-smtp-filter[198286]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-trusted.bondedsender.org" to disable queries)
2025-04-16T15:13:43.523230+02:00 mailgw pmg-smtp-filter[198286]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-accredit.habeas.com" to disable queries)
2025-04-16T15:13:43.523392+02:00 mailgw pmg-smtp-filter[198286]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny bl.score.senderscore.com" to disable queries)
2025-04-16T15:19:01.689710+02:00 mailgw pmg-smtp-filter[198415]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-trusted.bondedsender.org" to disable queries)
2025-04-16T15:19:01.689900+02:00 mailgw pmg-smtp-filter[198415]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-accredit.habeas.com" to disable queries)
2025-04-16T15:19:01.689955+02:00 mailgw pmg-smtp-filter[198415]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny bl.score.senderscore.com" to disable queries)
2025-04-16T15:24:03.212991+02:00 mailgw pmg-smtp-filter[198705]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-trusted.bondedsender.org" to disable queries)
2025-04-16T15:24:03.213212+02:00 mailgw pmg-smtp-filter[198705]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-accredit.habeas.com" to disable queries)

Hundreds of these log entries appear every day.
After looking into the problem, I initially suspected our locally installed DNS server, but it seems to be working fine. I followed this guide for the setup:
https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway

DNSBL filtering is handled by SpamAssassin using a /etc/mail/spamassassin/custom-dnsbl.cf file:
Code:
header DNSBL_SPAMHAUS eval:check_rbl('spamhaus', 'zen.spamhaus.org.')
describe DNSBL_SPAMHAUS sender listed in zen.spamhaus.org
score DNSBL_SPAMHAUS 2

header DNSBL_UCEPROTECT1 eval:check_rbl('uceprotect1', 'dnsbl-1.uceprotect.net.')
describe DNSBL_UCEPROTECT1 sender listed in dnsbl-1.uceprotect.net
score DNSBL_UCEPROTECT1 2

header DNSBL_SURRIEL eval:check_rbl('surriel', 'psbl.surriel.com.')
describe DNSBL_SURRIEL sender listed in psbl.surriel.com
score DNSBL_SURRIEL 2

header DNSBL_SPAMRATS eval:check_rbl('spamrats', 'all.spamrats.com.')
describe DNSBL_SPAMRATS sender listed in all.spamrats.com
score DNSBL_SPAMRATS 2

The DNSBL list field in the web GUI is empty:
[screenshot: 1744820300150.png]
[screenshot: 1744820307613.png]

Since I don't know which DNSBL list is causing the issue, I tried disabling the checks in the custom-dnsbl.cf file one by one. Eventually, I commented out the entire content of the file. Even after restarting the entire server, the error messages in mail.log persist.

Where could this error be coming from? What could be the solution?
If you need more information or configuration files, feel free to ask and I'll gladly share the details.
 
I also seem to see hundreds of RCVD_IN_VALIDITY_CERTIFIED_BLOCKED lines in journalctl -u pmg-smtp-filter on Proxmox Mail Gateway 8.2.0. I am using a local nameserver on PMG.
 
Hello,

From my knowledge of testing PMG so far, it seems it is using some SA rules which query public blacklists for reputation. This error indicates that your public IP (of the DNS you are using) was blocked by that certain blacklist.

For example SPAMHAUS: https://www.spamhaus.org/faqs/dnsbl-usage/
Diagnostics can be quite simple. Try to run this on your PMG:
Code:
dig 8.8.8.8.zen.spamhaus.org +short
If you get some response like 127.255.255.*, your DNS is prohibited from querying SPAMHAUS.

Same applies for other lists PMG is using (error codes may differ).
 
VALIDITY grants you 10,000 anonymous queries per rolling month. If you exceed this limit, you will see this message.

The most common reason for receiving this message is that your system is not using a local DNS resolver. Even if you have configured your own resolver, issues can still occur if your reverse DNS records do not allow for clear attribution. In this context, your reverse DNS entries must unambiguously identify your organization. According to the fair use policy of most providers, users are not permitted to make queries through DNS resolvers that lack attributable reverse DNS records.

To avoid this issue, ensure that you are using your own local DNS resolver (not a forwarder), and that both your IPv4 and IPv6 reverse DNS records resolve to a hostname that clearly identifies your organization, rather than a generic provider hostname such as static.123.45.67.89.provider.com.

=> Make sure that your DNS resolver (not forwarder) has attributable DNS or block queries to VALIDITY
=> If you still exceed the query limit and do not wish to purchase additional query blocks from VALIDITY, you may encounter restrictions on further queries.
=> Check /root/.spamassassin/ for dnsblock_<...> entries

PS: The same applies to Spamhaus.

EDIT:
https://www.spamresource.com/2023/12/validity-to-restrict-access-to.html
https://www.spamhaus.org/resource-hub/email-security/query-the-legacy-dnsbls-via-hetzner/
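Added example (not code from the thread or from Proxmox): a small parser that walks mail.log lines of the shape quoted above, counts dns_block_rule warnings per DNSBL zone, and renders the "dns_query_restriction deny <zone>" lines that the warning itself suggests, so you can see which zones are rate-limiting you before touching the SpamAssassin config. The sample log lines are constructed to match the format in the first post, with the trailing hint text elided; the function and variable names are mine.

```python
import re

# Constructed sample lines in the format of the pmg-smtp-filter warnings quoted in the thread
# (the parenthetical hint text after the file name is elided). One postfix line is mixed in
# to show that unrelated mail.log entries are ignored.
SAMPLE_LOG = """\
2025-04-16T15:03:12.142375+02:00 mailgw pmg-smtp-filter[197971]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (...)
2025-04-16T15:08:20.533740+02:00 mailgw pmg-smtp-filter[197971]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (...)
2025-04-16T15:08:20.534082+02:00 mailgw pmg-smtp-filter[197971]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (...)
2025-04-16T15:08:20.534229+02:00 mailgw pmg-smtp-filter[197971]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (...)
2025-04-16T15:13:43.522999+02:00 mailgw postfix/smtpd[198300]: connect from unknown[203.0.113.5]
2025-04-16T15:13:43.522687+02:00 mailgw pmg-smtp-filter[198347]: WARNING: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (...)
"""

# Captures the timestamp, the SA rule that fired and the DNSBL zone, taken from the
# dnsblock_<zone> file name that SpamAssassin creates under /root/.spamassassin/.
BLOCK_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+pmg-smtp-filter\[\d+\]: WARNING: check: dns_block_rule "
    r"(?P<rule>\S+) hit, creating \S*/dnsblock_(?P<zone>\S+)"
)


def parse_dns_block_hits(log_text):
    """Return {zone: {"count", "rules", "first", "last"}} for every zone that reported a block."""
    hits = {}
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if not m:
            continue  # postfix, normal filter output, anything else
        entry = hits.setdefault(
            m.group("zone"),
            {"count": 0, "rules": set(), "first": m.group("ts"), "last": m.group("ts")},
        )
        entry["count"] += 1
        entry["rules"].add(m.group("rule"))
        entry["last"] = m.group("ts")  # lines are read in file order
    return hits


def render_query_restrictions(hits):
    """Build the SpamAssassin snippet the warning suggests: deny further queries per blocked zone.
    Zeroing rule scores instead would need every rule that queries the zone, which the
    warning does not enumerate, so this emits only the deny form."""
    lines = ["# generated from dns_block_rule warnings; review before deploying"]
    for zone in sorted(hits):
        h = hits[zone]
        lines.append(f"# {zone}: {h['count']} warnings, {h['first']} .. {h['last']}, rules: "
                     + ", ".join(sorted(h["rules"])))
        lines.append(f"dns_query_restriction deny {zone}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_query_restrictions(parse_dns_block_hits(SAMPLE_LOG)))
```

Run it against the real file with `parse_dns_block_hits(open("/var/log/mail.log").read())` to get the per-zone counts and the deny lines for a local.cf.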
 