zen.spamhaus.com is blocking all my mails

Mar 18, 2020
Please be informed that all our incoming emails are blocked by Proxmox; we are not able to receive emails from outside. Please advise urgently how to sort this out.
 

Not sure I understand your request - the ip 192.28.150.228 is listed on zen.spamhaus.com (which is a DNS block list):
* if you're the admin of a mailserver running on 192.28.150.228 - then check your logs - most likely someone is using your system to send out spam from it
* if you have a PMG, which rejects mail from 192.28.150.228, but want to receive mails from them (despite the ip being blacklisted) - add the ip to the mail proxy whitelist (GUI -> Configuration -> Mail Proxy -> Whitelist)

I hope this helps!
 
E-mails from all domains are showing the same rejection message.
 
Seems your installation has an issue: you block IPs which are not listed on the blacklists. What did you change recently?

=> Disable RBL rejects, does this help?

Which version do you run exactly?
 
=> Disable RBL rejects, does this help?
Yes.. but same.

Which version do you run exactly?
6.1
 
please share some more logs - (/var/log/mail.log) - anonymize what's necessary
 
Mar 18 20:48:17 pmg pmg-smtp-filter[984]: starting database maintainance
Mar 18 20:48:17 pmg pmg-smtp-filter[984]: end database maintainance (5 ms)
Mar 18 20:49:26 pmg postfix/postscreen[1083]: CONNECT from [212.224.123.68]:39034 to [192.168.1.11]:25
Mar 18 20:49:26 pmg postfix/dnsblog[1084]: addr 212.224.123.68 listed by domain zen.spamhaus.org as 37.131.68.29
Mar 18 20:49:32 pmg postfix/postscreen[1083]: DNSBL rank 1 for [212.224.123.68]:39034
Mar 18 20:49:33 pmg postfix/postscreen[1083]: NOQUEUE: reject: RCPT from [212.224.123.68]:39034: 550 5.7.1 Service unavailable; client [212.224.123.68] blocked using zen.spamhaus.org; from=<office@proxmox.com>, to=<krxxxxx@xxxxx.com>, proto=ESMTP, helo=<firstgate.proxmox.com>
 
addr 212.224.123.68 listed by domain zen.spamhaus.org as 37.131.68.29
this sounds odd - the responses to DNSBL lookups are usually in 127.0.0.0/8 (and not 37.131.68.29)

could you:
* provide your resolv.conf file (`cat /etc/resolv.conf`)
* the output of `ping -c 4 google.com`
* the output of `ping firstgate.proxmox.com` (there will be a timeout - but we'll get what firstgate.proxmox.com resolves to)
* install dnsutils (dig is inside) `apt install dnsutils`
* provide the output of:
** `dig +norec 68.123.224.212.zen.spamhaus.org @c.gns.spamhaus.org.` (maybe also replace 'c' in 'c.gns.spamhaus.org.' with 'a' - 'd')
** `dig 68.123.224.212.zen.spamhaus.org`

thanks!
 
* provide your resolv.conf file (`cat /etc/resolv.conf`)
search ourdomain.com
nameserver ourdnsip


* the output of `ping -c 4 google.com`
ping -c 4 google.com
PING google.com (216.239.34.117) 56(84) bytes of data.
64 bytes from 216.239.34.117 (216.239.34.117): icmp_seq=1 ttl=56 time=39.2 ms
64 bytes from 216.239.34.117 (216.239.34.117): icmp_seq=2 ttl=56 time=38.6 ms
64 bytes from 216.239.34.117 (216.239.34.117): icmp_seq=3 ttl=56 time=37.9 ms
64 bytes from 216.239.34.117 (216.239.34.117): icmp_seq=4 ttl=56 time=38.5 ms

* the output of `ping firstgate.proxmox.com` (there will be a timeout - but we'll get what firstgate.proxmox.com resolves to)

root@pmg:~# ping firstgate.proxmox.com
PING firstgate.proxmox.com (212.224.123.68) 56(84) bytes of data.

* install dnsutils (dig is inside) `apt install dnsutils`

root@pmg:~# apt install dnsutils
Reading package lists... Done
Building dependency tree
Reading state information... Done
dnsutils is already the newest version (1:9.11.5.P4+dfsg-5.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@pmg:~#

* provide the output of:
** `dig +norec 68.123.224.212.zen.spamhaus.org @c.gns.spamhaus.org.` (maybe also replace 'c' in 'c.gns.spamhaus.org.' with 'a' - 'd')
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +norec 68.123.224.212.zen.spamhaus.org @c.gns.spamhaus.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48627
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;68.123.224.212.zen.spamhaus.org. IN A

;; AUTHORITY SECTION:
zen.spamhaus.org. 10 IN SOA need.to.know.only. hostmaster.spamhaus.org. 2003181828 3600 600 432000 10

;; Query time: 183 msec
;; SERVER: 89.45.233.104#53(89.45.233.104)
;; WHEN: Wed Mar 18 21:28:53 +03 2020
;; MSG SIZE rcvd: 113
** `dig 68.123.224.212.zen.spamhaus.org`

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> 68.123.224.212.zen.spamhaus.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17385
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;68.123.224.212.zen.spamhaus.org. IN A

;; ANSWER SECTION:
68.123.224.212.zen.spamhaus.org. 0 IN A 37.131.68.29

;; Query time: 149 msec
;; SERVER: 192.168.1.5#53(192.168.1.5)
;; WHEN: Wed Mar 18 21:29:50 +03 2020
;; MSG SIZE rcvd: 76



Thank You
 
looks like your recursive dns-server has some problem (or some broken cache):

Code:
dig +norec 68.123.224.212.zen.spamhaus.org @c.gns.spamhaus.org.
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +norec 68.123.224.212.zen.spamhaus.org @c.gns.spamhaus.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48627
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;68.123.224.212.zen.spamhaus.org. IN    A
shows that 212.224.123.68 is not listed with spamhaus (NXDOMAIN) when asking their authoritative nameserver
while
Code:
dig 68.123.224.212.zen.spamhaus.org

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> 68.123.224.212.zen.spamhaus.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17385
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


;; ANSWER SECTION:
68.123.224.212.zen.spamhaus.org. 0 IN   A       37.131.68.29
shows that it gets a (very odd) response from your internal dns

-> check your internal DNS (check its logs, clear its cache, restart the service)

I hope this helps!
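
The check used in this thread, as an added example (not part of any post, and not Proxmox or Postfix code): it parses postfix/dnsblog lines and flags DNSBL replies outside 127.0.0.0/8, which point at the resolver path rather than at a real listing. The log format follows the line quoted above; the second and third sample lines are constructed, and treating 127.255.255.0/24 as Spamhaus error replies is an assumption taken from Spamhaus' published return codes.

```python
import ipaddress
import re

# First line is the dnsblog entry quoted in this thread; the other two are
# constructed samples (documentation-range client addresses).
SAMPLE_LOG = """\
Mar 18 20:49:26 pmg postfix/dnsblog[1084]: addr 212.224.123.68 listed by domain zen.spamhaus.org as 37.131.68.29
Mar 18 20:51:02 pmg postfix/dnsblog[1090]: addr 192.0.2.15 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 18 20:52:40 pmg postfix/dnsblog[1093]: addr 198.51.100.7 listed by domain zen.spamhaus.org as 127.255.255.254
"""

# IPv4 clients only; IPv6 DNSBL names use nibble format and are not handled here.
DNSBLOG_RE = re.compile(
    r"postfix/dnsblog\[\d+\]: addr (?P<client>[\d.]+) "
    r"listed by domain (?P<zone>\S+) as (?P<reply>\S+)"
)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ERROR_CODES = ipaddress.ip_network("127.255.255.0/24")  # assumed: error replies, not listings

def dnsbl_query_name(client_ip, zone):
    """Build the name a DNSBL client looks up: reversed IPv4 octets + zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify_reply(reply):
    """Return 'listing', 'dnsbl-error' or 'bogus' for a DNSBL A-record reply."""
    addr = ipaddress.ip_address(reply)
    if addr in ERROR_CODES:
        return "dnsbl-error"
    if addr in LOOPBACK:
        return "listing"
    return "bogus"  # not a DNSBL answer at all: suspect the resolver path

def audit(log_text):
    """Return (client, query_name, reply, verdict) for every dnsblog line."""
    results = []
    for line in log_text.splitlines():
        m = DNSBLOG_RE.search(line)
        if m:
            qname = dnsbl_query_name(m["client"], m["zone"])
            results.append((m["client"], qname, m["reply"], classify_reply(m["reply"])))
    return results

if __name__ == "__main__":
    for client, qname, reply, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:12} {client:16} {qname} -> {reply}")
```

The query name printed for a "bogus" line is the one to compare with `dig` against the recursive resolver and against the list's authoritative servers, as done in the posts above.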
 
Cleared DNS cache, nothing unusual found in logs, and service restarted, but still the same.
 
Try the dig lookups you ran from your PMG from your DNS server, and post the results.
 
root@pmg:~# dig zen.spamhaus.com

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> zen.spamhaus.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28030
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;zen.spamhaus.com. IN A

;; ANSWER SECTION:
zen.spamhaus.com. 0 IN A 37.131.68.29

;; Query time: 34 msec
;; SERVER: 192.168.1.5#53(192.168.1.5)
;; WHEN: Thu Mar 19 15:52:47 +03 2020
;; MSG SIZE rcvd: 61

========================================
root@pmg:~# dig zen.spamhaus.org

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> zen.spamhaus.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62379
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;zen.spamhaus.org. IN A

;; AUTHORITY SECTION:
zen.spamhaus.org. 9 IN SOA need.to.know.only. hostmaster.spamhaus.org. 2003191257 3600 600 432000 10

;; Query time: 607 msec
;; SERVER: 192.168.1.5#53(192.168.1.5)
;; WHEN: Thu Mar 19 15:58:52 +03 2020
;; MSG SIZE rcvd: 109

root@pmg:~#

From internal nslookup

spamhus.org
Server: xxx.abc.com
Address: 192.168.x.x

Non-authoritative answer:
Name: spamhus.org
Address: 37.131.68.29

> zen.spamhus.org
Server: xxx.abc.com
Address: 192.168.x.x

Non-authoritative answer:
Name: zen.spamhus.org
Address: 37.131.68.29

> zen.spamhus.com
Server: xxx.abc.com
Address: 192.168.x.x

Non-authoritative answer:
Name: tj.ymgg.biz
Address: 149.129.82.52
Aliases: zen.spamhus.com

> spamhus.com
Server: xxx.abc.com
Address: 192.168.x.x
 
sorry wasn't clear enough :
run:
* provide the output of:
** `dig +norec 68.123.224.212.zen.spamhaus.org @c.gns.spamhaus.org.` (maybe also replace 'c' in 'c.gns.spamhaus.org.' with 'a' - 'd')
** `dig 68.123.224.212.zen.spamhaus.org`
** `dig 68.123.224.212.zen.spamhaus.org @127.0.0.1`
on the internal DNS server (and on the secondary)!

spamhus.org
you have a typo here - spamhaus not spamhus
 
