docker-mailserver: 550 5.7.1 Service unavailable; client [xxx.xxx.xxx.xxx] blocked using zen.spamhaus.org

What does it mean that emails are “blocked using zen.spamhaus.org” ? Does this mean my domain/IP was blocked somehow?

The sending system is on a block list.

Why are these “sites” in my configurations? Who decides to put these sites as default?

They were added by this project in the past and are not part of the postfix default configuration.

Is there a way to recover all the emails that were lost during the day?

Probably not.

I’m just very concerned with the fact that these 3rd party sites, that I never heard about before, can so easily “break” the receiving of emails on my server…

I have the same opinion. I don’t like the fact, that mails are silently blocked/discard. I want to receive all mails, but marked as spam. Thats why I also disabled all DNS block lists and use Spamassassin only.

fyi: The same goes for Antivirus (clamav). If an email is considered harmful (e.g. containing “dangerous” attachments), it will be discarded.

With v11 we wanted to remove DNS blocking completely and making it opt-in.

I would define a breaking change to be one after which one would (possibly) not be able to use the mail server anymore without taking action. This is not the case here, right? I’m just curious because I have nothing against this going into v10.4.

Would you let me know what do you do to disable all DNS blocks, please? Just want to make sure I do the right thing,

Sure, but without guarantee for completeness. That’s what I found out so far.

These are my “deliver all mails” hacks:

config/postfix-main.cf:

postscreen_dnsbl_sites =

# DNS blacklists removed
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain

config/user-patches.sh:

sed -i '/^\$final_virus_destiny/ s|D_DISCARD|D_PASS|' /etc/amavis/conf.d/20-debian_defaults
sed -i '/^\$final_banned_destiny/ s|D_DISCARD|D_PASS|' /etc/amavis/conf.d/20-debian_defaults

# verify with:
# grep -P final_.+_destiny /etc/amavis/conf.d/*
#    /etc/amavis/conf.d/20-debian_defaults:$final_virus_destiny      = D_PASS;  # (data not lost, see virus quarantine)
#    /etc/amavis/conf.d/20-debian_defaults:$final_banned_destiny     = D_PASS;
#    /etc/amavis/conf.d/20-debian_defaults:$final_spam_destiny       = D_PASS;
#    /etc/amavis/conf.d/20-debian_defaults:$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

I saw two closed issues still pinned. I thought they could safely be removed.

I will pin this back up.

Very good! Thank you for that.

I also don’t use quotas, so I went ahead and put ENABLE_QUOTAS=0 in the env file.

Really appreciate your help here. Yeah, since the “main.cf” configs may change, it’s probably better to use patches instead. I’ll look into that too.

As this issue is now resolved, I’ll go ahead and close this ticket, just so it doesn’t remain unnecessarily open!

Have a great day!

I just removed the DNS blacklists from the original string some time ago. check_policy_service inet:localhost:65265 must have been added later. However I checked my setup and there is no service listening on port 65265.

It’s seems to be related to postfix quotas:

https://github.com/docker-mailserver/docker-mailserver/blob/69402b0bfade5366bd0bd81cdc710e191110efa0/target/scripts/startup/setup-stack.sh#L290-L291

Lucky me, I don’t use quotas 😄

PS: You might also the check the env variable POSTSCREEN_ACTION and set it to ignore.

Edit: I now remove the DNS blacklist via user-patches.sh which is future proof (hopefully):

sed -i '/^smtpd_recipient_restrictions = / s/, reject_rbl_client zen.spamhaus.org//' /etc/postfix/main.cf