
#1 2025-07-28 17:46:49

Androphin
Member
Registered: 2020-01-22
Posts: 6

Mail: 521 5.7.1 Service unavailable; client xyz blocked using

Hi,

For nearly 3 years my mail server has run mostly without problems, thanks to people like you from Arch Linux and Postfix.
For about a week, someone using the mail service from Freenet hasn't been able to send me any email and I'm not sure why.
A photo of the problem:
YVYk1DT.png
What appears in the log:

Jul 22 18:09:18 mail.mydomain.com postfix/postscreen[177876]: CONNECT from [198.55.98.3]:54547 to [my-mailserver-ip]:25
Jul 22 18:09:18 mail.mydomain.com postfix/postscreen[177876]: PREGREET 11 after 0.01 from [198.55.98.3]:54547: EHLO User\r\n
Jul 22 18:09:18 mail.mydomain.com postfix/postscreen[177876]: DISCONNECT [198.55.98.3]:54547
Jul 22 18:09:18 mail.mydomain.com postfix/dnsblog[177877]: addr 198.55.98.3 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 22 18:09:36 mail.mydomain.com postfix/postscreen[177876]: CONNECT from [2001:748:400:3301::3]:39573 to [my-mailserver-ipv6]:25
Jul 22 18:09:42 mail.mydomain.com postfix/postscreen[177876]: PASS NEW [2001:748:400:3301::3]:39573
Jul 22 18:09:47 mail.mydomain.com postfix/smtpd[177882]: warning: hostname mout.freenet.de does not resolve to address 2001:748:400:3301::3: No such file or directory
Jul 22 18:09:47 mail.mydomain.com postfix/smtpd[177882]: connect from unknown[2001:748:400:3301::3]
Jul 22 18:09:47 mail.mydomain.com postfix/smtpd[177882]: 69C3D1AE0111: client=unknown[2001:748:400:3301::3]
Jul 22 18:09:47 mail.mydomain.com postfix/cleanup[177889]: 69C3D1AE0111: message-id=<123456-e2a8-434d-a544-5e1a67568580@freenet.de>
Jul 22 18:09:48 mail.mydomain.com postfix/qmgr[1719]: 69C3D1AE0111: from=<prvs=029854db79=the.sender@freenet.de>, size=1304891, nrcpt=1 (queue active)
Jul 22 18:09:48 mail.mydomain.com postfix/smtpd[177882]: disconnect from unknown[2001:748:400:3301::3] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=2 quit=1 commands=8
Jul 22 18:09:48 mail.mydomain.com postfix/lmtp[177891]: 69C3D1AE0111: to=<me@mydomain.com>, relay=mail.mydomain.com[private/dovecot-lmtp], delay=0.87, delays=0.83/0.01/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 <me@mydomain.com> eee9Dcy3f2jktgIAGnnK+w Saved)
Jul 22 18:09:48 mail.mydomain.com postfix/qmgr[1719]: 69C3D1AE0111: removed
Jul 22 18:11:42 mail.mydomain.com postfix/postscreen[177915]: CONNECT from [2001:748:400:3301::4]:40083 to [my-mailserver-ipv6]:25
Jul 22 18:11:42 mail.mydomain.com postfix/dnsblog[177916]: addr 2001:748:400:3301::4 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 22 18:11:48 mail.mydomain.com postfix/postscreen[177915]: DNSBL rank 2 for [2001:748:400:3301::4]:40083
Jul 22 18:11:48 mail.mydomain.com postfix/postscreen[177915]: DISCONNECT [2001:748:400:3301::4]:40083
Jul 22 18:11:48 mail.mydomain.com postfix/postscreen[177915]: CONNECT from [194.97.212.12]:56193 to [my-mailserver-ip]:25
Jul 22 18:11:54 mail.mydomain.com postfix/postscreen[177915]: PASS NEW [194.97.212.12]:56193
Jul 22 18:11:54 mail.mydomain.com postfix/smtpd[177919]: connect from mout.freenet.de[194.97.212.12]
Jul 22 18:11:55 mail.mydomain.com postfix/smtpd[177919]: 16CF21AE0111: client=mout.freenet.de[194.97.212.12]
Jul 22 18:11:55 mail.mydomain.com postfix/cleanup[177927]: 16CF21AE0111: message-id=<123456-91b1-4cb4-8497-0f6816c0412f@freenet.de>
Jul 22 18:11:55 mail.mydomain.com postfix/qmgr[1719]: 16CF21AE0111: from=<prvs=029854db79=the.sender@freenet.de>, size=713375, nrcpt=1 (queue active)
Jul 22 18:11:55 mail.mydomain.com postfix/smtpd[177919]: disconnect from mout.freenet.de[194.97.212.12] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=2 quit=1 commands=8
Jul 22 18:11:55 mail.mydomain.com postfix/lmtp[177929]: 16CF21AE0111: to=<me@mydomain.com>, relay=mail.mydomain.com[private/dovecot-lmtp], delay=0.81, delays=0.78/0.01/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 <me@mydomain.com> eeYENEu4f2gKtwIAGnnK+w Saved)
Jul 22 18:11:55 mail.mydomain.com postfix/qmgr[1719]: 16CF21AE0111: removed
...
Jul 23 19:13:56 mail.mydomain.com postfix/postscreen[198187]: CONNECT from [2001:748:400:3301::4]:43955 to [my-mailserver-ipv6]:25
Jul 23 19:13:56 mail.mydomain.com postfix/dnsblog[198188]: addr 2001:748:400:3301::4 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 23 19:14:02 mail.mydomain.com postfix/postscreen[198187]: DNSBL rank 2 for [2001:748:400:3301::4]:43955
Jul 23 19:14:02 mail.mydomain.com postfix/postscreen[198187]: DISCONNECT [2001:748:400:3301::4]:43955
Jul 23 19:14:02 mail.mydomain.com postfix/postscreen[198187]: CONNECT from [194.97.212.12]:47087 to [my-mailserver-ip]:25
Jul 23 19:14:08 mail.mydomain.com postfix/postscreen[198187]: PASS OLD [194.97.212.12]:47087
Jul 23 19:14:08 mail.mydomain.com postfix/smtpd[198193]: connect from mout.freenet.de[194.97.212.12]
Jul 23 19:14:09 mail.mydomain.com postfix/smtpd[198193]: 1E4A81AE011A: client=mout.freenet.de[194.97.212.12]
Jul 23 19:14:09 mail.mydomain.com postfix/cleanup[198200]: 1E4A81AE011A: message-id=<abcdef-c950-4978-8ca5-a14bf9875778@freenet.de>
Jul 23 19:14:10 mail.mydomain.com postfix/qmgr[1719]: 1E4A81AE011A: from=<prvs=123456a1e4=the.sender@freenet.de>, size=1300955, nrcpt=1 (queue active)
Jul 23 19:14:10 mail.mydomain.com postfix/smtpd[198193]: disconnect from mout.freenet.de[194.97.212.12] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=2 quit=1 commands=8
Jul 23 19:14:10 mail.mydomain.com postfix/lmtp[198202]: 1E4A81AE011A: to=<me@mydomain.com>, relay=mail.mydomain.com[private/dovecot-lmtp], delay=1, delays=1/0.01/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 <me@mydomain.com> LacyB2IYgWg7BgMAGnnK+w Saved)
Jul 23 19:14:10 mail.mydomain.com postfix/qmgr[1719]: 1E4A81AE011A: removed

I checked the IPs at https://check.spamhaus.org/results/?query=194.97.212.12 and none is blocked or restricted in any way.
I also searched the web for solutions, but only found topics where the IP is blacklisted.
Some other dude had issues with Freenet too, but a long time ago.

Any idea how to solve this?

Thanks in advance.


#2 2025-07-28 19:57:33

cryptearth
Member
Registered: 2024-02-03
Posts: 1,730

Re: Mail: 521 5.7.1 Service unavailable; client xyz blocked using

Androphin wrote:

Any idea how to solve this?

well - that issue is up to the freenet admins as they somehow landed on the spamhaus dns blacklist - all your server does is check and reject based on the flag
YOU can only disable the DNSBL to just receive any mail - or at least lessen your policy from REJECT to FLAG - this way the mail is still accepted but flagged as potential spam
please advise the ones who want to send you mails to forward that error reply to the freenet postmaster
it's possible this will end up in a chicken-egg loop because the freenet postmaster likely will redirect its customer to contact you because they likely try to frame you and that you have setup your mail server wrong and they just don't want to bother with issues of some random self hosted mail server - but the log is clear: it's their server flagged on the spamhaus list - and it's their job to contact spamhaus about this to get their servers off that list
you could also try to contact freenet from your side - but it's very likely you will just get a reply like "uh uh - isn't us - check your server" - because they're likely just that stubborn and refuse to accept it's their fault (btw: when you contact freenet you (or the sender) have to provide the full clear log with all info visible so they actually have a chance to identify the mail)

btw btw: THIS is not how to take a screenshot - but ok - I learned to deal with people stuck in the early 2000s taking a literal camera and taking a picture of their screen instead of just taking a proper screenshot - or in this case: just paste text AS TEXT
btw btw btw: if you want to cover data for privacy - do it correctly: the client's ipv6 is still leaked - although this still just resolves to some dynamic assignment and only DTAG can actually resolve this to an actual customer ... but anyway, just wanted to note it


#3 2025-07-28 23:34:27

mpan
Member
Registered: 2012-08-01
Posts: 1,509

Re: Mail: 521 5.7.1 Service unavailable; client xyz blocked using

Androphin: I assume the entire log included is relevant. Including the first entry. I noticed it, as 198.55.98.0/24 is constantly running auth attempts against my server and spams logs with nonsense.⁽¹⁾ This isn’t an attempt from freenet.de.

194.97.212.12 and 2001:748:400:3301::3 belong to freenet.de, but they’re not blocked. Messages 69C3D1AE0111 and 16CF21AE0111 were received by Postfix.

The only freenet.de address Postfix rejected is 2001:748:400:3301::4. Which indeed belongs to them. But the response (127.255.255.254) doesn’t indicate freenet.de is on the blocklist. It means Spamhaus blocks YOU.

What can you do? More or less the same as any other victim of blocklists.

If you’re using a 3rd party DNS server, not doing so or subscribing to Spamhaus Data Query Service may help.

NOTE: I didn’t see the picture, so the reply is written without the knowledge of what is there.


Cryptearth: why did you assume it’s Freenet’s fault, that they’re on Spamhaus’ list? At least the tone of your reply suggests that’s the case.
____
⁽¹⁾ It doesn’t even have rDNS set, and doesn’t care about `503 5.5.1` despite waiting for it and then doing a clean QUIT shutdown. Just to retry again a moment later.

Last edited by mpan (2025-07-28 23:43:35)


Paperclips in avatars?
NIST on password policies (PDF) — see §3.1.1.2
Sometimes I seem a bit harsh — don’t get offended too easily!


#4 2025-07-29 04:43:56

cryptearth
Member
Registered: 2024-02-03
Posts: 1,730

Re: Mail: 521 5.7.1 Service unavailable; client xyz blocked using

the "screen shot" shows the error reply
the shown ip is the sending freenet server that generated a hit at spamhaus
same as most dnsbl checkers I don't care about the reason spamhaus replied back - the sending server caused it so it's the sender's fault
a properly configured service shouldn't cause any flags at all - so any flag is suspicious
aside from that - from time to time even the big ones like google, apple, microsoft and others find some of their servers on those lists because some hacker was able to trigger a small bomb of 100k spam mails - but these are often to specific servers and just temporary for the time of the attack and a few minutes afterwards to clear the flag again
OP's post on the other hand hints towards this being a permanent error instead of some 5 minute temp false positive - and as by the error reply it's the sender causing it it's its postmaster's job to deal with it

btw: any service that just plain redirects these errors to the sender does something bad - the proper way to deal with transmit error replies is to set them to postmaster and then send a message from postmaster to the sender like "hey, your mail xyz from yesterday didn't make it"
a regular user should not have to deal with postmaster stuff - that's what postmasters are for


#5 2025-07-29 07:26:32

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 69,166

Re: Mail: 521 5.7.1 Service unavailable; client xyz blocked using

I checked the IPs at https://check.spamhaus.org/results/?query=194.97.212.12 and none is blocked or any kind of restricted.

Is the situation persisting then?

@cryptearth

I don't care about the reason spamhaus replied back - the sending server caused it so it's the senders fault

philosophical question: If I punch you in the face - is it your fault that you're bleeding :P

I was btw. gonna complain about the photo, but it occurred to me that it's probably all the OP got from the individual failing to send a mail and that might be YOUR MOTHER ;)

In a related story, someone - not geriatric - once approached me because he had gotten a mail from someone claiming to have hacked him and filmed him "under the shower" :P
I told him that's just scam and he can just delete that, but he was worried and insisted that I take a look.
:rolleyes: "fine"

So I get a 50 MB mail with lots of attachments and was like "OMG this might be legit - I don't want to open something I cannot possibly unsee ever!", but took a deep breath, opened the mail… no body?
So I looked at the attachments - some dozen pictures.
After being done hyperventilating and squinting at the screen out of the corner of an eye, I opened the first image…


THAT IDIOT HAD SENT ME UNCOMPRESSED SCREENSHOTS OF THE MAIL TEXT!!!!!
I would have been angry if I wasn't so happy that - of course - it was scam :lol:


#6 2025-07-29 14:47:41

cryptearth
Member
Registered: 2024-02-03
Posts: 1,730

Re: Mail: 521 5.7.1 Service unavailable; client xyz blocked using

as I've since looked up the actual meaning of the spamhaus reply to stay in line with my "a proper setup should not cause it": yes, if my face is so wimpy to start bleeding of course it's my face's fault - I have time to bleed when I'm dead - or your punch knocks me out anyway

nvm - as for what .254 from spamhaus means raises even more questions:

127.255.255.254 = You are using a public DNS resolver of your ISP for the query. (These are of course blocked because of the flood of queries.)

(you use your ISPs dns server)
uhm - what? how would my mail server use my ISP's dns for a request to spamhaus?
I don't even get what this means and raises questions about OP's setup - which hints it's hosted at a customer's connection?


#7 2025-07-29 15:39:00

mpan
Member
Registered: 2012-08-01
Posts: 1,509

Re: Mail: 521 5.7.1 Service unavailable; client xyz blocked using

Cryptearth, this reply — let’s call it “-2 reply” for simplicity⁽¹⁾ — may be caused by using 3rd party DNS resolvers. If this is the cause, one of the options is running your own local resolver. If that doesn’t help, another option is the subscription plan I linked.

The reason I asked, why you think it’s Freenet’s fault, can be seen in your reply. The interpretation, where blocklists are a superior solution catching “the bad guys” and everything working flawlessly. Unfortunately this is not the case. Completely innocent people are notoriously blocked, not rarely for some single unidentified “incident” that happened years(!) ago. They’re left helpless, trapped in responsibility ping-pong or required to accept treatment not everybody is willing to undergo.

OP appears to be honestly trying to help the victim, for which I applaud them. But this is a rare choice. Usually the entity relying on a blocklist is somehow assuming that it’s somebody else’s responsibility to deal with the people they hired. Often they don’t even know, what the list contains and don’t care about verifying anything.

So, I implore you, don’t thrust the problem onto victims.
____
⁽¹⁾ After 2’s complement.



#8 2025-07-29 17:06:19

cryptearth
Member
Registered: 2024-02-03
Posts: 1,730

Re: Mail: 521 5.7.1 Service unavailable; client xyz blocked using

@mpan
my point is this: I do host my own domain and mail server for about a decade now - and yes, I did have to learn a lot to get to where I am today
but given my knowledge I have to repeat: "a proper setup should not cause this issue"
of course I expected OP's setup to be properly set up as in
- runs on a proper server in a known datacenter
- the domain is configured properly
- the mta is configured properly
- (all that other stuff one has to get right to host your own mail server)
and hence just not bothered to look up the actual reason, because:
- it should not happen
- even the big ones are victims of false positives from time to time
when using dnsrbl it also depends on how you use it: a good tool I also recommend is mxtoolbox.com - they offer quite a list of dnsrbl and give you a weighted result
so when using dnsrbl one should:
- use multiple services and check against all - if a flag comes up on only one service but comes back clean on all other it's likely a fluke - but if all return a flag it's likely bad stuff
- train your checker on the various reply codes - the spamhaus help page even explains this about their codes and how one should configure its checker depending on what to filter on
also dnsrbl should not be used on its own but in combination with spf, dkim, dmarc and all the other fancy stuff
also also simply rejecting (or even worse: silently dropping) incoming mails should be done carefully and only on stuff you can automatically check to be 99% likely spam - unless you can clearly state it's fake (spf already sorts out most stuff) you should accept mails anyway but flag them or redirect into a filter or to postmaster for manual checking and resolving

I run Apache James as my mail server for a couple years now and although it comes with spf and dnsrbl I don't use it - because:
- I use my domain only for myself - so I control all mailboxes anyway
- I spent at least an hour daily checking logs and blocking senders
- I have wide ranges of blocks in place like all of Asia and Africa and South America - I don't have any legit reason to communicate with these areas anyway so they fail on my firewall just get dropped right away - and if for some reason you really think you need to contact me my gmail is given as hostmaster for my domain

I don't have much spam inbound anyway - but due to some non disclosed issues I found myself on those lists a few times - and I think I'm still on Microsoft's list for hotmail/outlook - have to check that with some hotmail account - but even if so: I don't care as I don't have regular contact with anyone using this service anyway

tldr: am I able to properly help op? maybe - but currently there are a few big question marks OP first has to reply to - like a few more details about their actual setup - until then this topic already drifted quite far off-topic and may deserve a split-off anyway on mods discretion

#9 2025-07-29 18:38:55

Androphin
Member
Registered: 2020-01-22
Posts: 6

Re: Mail: 521 5.7.1 Service unavailable; client xyz blocked using

First: thank you all for your feedback and nice replies.

@mpan: I'm running my own DNS resolver (unbound) and if I dig certain addresses, they are resolved over it.
At first I had another suspicion that received block lists from spamhaus are somewhat cached and purged after a certain time, and therefore postfix might reject the IP, while it is already unblocked by spamhaus. Not sure though if this is how it works. As I understood, IPs are directly checked against spamhaus, but I could be wrong.
In the end I see it like you. This one rare case does not justify the amount of modification to the overall mailing system.
It's just I'm going into a mode where I suspect something is broken and then investigate if there is more to this.

@seth: You got it. The picture is from the sender. Thanks for the funny story.

FYI, just some configs:
/etc/hosts

127.0.0.1 localhost
127.0.1.1 mail.mydomain.com    mail

::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
external-ipv6 mycube

/etc/resolv.conf

### Hetzner Online GmbH installimage
# commented out are nameserver entry defaults from hetzner, before running my own
#nameserver 185.12.64.1
#nameserver 2a01:4ff:ff00::add:2
#nameserver 185.12.64.2
#nameserver 2a01:4ff:ff00::add:1
nameserver 127.0.0.1
nameserver ::1
options trust-ad

some postfix conf

inet_interfaces = 127.0.0.1, ::1, my-mailserver-ip, my-mailserver-ipv6
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = mydomain.com
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks
smtp_host_lookup = dns
smtp_dns_reply_filter =
smtp_dns_resolver_options =
smtp_dns_support_level = dnssec
# running RSPAMD on this port
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
postscreen_dnsbl_action = drop
postscreen_dnsbl_allowlist_threshold = ${postscreen_dnsbl_whitelist_threshold?{$postscreen_dnsbl_whitelist_threshold}:{0}}
postscreen_dnsbl_max_ttl = ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h
postscreen_dnsbl_min_ttl = 60s
postscreen_dnsbl_reply_map =
postscreen_dnsbl_sites = zen.spamhaus.org*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_timeout = 10s
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = lmdb:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d


#10 2025-07-30 18:11:40

Androphin
Member
Registered: 2020-01-22
Posts: 6

Re: Mail: 521 5.7.1 Service unavailable; client xyz blocked using

Additionally, in the same timeframe as the previously mentioned case with the freenet IP, other cases happen too, discovered by a new case with IP 195.227.214.230. Same blocking behavior. Something seems wrong.

It seems like every connect is blocked:

Jul 24 11:16:55 mail.mydomain.com postfix/postscreen[212703]: CONNECT from [95.215.0.144]:60022 to [my-mailserver-ipv4]:25
Jul 24 11:16:55 mail.mydomain.com postfix/dnsblog[212704]: addr 95.215.0.144 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 24 11:17:01 mail.mydomain.com postfix/postscreen[212703]: DNSBL rank 2 for [95.215.0.144]:60022
Jul 24 11:17:01 mail.mydomain.com postfix/postscreen[212703]: DISCONNECT [95.215.0.144]:60022
Jul 24 11:26:26 mail.mydomain.com postfix/postscreen[212844]: CONNECT from [195.227.214.230]:40321 to [my-mailserver-ipv4]:25
Jul 24 11:26:26 mail.mydomain.com postfix/dnsblog[212845]: addr 195.227.214.230 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 24 11:26:32 mail.mydomain.com postfix/postscreen[212844]: DNSBL rank 2 for [195.227.214.230]:40321
Jul 24 11:26:32 mail.mydomain.com postfix/postscreen[212844]: DISCONNECT [195.227.214.230]:40321
Jul 24 11:34:00 mail.mydomain.com postfix/postscreen[213051]: CONNECT from [109.224.244.31]:34537 to [my-mailserver-ipv4]:25
Jul 24 11:34:00 mail.mydomain.com postfix/dnsblog[213052]: addr 109.224.244.31 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 24 11:34:06 mail.mydomain.com postfix/postscreen[213051]: DNSBL rank 2 for [109.224.244.31]:34537
Jul 24 11:34:06 mail.mydomain.com postfix/postscreen[213051]: DISCONNECT [109.224.244.31]:34537
Jul 24 11:34:07 mail.mydomain.com postfix/postscreen[213051]: CONNECT from [51.77.79.158]:42848 to [my-mailserver-ipv4]:25
Jul 24 11:34:07 mail.mydomain.com postfix/dnsblog[213052]: addr 51.77.79.158 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 24 11:34:13 mail.mydomain.com postfix/postscreen[213051]: DNSBL rank 2 for [51.77.79.158]:42848
Jul 24 11:34:13 mail.mydomain.com postfix/postscreen[213051]: DISCONNECT [51.77.79.158]:42848
Jul 24 11:34:13 mail.mydomain.com postfix/postscreen[213051]: CONNECT from [109.224.244.102]:18683 to [my-mailserver-ipv4]:25
Jul 24 11:34:13 mail.mydomain.com postfix/dnsblog[213052]: addr 109.224.244.102 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 24 11:34:19 mail.mydomain.com postfix/postscreen[213051]: DNSBL rank 2 for [109.224.244.102]:18683
Jul 24 11:34:19 mail.mydomain.com postfix/postscreen[213051]: DISCONNECT [109.224.244.102]:18683
Jul 24 11:34:34 mail.mydomain.com postfix/anvil[212967]: statistics: max connection rate 1/60s for (smtpd:77.238.178.200) at Jul 24 09:31:12
Jul 24 11:34:34 mail.mydomain.com postfix/anvil[212967]: statistics: max connection count 1 for (smtpd:77.238.178.200) at Jul 24 09:31:12
Jul 24 11:34:34 mail.mydomain.com postfix/anvil[212967]: statistics: max cache size 1 at Jul 24 09:31:12
Jul 24 11:40:35 mail.mydomain.com postfix/postscreen[213169]: CONNECT from [195.227.214.230]:56875 to [my-mailserver-ipv4]:25
Jul 24 11:40:35 mail.mydomain.com postfix/dnsblog[213170]: addr 195.227.214.230 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 24 11:40:41 mail.mydomain.com postfix/postscreen[213169]: DNSBL rank 2 for [195.227.214.230]:56875
Jul 24 11:40:41 mail.mydomain.com postfix/postscreen[213169]: DISCONNECT [195.227.214.230]:56875
Jul 24 11:40:59 mail.mydomain.com postfix/postscreen[213169]: CONNECT from [109.224.244.102]:38363 to [my-mailserver-ipv4]:25
Jul 24 11:40:59 mail.mydomain.com postfix/dnsblog[213170]: addr 109.224.244.102 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 24 11:41:05 mail.mydomain.com postfix/postscreen[213169]: DNSBL rank 2 for [109.224.244.102]:38363
Jul 24 11:41:05 mail.mydomain.com postfix/postscreen[213169]: DISCONNECT [109.224.244.102]:38363
Jul 24 11:45:58 mail.mydomain.com postfix/postscreen[213269]: CONNECT from [167.160.161.19]:63729 to [my-mailserver-ipv4]:25
Jul 24 11:45:59 mail.mydomain.com postfix/dnsblog[213270]: addr 167.160.161.19 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 24 11:45:59 mail.mydomain.com postfix/postscreen[213269]: PREGREET 11 after 0.05 from [167.160.161.19]:63729: EHLO User\r\n
Jul 24 11:45:59 mail.mydomain.com postfix/postscreen[213269]: DISCONNECT [167.160.161.19]:63729
Jul 24 11:51:04 mail.mydomain.com postfix/postscreen[213359]: CONNECT from [109.224.244.102]:53737 to [my-mailserver-ipv4]:25
Jul 24 11:51:04 mail.mydomain.com postfix/dnsblog[213360]: addr 109.224.244.102 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 24 11:51:10 mail.mydomain.com postfix/postscreen[213359]: DNSBL rank 2 for [109.224.244.102]:53737
Jul 24 11:51:10 mail.mydomain.com postfix/postscreen[213359]: DISCONNECT [109.224.244.102]:53737

Ongoing

Jul 28 08:04:18 mail.mydomain.com postfix/postscreen[87664]: CONNECT from [195.227.214.230]:27237 to [my-mailserver-ipv4]:25
Jul 28 08:04:19 mail.mydomain.com postfix/dnsblog[87665]: addr 195.227.214.230 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 28 08:04:24 mail.mydomain.com postfix/postscreen[87664]: DNSBL rank 2 for [195.227.214.230]:27237
Jul 28 08:04:24 mail.mydomain.com postfix/postscreen[87664]: DISCONNECT [195.227.214.230]:27237
Jul 28 08:04:44 mail.mydomain.com postfix/postscreen[87664]: CONNECT from [3.143.33.63]:51456 to [my-mailserver-ipv4]:25
Jul 28 08:04:44 mail.mydomain.com postfix/postscreen[87664]: PREGREET 169 after 0 from [3.143.33.63]:51456: GET / HTTP/1.1\r\nHost: my-mailserver-ipv4:25\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_
Jul 28 08:04:44 mail.mydomain.com postfix/postscreen[87664]: DISCONNECT [3.143.33.63]:51456
Jul 28 08:04:44 mail.mydomain.com postfix/postscreen[87664]: CONNECT from [3.143.33.63]:51464 to [my-mailserver-ipv4]:25
Jul 28 08:04:44 mail.mydomain.com postfix/postscreen[87664]: PREGREET 169 after 0 from [3.143.33.63]:51464: GET / HTTP/1.1\r\nHost: my-mailserver-ipv4:25\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_
Jul 28 08:04:44 mail.mydomain.com postfix/postscreen[87664]: DISCONNECT [3.143.33.63]:51464
Jul 28 08:04:44 mail.mydomain.com postfix/dnsblog[87665]: addr 3.143.33.63 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 28 08:04:44 mail.mydomain.com postfix/dnsblog[87676]: addr 3.143.33.63 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 28 08:04:44 mail.mydomain.com postfix/postscreen[87664]: CONNECT from [3.143.33.63]:51474 to [my-mailserver-ipv4]:25
Jul 28 08:04:44 mail.mydomain.com postfix/postscreen[87664]: PREGREET 1 after 0 from [3.143.33.63]:51474: \n
Jul 28 08:04:44 mail.mydomain.com postfix/postscreen[87664]: DISCONNECT [3.143.33.63]:51474
Jul 28 08:04:44 mail.mydomain.com postfix/dnsblog[87665]: addr 3.143.33.63 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 28 08:07:18 mail.mydomain.com postfix/postscreen[87724]: CONNECT from [198.55.98.10]:53924 to [my-mailserver-ipv4]:25
Jul 28 08:07:18 mail.mydomain.com postfix/dnsblog[87725]: addr 198.55.98.10 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 28 08:07:18 mail.mydomain.com postfix/postscreen[87724]: PREGREET 11 after 0.02 from [198.55.98.10]:53924: EHLO User\r\n
Jul 28 08:07:18 mail.mydomain.com postfix/postscreen[87724]: DISCONNECT [198.55.98.10]:53924
Jul 28 08:09:04 mail.mydomain.com postfix/postscreen[87754]: CONNECT from [3.143.33.63]:47936 to [my-mailserver-ipv4]:25
Jul 28 08:09:04 mail.mydomain.com postfix/postscreen[87754]: PREGREET 128 after 0 from [3.143.33.63]:47936: \026\003\001\000{\001\000\000w\003\003\255\206\020mp\353Tc\341\245u\275\2752D\327%i7\337A\264\003\27
Jul 28 08:09:04 mail.mydomain.com postfix/postscreen[87754]: DISCONNECT [3.143.33.63]:47936
Jul 28 08:09:04 mail.mydomain.com postfix/dnsblog[87755]: addr 3.143.33.63 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 28 08:09:39 mail.mydomain.com postfix/postscreen[87754]: CONNECT from [3.143.33.63]:42932 to [my-mailserver-ipv4]:25
Jul 28 08:09:39 mail.mydomain.com postfix/dnsblog[87755]: addr 3.143.33.63 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 28 08:09:45 mail.mydomain.com postfix/postscreen[87754]: DNSBL rank 2 for [3.143.33.63]:42932
Jul 28 08:09:45 mail.mydomain.com postfix/postscreen[87754]: DISCONNECT [3.143.33.63]:42932

Offline
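
An added example, not part of any post in this thread: the logs above show every zen.spamhaus.org reply as 127.255.255.254, which mpan's posts describe as Spamhaus refusing the querying side rather than listing the client. The Python script below separates such error replies from listings in Postfix dnsblog lines and names the clients that received a DNSBL rank from error replies alone. The sample log is constructed with documentation addresses, `bl.example.org` is a hypothetical second DNSBL, and the meanings given for the `.252` and `.255` codes are taken from Spamhaus's published return codes, not from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Spamhaus answers from 127.255.255.0/24 when it refuses a query.
# Such a reply says nothing about the client address that was looked up.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query arrived via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

DNSBLOG_RE = re.compile(
    r"postfix/dnsblog\[\d+\]: addr (?P<client>\S+) "
    r"listed by domain (?P<zone>\S+) as (?P<reply>\d+(?:\.\d+){3})"
)
RANK_RE = re.compile(
    r"postfix/postscreen\[\d+\]: DNSBL rank (?P<rank>\d+) "
    r"for \[(?P<client>[^\]]+)\]:\d+"
)

# Constructed sample in the format of the thread's logs (not real traffic).
SAMPLE_LOG = """\
Jul 24 11:16:55 mail.example.com postfix/dnsblog[1002]: addr 192.0.2.10 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 24 11:17:01 mail.example.com postfix/postscreen[1001]: DNSBL rank 2 for [192.0.2.10]:60022
Jul 24 11:17:01 mail.example.com postfix/postscreen[1001]: DISCONNECT [192.0.2.10]:60022
Jul 24 11:26:26 mail.example.com postfix/dnsblog[1002]: addr 2001:db8::4 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 24 11:26:32 mail.example.com postfix/postscreen[1001]: DNSBL rank 2 for [2001:db8::4]:40321
Jul 24 11:34:00 mail.example.com postfix/dnsblog[1002]: addr 198.51.100.7 listed by domain zen.spamhaus.org as 127.255.255.254
Jul 24 11:34:00 mail.example.com postfix/dnsblog[1003]: addr 198.51.100.7 listed by domain bl.example.org as 127.0.0.2
Jul 24 11:34:06 mail.example.com postfix/postscreen[1001]: DNSBL rank 3 for [198.51.100.7]:34537
"""


def classify(reply):
    """Return 'error' for a refusal code, 'listing' for any other reply."""
    return "error" if ipaddress.ip_address(reply) in ERROR_NET else "listing"


def parse_dnsblog(lines):
    """Yield (client, zone, reply) for every postfix/dnsblog line."""
    for line in lines:
        m = DNSBLOG_RE.search(line)
        if m:
            yield m["client"], m["zone"], m["reply"]


def summarize(lines):
    """Per DNSBL zone: count listing and error replies, flag error-only zones."""
    counts = defaultdict(lambda: {"listing": 0, "error": 0, "codes": set()})
    for _client, zone, reply in parse_dnsblog(lines):
        kind = classify(reply)
        counts[zone][kind] += 1
        if kind == "error":
            counts[zone]["codes"].add(reply)
    report = {}
    for zone, c in counts.items():
        report[zone] = {
            "listing_replies": c["listing"],
            "error_replies": c["error"],
            "error_meaning": {
                code: ERROR_CODES.get(code, "unassigned error code")
                for code in sorted(c["codes"])
            },
            # Only refusals and no listing at all: the fault is on the
            # querying side (resolver path), not with the senders.
            "resolver_problem": c["error"] > 0 and c["listing"] == 0,
        }
    return report


def clients_ranked_on_errors_only(lines):
    """Clients that got a 'DNSBL rank' although every reply was a refusal."""
    lines = list(lines)
    kinds = defaultdict(set)
    for client, _zone, reply in parse_dnsblog(lines):
        kinds[client].add(classify(reply))
    ranked = {m["client"] for m in map(RANK_RE.search, lines) if m}
    return sorted(c for c in ranked if kinds.get(c) == {"error"})


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    for zone, info in summarize(log).items():
        print(zone, info)
    print("ranked on error replies only:", clients_ranked_on_errors_only(log))
```

In Postfix itself, a reply filter such as `postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*2` keeps replies outside the listing range from adding to the DNSBL score.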

#11 2025-07-30 18:40:28

Whoracle
Member
Registered: 2010-11-02
Posts: 172

Re: Mail: 521 5.7.1 Service unavailable; client xyz blocked using

cryptearth wrote:

and think still I'm on microsofts list for hotmail/outlook

NetCup? Been on Hotmail's blacklist for 13+ years now...

Androphin wrote:

Something seems wrong.

Have you tried checking your domain via the aforementioned mxtoolbox.com? Might give you at least a pointer in the right direction.


#12 2025-07-30 19:26:30

cryptearth
Member
Registered: 2024-02-03
Posts: 1,730

Re: Mail: 521 5.7.1 Service unavailable; client xyz blocked using

Whoracle wrote:
cryptearth wrote:

and think still I'm on microsofts list for hotmail/outlook

NetCup? Been on Hotmail's blacklist for 13+ years now...

Nah, I've written a small tool to query for existing user accounts at target mail servers - basically a
EHLO
MAIL TO
RSET
to check if a given target mail-address exists or if I get an error like "no such user"
microsoft doesn't seem to be all that happy with that and keeps re-adding my servers onto their blacklists for office/outlook/hotmail because of that
background: as a customer service agent I have to deal with bounce mails every day because people are just too dumb to correctly write their own e-mail-address or some random scout just makes up some non-existent one just to have an e-mail-address in the form for the sake of having one at all
sometimes you can guess potential errors from the customers data like misspelled names or dates of birth (actually crazy how many people still use part of or the entire DOB as part of their mail addresses) or mistyped domain names - and as we often also don't have correct phone numbers for me it's just easier to use my tool to guess a few possible corrections instead of having to write a letter (which takes quite some time, tho)
so, it's not like I abuse this tool for phishing - I do have a legit interest to recover the correct e-mail when some customer just mistyped - and this is even covered by law (we had our company lawyer check on this) - but the way HOW my tool works does look like a spearphishing attack - and for this I get listed correctly
in fact - as I don't deal with users from outlook/hotmail on a regular basis I'm actually fine with if M$ keeps re-adding me - dealing with it isn't that hard - but unless I have someone I have to contact this way it's not worth the required effort

I also get flagged by swiss UCEPROTECT because some of my OVH neighbours are up to no good - but I'm not willing to pay ONE service some premium if 139 others return green light for my servers and domain

@OP
as I dug further I recommend you may contact spamhaus support - as I don't get the actual reason for this .254 response code - and their documentation on it does differ with language
while the german one talks about ISP (which doesn't make sense at all in any way) the english version goes more towards public/open dns servers like google - and also at the very end hints towards some dns misconfiguration
so - please check that your server has proper DNS records - you want to have matching A/AAAA and PTR records
example for my server:

cryptearth.de MX
lim.cryptearth.de

lim.cryptearth.de A
51.89.6.119
lim.cryptearth.de AAAA
2001:41d0:700:2b77::137

119.6.89.51.in-addr.arpa PTR
lim.cryptearth.de
7.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.7.7.b.2.0.0.7.0.0.d.1.4.1.0.0.2.ip6.arpa PTR
lim.cryptearth.de

the A / AAAA records are set in your domain control panel at your registrar - that's the site where you ordered your domain
the PTR records should be able to be set in the hetzner server admin panel

be aware: from OVH I know there could be a non-disclosed check involved: you might be able to only set a PTR if a proper A / AAAA is in place first - learned that the hard way as the OVH panel only gives a generic "something went wrong" error message
I recommend running the "Domain Health" check at mxtoolbox for your domain - it'll show you many things that can result in such issues

again - I have to re-repeat myself: you have to have a proper setup in place when hosting your own mail server - I mentioned a few points earlier - a proper dns setup is part of it

also - checking the IPs that bother you - I would block some of them anyway

95.215.0.144 scan.f6 Petersburg Internet Network ltd. (AS34665)
195.227.214.230 secure-mail01-03.de.cancom-mase.com CANCOM Managed Services GmbH (AS8469)
109.224.244.31 mail-24431.protonmail.ch Proton AG (AS62371)
51.77.79.158 mail-0201.mail-europe.com OVH SAS (AS16276)
109.224.244.102 mail-244102.protonmail.ch Proton AG (AS62371)
77.238.178.200 sonic303-19.consmr.mail.ir2.yahoo.com Yahoo-UK Limited (AS34010)
167.160.161.19 NO PTR 167.160.161.0/24 Railnet LLC (AS214943) - according to other IPs and domains in this range some hoster with a lot of spam
3.143.33.63 scan.cypex.ai Amazon.com, Inc. (AS16509)
198.55.98.10 198.55.98.10.static.quadranet.com KPROHOST LLC (AS214940) - same as Railnet LLC

the protonmail and yahoo may look legit - but could also be hacked accounts abused for spam - especially the yahoo one
the others hosted at legit hosters are either spam servers outright or hacked zombies with lazy admins - maybe worth contacting the hostmaster abuse

Last edited by cryptearth (2025-07-30 19:29:00)


#13 2025-08-03 18:30:19

Androphin
Member
Registered: 2020-01-22
Posts: 6

Re: Mail: 521 5.7.1 Service unavailable; client xyz blocked using

Well thank you.

I'm currently going over everything. Postfix, Dovecot, Rspamd, Fail2ban. I shut down postscreen for now and therefore don't use spamhaus anymore.
The IPv6 had indeed no PTR.

@cryptearth: Do you block IPs by ASN?


#14 2025-08-03 19:00:05

cryptearth
Member
Registered: 2024-02-03
Posts: 1,730

Re: Mail: 521 5.7.1 Service unavailable; client xyz blocked using

no because ASNs can have ip blocks in multiple countries so I rather look up blocks by assigned country
example: my hoster OVH has blocks all over the world all assigned to the same ASN - so have others like Hetzner
on the other hand there're about 100s of small local ISPs all over countries and continents I don't have and don't want to have any connections with

sure this isn't foolproof as I rely on registries publishing correct data and those responsible to actually assign and use their IPs the way it's published - and this information can be outdated or wrong - but the ratio of spam blocked vs the few false positives is worth it
