Rspamd DBL checks disabled because of the use of an open DNS?

pagaille · January 3, 2026, 8:52am

Hi there, happy new year !

I’d like to bump this up, since I believe that this issue is important. I’m curious to know how many of us face this silent DBL_BLOCKED_OPENRESOLVER issue. The interim solution (querying spamhaus through their DQS service) proposed by @mrmarkuz works but doesn’t survive reboots. It should be implemented in a the UI (for the DQS key). Additionally the legacy RBL (BLOCKLIST_DE for instance) should be disabled.

I’m ready to help of course.

davidep · January 7, 2026, 2:59pm

Hi Matthieu, happy new year!

So far you’re the only one who has reported this issue. As mentioned earlier, at least another Mail installation on Hetzner does not show this behavior, which suggests it may be environment-dependent and not always visible.

That said, I agree the workaround should be persistent. For this reason, we’re including the Spamhaus Rspamd plugin in Mail, allowing manual configuration (DQS) as an alternative to the public DNS-based protocol and ensuring it survives service restarts. Rspamd plugin for Spamhaus DQS · Issue #7801 · NethServer/dev · GitHub

mrmarkuz · March 26, 2026, 2:29pm

Hi Matthieu,

@pagaille would you like to test the Rspamd DQS plugin? It’s templated now and should survive updates.

github.com/NethServer/dev

Rspamd plugin for Spamhaus DQS

opened 02:43PM - 07 Jan 26 UTC

DavidePrincipi

testing

Accessing public Spamhaus DNS Blocklists (DNSBLs) is subject to a **fair-use pol…icy** [^1] and may not work from certain networks (i.e. Hetzner [^2]). Spamhaus’ Data Query Service (DQS) is the alternative protocol, implemented with an Rspamd 3.x plugin [^3], that provides similar functionality with better performance, and requires a registered token. [^1]: https://www.spamhaus.org/organization/dnsblusage/ [^2]: https://www.spamhaus.org/resource-hub/email-security/query-the-legacy-dnsbls-via-hetzner [^3]: https://github.com/spamhaus/rspamd-dqs?tab=readme-ov-file#installation-instructions **Proposed solution** - Integrate Spamhaus DQS plugin for Rspamd, as alternative to DNSBL protocol. - Document how to configure and permanently enable the DQS plugin. - Evaluate future integration in cluster-admin UI. **Alternative solutions** Migrate mail servers to another network provider. **Additional context** If a mail server IP address does not comply with Spamhaus' fair-use policy, the following symbols can be added by Rspamd — https://github.com/rspamd/rspamd/issues/3074: - DBL_BLOCKED_OPENRESOLVER - RBL_SPAMHAUS_BLOCKED_OPENRESOLVER - RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER - DBL_BLOCKED - RBL_SPAMHAUS_BLOCKED - RECEIVED_SPAMHAUS_BLOCKED **See also** - https://community.nethserver.org/t/rspamd-dbl-checks-disabled-because-of-the-use-of-an-open-dns/26723 - Discussion https://mattermost.nethesis.it/nethesis/pl/kbt9im5p4jfo8pi8qf1rxqtcba ---- Thanks to [Matthieu Gaillet](https://community.nethserver.org/u/pagaille)

You can update to testing in Software Center…

or via CLI:

api-cli run update-module --data '{"module_url":"ghcr.io/nethserver/mail:1.7.9-dev.1","instances":["mail1"]}'

Thanks in advance!

pagaille · March 27, 2026, 7:56am

Great !!

Looks like it is working perfectly with the contents test, all three mails were flagged as spam.

It should be the default configuration IMHO since Spamhaus will probably generalise this behaviour in the future. With an automatic fallback to the current config if no DQS key is configured.