Spamhaus is making some changes in their policy enforcement, from their website:

Are you currently using the Spamhaus Project’s DNS Blocklists (DNSBLs)? Do you access them via the Public Mirrors, for example, query “” or “”? Do you use Cloudflare’s DNS? If you’ve answered “yes” to all three of those questions, you need to make some changes to your email infrastructure. These changes are quick and easy to make, but if you fail to make them, you could find that at some point in 2022, all or none of your email is blocked!

So if you use Cloudflare DNS and have configured Zimbra to use the public Spamhaus mirrors, you need to make some changes. Please note that even if you do not use Cloudflare there are other cases where you also cannot use “” or “” anymore.

To find out if you are affected, check for an increase in rejected email: in the log file /var/log/zimbra.log, look for 554 5.7.1 Service unavailable. Example false positive:

Aug 20 15:31:19 mail2 postfix/smtpd[999335]: NOQUEUE: reject: RCPT from[]: 554 5.7.1 Service unavailable; Client host [] blocked using; from=<> to=<info@*********.***> proto=ESMTP helo=
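An added example, not part of the original post: a shell helper that counts these rejects per day and per blocklist, so an increase stands out. The sample log lines are constructed; the blocklist name dnsbl.example, the 192.0.2.x addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example: count Postfix DNSBL rejects per day and per blocklist.

# Constructed sample lines in the /var/log/zimbra.log format shown above.
# dnsbl.example and the 192.0.2.x addresses are placeholders.
sample_log() {
    cat <<'EOF'
Aug 19 09:12:01 mail2 postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dnsbl.example; from=<a@sender.example> to=<info@rcpt.example> proto=ESMTP helo=<mx.sender.example>
Aug 20 15:31:19 mail2 postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using dnsbl.example; from=<b@sender.example> to=<info@rcpt.example> proto=ESMTP helo=<mx.sender.example>
Aug 20 15:31:40 mail2 postfix/smtpd[1002]: connect from unknown[192.0.2.11]
Aug 20 15:33:02 mail2 postfix/smtpd[1003]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 554 5.7.1 Service unavailable; Client host [192.0.2.12] blocked using dnsbl.example; from=<c@sender.example> to=<info@rcpt.example> proto=ESMTP helo=<mx.sender.example>
Aug 20 15:40:10 mail2 postfix/smtpd[1004]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 554 5.7.1 <x@other.example>: Relay access denied; from=<d@sender.example> to=<x@other.example> proto=ESMTP helo=<mx.sender.example>
Aug 20 16:05:55 mail2 postfix/smtpd[1005]: NOQUEUE: reject: RCPT from unknown[192.0.2.14]: 554 5.7.1 Service unavailable; Client host [192.0.2.14] blocked using dnsbl.example; from=<e@sender.example> to=<info@rcpt.example> proto=ESMTP helo=<mx.sender.example>
EOF
}

# count_rbl_rejects FILE -> lines "Mon DD <blocklist> <count>", sorted.
# Only "554 5.7.1 Service unavailable ... blocked using <list>" rejects count;
# other 554 rejects (for example relay denied) are ignored.
count_rbl_rejects() {
    awk '
        /NOQUEUE: reject:/ && /554 5\.7\.1 Service unavailable/ && /blocked using/ {
            list = "unknown"
            for (i = 1; i < NF; i++)
                if ($i == "blocked" && $(i + 1) == "using") {
                    list = $(i + 2)
                    sub(/;$/, "", list)   # strip the trailing ";"
                    break
                }
            count[$1 " " $2 " " list]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# days_over_threshold FILE N -> "Mon DD <total>" for days with more than N rejects.
days_over_threshold() {
    count_rbl_rejects "$1" | awk -v max="$2" '
        { total[$1 " " $2] += $4 }
        END { for (d in total) if (total[d] > max) print d, total[d] }
    ' | sort
}

# Demo on the constructed sample; on a real server pass /var/log/zimbra.log.
demo_log=$(mktemp) && sample_log > "$demo_log"
count_rbl_rejects "$demo_log"
days_over_threshold "$demo_log" 2
rm -f "$demo_log"
```
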

To find out how you configured Postfix on Zimbra, run as user zimbra:

zmprov gcf zimbraMtaRestriction

Setting up RBLs

Before making changes to your production environment, test on a test environment first. This article is a work in progress, use it at your own discretion. Create a free account for the DQS service at Spamhaus via

Then log in to the Spamhaus portal via and get your DQS Query Key. Then configure Zimbra by running the following commands as user zimbra (don’t forget to replace your-query-key-here with your actual key):

zmprov mcf zimbraMtaRestriction "reject_invalid_helo_hostname"
zmprov mcf +zimbraMtaRestriction "reject_non_fqdn_sender"
zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override'
zmprov mcf +zimbraMtaRestriction "reject_rbl_client[2..11]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_sender[2..99]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_helo[2..99]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_reverse_client[2..99]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_sender[2..24]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_helo[2..24]"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_reverse_client[2..24]"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client"

In some cases you will want to receive email from certain domains or IPs regardless of them being in the RBL. This can be achieved by setting up an RBL override. Create a file /opt/zimbra/conf/postfix_rbl_override with the following content: OK OK OK

Then run the following command as user zimbra:

postmap /opt/zimbra/conf/postfix_rbl_override

Next create a file /opt/zimbra/conf/dnsbl-reply-map with the following content (don’t forget to replace your-query-key-here with your actual key):

[2..11] 554 $rbl_class $rbl_what blocked using ZEN - see$client_address for details
[2..99] 554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
[2..24] 554 $rbl_class $rbl_what blocked using ZRD - domain too young
         554 $rbl_class $rbl_what blocked using ZEN - see$client_address for details
         554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details
         554 $rbl_class $rbl_what blocked using ZRD - domain too young

Since reject_rhsbl_helo is not supported in Zimbra yet, you have to add it to /opt/zimbra/conf/zmconfigd/ (example result below):

%%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%exact VAR:zimbraMtaRestriction reject_invalid_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_non_fqdn_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%exact VAR:zimbraMtaRestriction reject_unknown_client_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_reverse_client_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_helo_hostname%%
%%exact VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%exact VAR:zimbraMtaRestriction reject_unverified_recipient%%
%%contains VAR:zimbraMtaRestriction check_recipient_access lmdb:/opt/zimbra/conf/postfix_recipient_access%%
%%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override%%
%%contains VAR:zimbraMtaRestriction check_reverse_client_hostname_access pcre:/opt/zimbra/conf/fqrdns.pcre%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
%%explode reject_rhsbl_client VAR:zimbraMtaRestrictionRHSBLCs%%
%%explode reject_rhsbl_reverse_client VAR:zimbraMtaRestrictionRHSBLRCs%%
%%explode reject_rhsbl_sender VAR:zimbraMtaRestrictionRHSBLSs%%
%%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
%%contains VAR:zimbraMtaRestriction check_recipient_access ldap:/opt/zimbra/conf/
%%exact VAR:zimbraMtaRestriction reject%%

Next run as user zimbra:

postmap /opt/zimbra/conf/dnsbl-reply-map

Next we have to add the rbl_reply_maps to Postfix. Add the following line (as root) to /opt/zimbra/common/conf/

rbl_reply_maps = lmdb:/opt/zimbra/conf/dnsbl-reply-map

Then run:

zmmtactl restart

Each time you make changes to rbl_reply_maps or postfix_rbl_override, you need to run the postmap command then zmmtactl restart. You also need to re-apply changes to, and dnsbl-reply-map after a Zimbra upgrade or patch installation.

Test configuration

In your browser go to fill out your email address and run the SMTP test:


  1. Honza September 12, 2022 at 11:40 PM #

    Thank you for the great tip.
    How do I set postscreen?

    zmprov mcf +zimbraMtaPostscreenDnsblSites: “[2..255]”

    postscreen_dnsbl_reply_map = texthash:/opt/zimbra/conf/dnsbl_reply – /opt/zimbra/common/conf/ … this settings will not accept me.


    • Barry de Graaff September 23, 2022 at 11:25 PM #

      Hello Honza,

      Instead of using texthash, use lmdb. Create dnsbl-reply-map as documented in the above blog post and don’t forget to run the postmap command.

      Next we have to add the postscreen_dnsbl_reply_map to Postfix. Add the following line (as root) to /opt/zimbra/common/conf/
      postscreen_dnsbl_reply_map = lmdb:/opt/zimbra/conf/dnsbl-reply-map
      zmmtactl restart

      And that should apply the changes correctly. Can you confirm if this works for you? The complete steps for Postscreen will then be as below.

      Thanks! Barry

