[GH-ISSUE #921] DNSBL report incorrect #797

New issue

Closed

opened 2026-02-27 11:13:35 +03:00 by kerem · 20 comments

kerem commented 2026-02-27 11:13:35 +03:00

Owner

Copy link

Originally created by @dugite-code on GitHub (Sep 19, 2016).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/921

Originally assigned to: @tonioo on GitHub.

Just upgraded to 1.6.0 from 1.5.1

added new crontab entries then manually ran /srv/modoboa/env/bin/python /srv/modoboa/instance/manage.py modo check_mx as vmail with no errors. All DNSBL show as listed, my manual checks (where possible) show no listings. using dnsbl.info only dnsbl-3.uceprotect.net shows listed due to my server being a digital ocean droplet (minor issue).

I am unsure how to debug this issue. I have set debugging to True in settings.py is there a log file I can check?

Originally created by @dugite-code on GitHub (Sep 19, 2016). Original GitHub issue: https://github.com/modoboa/modoboa/issues/921 Originally assigned to: @tonioo on GitHub. Just upgraded to 1.6.0 from 1.5.1 added new crontab entries then manually ran `/srv/modoboa/env/bin/python /srv/modoboa/instance/manage.py modo check_mx` as vmail with no errors. All DNSBL show as listed, my manual checks (where possible) show no listings. using dnsbl.info only dnsbl-3.uceprotect.net shows listed due to my server being a digital ocean droplet (minor issue). I am unsure how to debug this issue. I have set debugging to True in settings.py is there a log file I can check?

kerem 2026-02-27 11:13:35 +03:00

• closed this issue
• added the
  enhancement
  label

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@tonioo commented on GitHub (Sep 19, 2016):

Could you paste some screenshots please ?

<!-- gh-comment-id:247925106 --> @tonioo commented on GitHub (Sep 19, 2016): Could you paste some screenshots please ?

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@dugite-code commented on GitHub (Sep 22, 2016):

Is this what you're after? It's every DNSBL provider from the constants.py file.

PS: I just did a fresh install on a new droplet (broke stuff with my tinkering) issue is pressent with a brand new install.

<!-- gh-comment-id:248794146 --> @dugite-code commented on GitHub (Sep 22, 2016): Is this what you're after? It's every DNSBL provider from the `constants.py` file. PS: I just did a fresh install on a new droplet (broke stuff with my tinkering) issue is pressent with a brand new install. 

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@tonioo commented on GitHub (Sep 30, 2016):

Have you checked that the MX record found by Modoboa is the right one ?

<!-- gh-comment-id:250744342 --> @tonioo commented on GitHub (Sep 30, 2016): Have you checked that the MX record found by Modoboa is the right one ?

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@dugite-code commented on GitHub (Oct 3, 2016):

MX record is correct with correct IP address. I also have reverse DNS lookup working.

• Only thing I've added to my blank Ubuntu install is UFW but the default behavior for outgoing traffic is allow

<!-- gh-comment-id:251010039 --> @dugite-code commented on GitHub (Oct 3, 2016): MX record is correct with correct IP address. I also have reverse DNS lookup working. - Only thing I've added to my blank Ubuntu install is UFW but the default behavior for outgoing traffic is allow

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@hennedo commented on GitHub (Oct 3, 2016):

I can confirm this behaviour on a fresh installation of Ubuntu 16.04 without ufw.

<!-- gh-comment-id:251251713 --> @hennedo commented on GitHub (Oct 3, 2016): I can confirm this behaviour on a fresh installation of Ubuntu 16.04 without ufw.

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@tonioo commented on GitHub (Oct 4, 2016):

Guys, would be easier to debug if one of you could give me a domain name that fails. Do not hesitate to send me a private message.

<!-- gh-comment-id:251333693 --> @tonioo commented on GitHub (Oct 4, 2016): Guys, would be easier to debug if one of you could give me a domain name that fails. Do not hesitate to send me a private message.

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@hennedo commented on GitHub (Oct 4, 2016):

Try smells.sexy :)

<!-- gh-comment-id:251348760 --> @hennedo commented on GitHub (Oct 4, 2016): Try smells.sexy :)

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@tonioo commented on GitHub (Oct 4, 2016):

Thank you. I'm sorry but I fail to reproduce your issue... I see your domain as not blacklisted. Where is your server ? Is there any DNS limitation or something similar which could cause this ?

<!-- gh-comment-id:251454145 --> @tonioo commented on GitHub (Oct 4, 2016): Thank you. I'm sorry but I fail to reproduce your issue... I see your domain as not blacklisted. Where is your server ? Is there any DNS limitation or something similar which could cause this ?

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@hennedo commented on GitHub (Oct 4, 2016):

Not that i'm aware of it..

When I manually try to query the ip, it shows the following

root@mail:/ dig 66.30.172.31.bl.spamcop.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> 66.30.172.31.bl.spamcop.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58068
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;66.30.172.31.bl.spamcop.net.   IN  A

;; AUTHORITY SECTION:
bl.spamcop.net.     0   IN  SOA bl.spamcop.net. hostmaster.admin.spamcop.net. 1475602051 3600 1800 3600 0

;; Query time: 32 msec
;; SERVER: 195.182.2.2#53(195.182.2.2)
;; WHEN: Tue Oct 04 19:28:54 CEST 2016
;; MSG SIZE  rcvd: 109

Which is fine, if i'm not mistaking... I will have a look at the code tonight..

<!-- gh-comment-id:251456835 --> @hennedo commented on GitHub (Oct 4, 2016): Not that i'm aware of it.. When I manually try to query the ip, it shows the following ``` root@mail:/ dig 66.30.172.31.bl.spamcop.net ; <<>> DiG 9.10.3-P4-Ubuntu <<>> 66.30.172.31.bl.spamcop.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58068 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;66.30.172.31.bl.spamcop.net. IN A ;; AUTHORITY SECTION: bl.spamcop.net. 0 IN SOA bl.spamcop.net. hostmaster.admin.spamcop.net. 1475602051 3600 1800 3600 0 ;; Query time: 32 msec ;; SERVER: 195.182.2.2#53(195.182.2.2) ;; WHEN: Tue Oct 04 19:28:54 CEST 2016 ;; MSG SIZE rcvd: 109 ``` Which is fine, if i'm not mistaking... I will have a look at the code tonight..

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@tonioo commented on GitHub (Oct 5, 2016):

Yes, it is fine. Which user runs the management command ?

<!-- gh-comment-id:251658521 --> @tonioo commented on GitHub (Oct 5, 2016): Yes, it is fine. Which user runs the management command ?

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@tonioo commented on GitHub (Oct 5, 2016):

@dugite-code Have you tried to run the command as root ?

<!-- gh-comment-id:251659282 --> @tonioo commented on GitHub (Oct 5, 2016): @dugite-code Have you tried to run the command as root ?

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@hennedo commented on GitHub (Oct 5, 2016):

Found the error!
I had set a DNS Search Domain in my /etc/resolv.conf.
socket.gethostbyname always returned the IP address of my Webserver. The Searchdomain also is the hostname of my Webserver, so it seems, when socket.gethostbyname cannot resolve the Hostname, it takes the IP of the searchdomain.

Removing the Searchdomain fixed this.

(and the script crashes if no MX is present now... mhh did I break something? :D the try..catch, doesn't seem to catch the "dns.resolver.NXDOMAIN" error, which is raised if no MX is present...)

^- forget that, this seems to be already fixed in the current git master...

<!-- gh-comment-id:251711978 --> @hennedo commented on GitHub (Oct 5, 2016): Found the error! I had set a DNS Search Domain in my /etc/resolv.conf. socket.gethostbyname always returned the IP address of my Webserver. The Searchdomain also is the hostname of my Webserver, so it seems, when socket.gethostbyname cannot resolve the Hostname, it takes the IP of the searchdomain. Removing the Searchdomain fixed this. (and the script crashes if no MX is present now... mhh did I break something? :D the try..catch, doesn't seem to catch the "dns.resolver.NXDOMAIN" error, which is raised if no MX is present...) ^- forget that, this seems to be already fixed in the current git master...

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@dugite-code commented on GitHub (Oct 6, 2016):

@tonioo just gave it a shot running as root with no change * Edit just sent you my domain details via email

I also got the same result using dig

@henne- Unfortunately I don't have a dns search domain defined.

<!-- gh-comment-id:251847631 --> @dugite-code commented on GitHub (Oct 6, 2016): @tonioo just gave it a shot running as root with no change \* Edit just sent you my domain details via email I also got the same result using dig @henne- Unfortunately I don't have a dns search domain defined.

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@awein commented on GitHub (Oct 9, 2016):

This issue is caused by a missing domain entry in the resolv.conf file. An empty value might still cause issues in case your hostname is a subdomain (like mail.example.com).

@tonioo I suggest to append a . at the end of the hostname (which will force the name to be the full DNS name instead of a relative one)
(e.g. bl.spamcop.net. instead of bl.spamcop.net)

The workaround until then is to add the following line to the /etc/resolv.conf:

domain .

<!-- gh-comment-id:252473551 --> @awein commented on GitHub (Oct 9, 2016): This issue is caused by a missing domain entry in the `resolv.conf` file. An empty value might still cause issues in case your hostname is a subdomain (like mail.example.com). @tonioo I suggest to append a `.` at the end of the hostname (which will force the name to be the full DNS name instead of a relative one) (e.g. `bl.spamcop.net.` instead of `bl.spamcop.net`) The workaround until then is to add the following line to the `/etc/resolv.conf`: ``` domain . ```

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@dugite-code commented on GitHub (Oct 10, 2016):

I can confirm adding domain . to my /etc/resolv.conf fixed this issue for me. Thanks @awein

*edit: yes my domain was a subdomain like mail.mydomain.com

<!-- gh-comment-id:252527163 --> @dugite-code commented on GitHub (Oct 10, 2016): I can confirm adding `domain .` to my `/etc/resolv.conf` fixed this issue for me. Thanks @awein *edit: yes my domain was a subdomain like mail.mydomain.com

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@dugite-code commented on GitHub (Oct 10, 2016):

Incidentally dnsbl.njabl.org show's listed but according to dnsbl.info and vamsoft.com njabl.org has been shutdown and should probably be removed.

<!-- gh-comment-id:252527405 --> @dugite-code commented on GitHub (Oct 10, 2016): Incidentally dnsbl.njabl.org show's listed but according to [dnsbl.info](http://www.dnsbl.info/dnsbl-njabl-org.php) and [vamsoft.com](http://vamsoft.com/support/docs/knowledge-base/njabl-shutdown) njabl.org has been shutdown and should probably be removed.

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@ghost commented on GitHub (Oct 10, 2016):

Are you guys using some public DNS resolver? Because many DNSBL services are known to block or limit the queries from such resolvers.

I use my own DNS resolver (Unbound), so I only have nameserver 127.0.0.1 in resolv.conf file. And everything is fine here with many domains.

Just my 2 cents.

<!-- gh-comment-id:252527470 --> @ghost commented on GitHub (Oct 10, 2016): Are you guys using some public DNS resolver? Because many DNSBL services are known to block or limit the queries from such resolvers. I use my own DNS resolver (Unbound), so I only have `nameserver 127.0.0.1` in resolv.conf file. And everything is fine here with many domains. Just my 2 cents.

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@dugite-code commented on GitHub (Oct 10, 2016):

@csmk that's interesting to know. I'm using the google name servers because I honestly didn't think of changing the default settings.

My Digital Ocean droplet built using their Ubuntu 16.04.1 x64 image /etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8
nameserver 8.8.4.4

<!-- gh-comment-id:252527900 --> @dugite-code commented on GitHub (Oct 10, 2016): @csmk that's interesting to know. I'm using the google name servers because I honestly didn't think of changing the default settings. My Digital Ocean droplet built using their `Ubuntu 16.04.1 x64` image `/etc/resolv.conf` ``` # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN nameserver 8.8.8.8 nameserver 8.8.4.4 ```

kerem commented 2026-02-27 11:13:36 +03:00

Author

Owner

Copy link

@tonioo commented on GitHub (Oct 10, 2016):

@awein Thank you! I'll update the code.

<!-- gh-comment-id:252565513 --> @tonioo commented on GitHub (Oct 10, 2016): @awein Thank you! I'll update the code.

kerem commented 2026-02-27 11:13:37 +03:00

Author

Owner

Copy link

@gabsoftware commented on GitHub (Mar 29, 2022):

Are you guys using some public DNS resolver? Because many DNSBL services are known to block or limit the queries from such resolvers.

I use my own DNS resolver (Unbound), so I only have nameserver 127.0.0.1 in resolv.conf file. And everything is fine here with many domains.

Just my 2 cents.

That was it! zen.spamhaus.org refused DNS queries with public DNS resolvers, even the ECS enabled 9.9.9.11... Which should have worked according to their usage terms https://www.spamhaus.org/organization/dnsblusage/ .

<!-- gh-comment-id:1081851181 --> @gabsoftware commented on GitHub (Mar 29, 2022): > Are you guys using some public DNS resolver? Because many DNSBL services are known to block or limit the queries from such resolvers. > > I use my own DNS resolver (Unbound), so I only have `nameserver 127.0.0.1` in resolv.conf file. And everything is fine here with many domains. > > Just my 2 cents. That was it! zen.spamhaus.org refused DNS queries with public DNS resolvers, even the ECS enabled 9.9.9.11... Which should have worked according to their usage terms https://www.spamhaus.org/organization/dnsblusage/ .

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

fix/sievefilters-allow-email-in-rule-name

dependabot/npm_and_yarn/frontend/axios-1.15.0

translations_04c0b653215cb5fa48ab101eae1a1917_ja_JP

translations_5d93982e9fd6dab991db4faf93ce9ded_ja_JP

fix/login-issue-3995

fix/sievefilters-issues

add-vitepress-openapi

2974-dmarc-empty-email

2.3.x

updated-doc-2.3.0

feature/OIDC

delete-all-alarms

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_af_ZA

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_ar

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_ca

1.x

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_sk

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_tr

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_es_ES

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_uk

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_zh_CN

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_de_DE

translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_da_DK

1.8.x

1.7.x

1.6.x

1.4.x

1.3.x

1.2.x

2.8.2

2.8.1

2.8.0

2.7.2

2.7.1

2.7.0

2.6.5

2.6.4

2.6.3

2.6.2

2.6.1

2.6.0

2.5.1

2.5.0

2.4.11

2.4.10

2.4.9

2.4.8

2.4.7

2.4.6

2.4.5

2.4.4

2.4.3

2.4.2

2.4.1

2.4.0

2.3.6

2.3.5

2.3.4

2.3.3

2.3.2

2.3.1

2.3.0

2.3.0-beta.4

2.3.0-beta.3

2.3.0-beta.2

2.3.0-beta.1

2.2.4

2.2.3

2.2.2

2.2.1

2.2.0

2.1.2

2.1.1

2.1.0

2.0.5

2.0.4

2.0.3

2.0.2

2.0.1

2.0.0

2.0.0-beta.3

2.0.0-beta.2

2.0.0-beta.1

1.17.0

1.16.1

1.16.0

1.15.0

1.14.0

1.13.1

1.13.0

1.12.2

1.12.1

1.12.0

1.11.1

1.11.0

1.10.7

1.10.6

1.10.5

1.10.4

1.10.3

1.10.2

1.10.1

1.10.0

1.9.1

1.9.0

1.8.3

1.8.2

1.8.1

1.8.0

1.7.4

1.7.3

1.7.2

1.7.1

1.7.0

1.6.3

1.6.2

1.6.1

1.6.0

1.5.3

1.5.2

1.5.1

1.5.0

1.4.5

1.4.4

1.4.3

1.4.2

1.4.1

1.4.0

1.3.5

1.3.4

1.2.2

1.3.3

1.3.2

1.3.1

1.3.0

1.2.1

1.2.0

1.2.0-rc2

1.2.0-rc1

1.1.7

1.1.6

1.1.5

1.1.4

1.1.3

1.1.2

1.1.1

1.1.0

1.0.1

1.0.0

0.9.5

0.9.4

0.9.3

0.9.2

0.9.1

0.9

0.8.8

0.8.7

0.8.6.1

0.8.6

0.8.5

0.8.4

0.8.3

0.8.3-rc1

0.8.2

0.8.1

0.8

0.8-rc2

0.8-rc1

0.7.2

0.7.1

0.7

0.6.1

0.6

0.5

0.3

0.2

0.1

Labels

Clear labels   

bug

  

bug

  

dependencies

  

design

  

documentation

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

feedback-needed

  

help-needed

  

help-needed

  

installer

  

invalid

  

looking-for-sponsors

  

modoboa-contacts

  

new-ui

  

new-ui

  

pr

  

pull-request

Mirrored from GitHub Pull Request

  

pyconfr

  

python

  

question

  

security

  

stale

  

webmail

  

wontfix

No labels

bug

bug

dependencies

design

documentation

duplicate

enhancement

enhancement

enhancement

feedback-needed

help-needed

help-needed

installer

invalid

looking-for-sponsors

modoboa-contacts

new-ui

new-ui

pr

pull-request

pyconfr

python

question

security

stale

webmail

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/modoboa-modoboa#797

No description provided.