Hello,
I just noticed this particular behaviour as I was trying to track down
some issues as apparently my mail server was bouncing legitimate emails
from a few senders (including some freebsd mailing lists and also
postfix-users as I discovered afterwards). This is on the FreeBSD port
of Postfix 3.6.0.
Here's snippet from the maillog:
May 29 04:31:47 mail-server postfix/postscreen[57886]: CONNECT from
[remote-mail-server-ip]:51120 to [my-mail-server-ip]:25
May 29 04:31:47 mail-server postfix/dnsblog[59708]: addr
remote-mail-server-ip listed by domain zen.spamhaus.org as 127.255.255.254
May 29 04:31:53 mail-server postfix/postscreen[57886]: DNSBL rank 2 for
[remote-mail-server-ip]:51120
May 29 04:31:53 mail-server postfix/tlsproxy[60045]: CONNECT from
[remote-mail-server-ip]:51120
May 29 04:31:53 mail-server postfix/tlsproxy[60045]: Anonymous TLS
connection established from [remote-mail-server-ip]:51120: TLSv1.3 with
cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
server-signature RSA-PSS (2048 bits) server-digest SHA256
May 29 04:31:53 mail-server postfix/postscreen[57886]: NOQUEUE: reject:
RCPT from [remote-mail-server-ip]:51120: 550 5.7.1 Service unavailable;
client [remote-mail-server-ip] blocked using zen.spamhaus.org;
[...redacted...]
Based on zen.spamhaus.org's documentation 127.255.255.25[245] are
actually error codes and not indicators of allow/denylisting - in this
case, their error is that I was querying via a public resolver, see link
here: https://www.spamhaus.org/faq/section/DNSBL%20Usage#200
The fix/workaround in my case is relatively easy as I mostly need to
update the configuration for my local DNS server. That said, I'm not
sure if postscreen should treat this kind of error as a denylisted server?
With best regards,
Timo