If you run your own mail server, you may have run into a frustrating problem:
legitimate senders getting blocked by Spamhaus, causing “554 5.7.1 Service unavailable; Client host blocked using zen.spamhaus.org” errors.
In this guide, I’ll show you exactly how I fixed this on my Postfix + Amavis + SpamAssassin mail stack — and switched to Barracuda DNSBL for better control.
📌 Background
On my server, I run:
- Postfix for SMTP
- Amavis + SpamAssassin for scanning
- Dovecot for delivery
Everything works fine — until I noticed some legit mails from Yandex were rejected with this error:
554 5.7.1 Service unavailable; Client host blocked using zen.spamhaus.org; Error: open resolver;
https://check.spamhaus.org/...
🔍 Root Cause
I checked:
- Mail headers — to confirm that valid mails get through if the sending IP is not on Spamhaus.
- Postfix config (
main.cf) — and found these lines:smtpd_recipient_restrictions = ... reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.netThis tells Postfix to check connecting IPs with Spamhaus at SMTP time — and reject them outright.
So, even before SpamAssassin or Amavis see the mail, Postfix blocks it at the gate.
🗂️ Why is this bad?
- False positives: big providers like Yandex sometimes have dynamic IPs hit blacklists temporarily.
- No quarantine: SMTP-level RBL blocking means the mail never enters your server → no chance to manually review.
✅ How I Fixed It
✅ 1️⃣ Remove Spamhaus from Postfix
Edit main.cf:
nano /etc/postfix/main.cf
Find:
smtpd_recipient_restrictions =
...
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net
👉 Remove these lines or comment them.
Keep good basics like:
smtpd_recipient_restrictions =
check_policy_service inet:127.0.0.1:10031,
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain
Then apply:
postfix reload
✅ 2️⃣ Keep DNSBL in SpamAssassin instead
Postfix won’t block outright — instead, SpamAssassin scores it and flags suspicious mails as spam.
SpamAssassin’s DNSBL config lives in:
/usr/share/spamassassin/20_dnsbl_tests.cf
✅ 3️⃣ Replace Spamhaus with Barracuda
Edit:
nano /usr/share/spamassassin/20_dnsbl_tests.cf
Look for:
uridnsbl URIBL_DBL_SPAM ...
rbl RCVD_IN_ZEN ...
rbl RCVD_IN_XBL ...
rbl RCVD_IN_PBL ...
👉 Comment out or remove Spamhaus blocks:
# rbl RCVD_IN_ZEN zen.spamhaus.org.
# rbl RCVD_IN_XBL xbl.spamhaus.org.
# rbl RCVD_IN_PBL pbl.spamhaus.org.
👉 Add Barracuda:
rbl RCVD_IN_BRBL lastexternal.barracudacentral.org.
describe RCVD_IN_BRBL Received via a host listed in the Barracuda BRBL
tflags RCVD_IN_BRBL net
Save and restart SpamAssassin (or Amavis, if it loads SpamAssassin):
systemctl restart spamassassin
# OR
systemctl restart amavisd
🗂️ Done!
- ✅ Postfix no longer blocks mails at SMTP time.
- ✅ SpamAssassin scores spam internally, so you can quarantine or mark it.
- ✅ Barracuda BRBL checks replace Spamhaus.
⚡ Key Benefits
✅ Legit senders no longer bounce.
✅ You control how spam is handled — block, quarantine, or deliver with [SPAM].
✅ Easy to tune, easy to change DNSBL later.
🧩 Sample Final Postfix main.cf Snippet
smtpd_recipient_restrictions =
check_policy_service inet:127.0.0.1:10031,
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain
🔑 Final Words
💡 RBLs are powerful — but use them carefully!
- Postfix RBL = immediate hard rejection.
- SpamAssassin RBL = smart scoring & quarantine.
Switch wisely for peace of mind.
✅ Tested on:
- Postfix 3.x
- SpamAssassin 3.x
- Amavis + Dovecot
- Rocky Linux
