Question

Spamhaus Blacklisting

I recently set up a new server, but the IP it was given was blacklisted previously (likely due to misuse). I already went to spamhaus and it removed it there, but I am still getting the error from Google.

Show comments

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Accepted Answer

When you spin up a new droplet with the purposes of making an MTA for your person/business and/or migrate a known working instance, check the newly spun up droplet’s external IP at spamhaus.org to see if it is blacklisted and of course also check your postfix/exim4 logs when testing outgoing to Google email addresses. If you get this error “The IP you’re using to send mail is not authorized to 550-5.7.1 send email directly to our servers. Please use the SMTP relay at your 550-5.7.1 service provider instead. Learn more at 550 5.7.1 ht tp://support.google.com/mail/bi/answer.py?answer=10336”, it says that because DO reuses IPs that were previously abused and so they are still balcklisted on spamhaus, which Google uses (and Yahoo). Instead of whitelisting the IP on spamhaus, just snapshot your image, delete the original, then spin up a new one importing the snapshot. When that’s done, check that the newly issued IP is not blacklisted and of course also test your MTA to see if the error is gone. In my case, I had to spin up two new ones to finally get issued a non-blacklisted IP. The error from Google is very broad and the website is no more specific, but if you also test sending to a Yahoo email, the logs will state explicitly that its because of the spamhaus listing you are being rejected. Here is a SE poster facing the same issue: ht tps://stackoverflow.com/questions/15771932/the-ip-youre-using-to-send-mail-is-not-authorized-to-send-email-directly-to-our#20235665 - Hope this helps others like me who use send only MTAs / relays for small businesses and need them to work when you make them, not 3-5 months later!

alexdo
Site Moderator
Site Moderator badge
August 14, 2022

Hello @oemb1905

Can you share the error message that you’re receiving from Google?

Keep in mind that Spamhaus’s database contains a lot of lists and even if your IP address is listed in one of those lists, this does not guarantee that you’ll have issues with the mail delivery. Spamhaus contains lists that charge fees to delist IPs and legit providers are likely not to check against their database.

You should aim to keep your droplet’s IP unlisted from any possible blocklist.

Regards

(Solution/answer) -> The error that Google sends back when your external IP is blacklisted is as follows: “The IP you’re using to send mail is not authorized to 550-5.7.1 send email directly to our servers. Please use the SMTP relay at your 550-5.7.1 service provider instead. Learn more at 550 5.7.1 http://support.google.com/mail/bin/answer.py?answer=10336 b4si2095585vdw.57 - gsmtp. Connection closed by foreign host.” <- tail -f /var/log/mail.log A little basic Google searching leads you to this post: https://stackoverflow.com/questions/15771932/the-ip-youre-using-to-send-mail-is-not-authorized-to-send-email-directly-to-our where a poster suggested it was due to the Spamhaus block. After seeing this, I tested sending to a yahoo.com address, and the error from Yahoo explicitly stated that this IP was blacklisted in Spamhaus, thus confirming the reasoning on this post. And once I saw the earlier and ignored DO posts on this matter by other users, I decided to snapshot and spin up new droplets (with new ips); sure enough the second one was also blocked, but the third one I spun up was not, and everything on the postfix MTA worked immediately from that point forward (no change in setup, just the IP changed is all). In short, DO is reusing old IPs from their block that have been abused in the past, and when you inherit those on a new spin up, you inherit the block too. Spamhaus does allow you to remove the blacklist (https://check.spamhaus.org/) if you run your own email server, however, this is not viable because it takes weeks/months rendering it pointless for a production machine solution. The only solution is to snapshot/rebuild, otherwise folks will be waiting weeks (or possibly indefinitely) for email providers to update their blacklists and remove the false positive. Hopefully, this post/answer finds other frustrated DO users and helps them solve the problem in < 5 minutes like I did! Best, oemb1905

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel