Though not currently bouncing my maillog had this message (sanitized because of Google):
NOQUEUE: reject: RCPT from avasout-peh-001.plus.net[212.159.14.17]: 554 5.7.1 Service unavailable; Client host [212.159.14.17] blocked using zen.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/172.69.133.38; from=<someper...@notme99.plus.com> to=<m...@mydomain.com> proto=ESMTP helo=<avasout-peh-001.plus.net> Reading the link provided: https://www.spamhaus.org/returnc/pub/172.69.133.38 Then ultimately reaching: https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/PublicMirrors/MTAs/020-Postfix.html#configuration The suggested set up is: smtpd_recipient_restrictions = ... reject_rbl_client zen.spamhaus.org=127.0.0.[2..11] reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99] reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99] reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99] warn_if_reject reject_rbl_client zen.spamhaus.org=127.255.255.[1..255] ... Looking at warn_if_reject on https://www.postfix.org/postconf.5.html this seems like a bad idea since it won't reject the spam. Googling "zen.spamhaus.org=127.0.0.[2..11]" indicates a change was made in 2021 and just follow instructions. No real explanation. I'm always hesitant to do something I don't fully understand (certs and regex excluded). Comments?