Advanced 15 min SMTP 554

554 Transaction Failed — Blacklisted IP

Symptoms

- All outbound emails bounce with "554 5.7.1 Service unavailable — client host [1.2.3.4] blocked"
- The rejection affects every recipient, not just one domain
- Checking your IP on MXToolbox Blacklist or multirbl.valli.org shows one or more positive hits
- Legitimate email (password resets, invoices) bounces alongside bulk sends
- Postfix log: `NOQUEUE: reject: RCPT from unknown[1.2.3.4]: 554 5.7.1 Service unavailable; Client host [1.2.3.4] blocked using Spamhaus.org`

Root Causes

- IP address listed on DNS-based blacklists (DNSBL) due to past spam originating from it
- Compromised server account or web application sending spam without the admin's knowledge
- Open relay configuration allowing external senders to route mail through your server
- Shared hosting IP tainted by another tenant on the same server
- Sudden spike in sending volume (e.g., marketing blast) triggering automatic blacklisting

Diagnosis

**Step 1 — Identify your sending IP**

```bash
# On your mail server
curl -s https://ifconfig.me
# Or check Postfix outbound interface
postconf -n | grep smtp_bind_address
```

**Step 2 — Check against major DNSBLs**

```bash
# Manual DNSBL lookup (replace 4.3.2.1 with reversed octets of your IP)
# For IP 1.2.3.4 the reversed form is 4.3.2.1
dig 4.3.2.1.zen.spamhaus.org
dig 4.3.2.1.bl.spamcop.net
dig 4.3.2.1.b.barracudacentral.org
# A response of 127.0.0.x means the IP is listed
# NXDOMAIN means it is not listed on that DNSBL
```

Use https://mxtoolbox.com/blacklists.aspx for a dashboard check across 100+ lists.
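The Step 2 lookups as a script that can run from cron, added here as an example and not part of the original guide. It exits non-zero when any zone is not clean, and it reports Spamhaus's 127.255.255.x answers (returned when a query arrives through a public resolver, is rate-limited, or names the zone wrongly) as query errors instead of listings. The function names and exit codes are assumptions of this example.

```bash
#!/bin/sh
# Added example: check one IPv4 address against the DNSBL zones from Step 2.
# Function names and exit codes are this example's own choices.
ZONES="zen.spamhaus.org bl.spamcop.net b.barracudacentral.org"

# 1.2.3.4 -> 4.3.2.1; fails (status 1) on anything that is not dotted-quad IPv4.
reverse_ip() {
  case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
  [ "$#" -eq 4 ] || return 1
  for _o in "$@"; do
    case "$_o" in ????*) return 1 ;; esac
    [ "$_o" -le 255 ] || return 1
  done
  echo "$4.$3.$2.$1"
}

# Map the A record returned by a DNSBL to a verdict.
classify_answer() {
  case "$1" in
    '')            echo clean ;;        # NXDOMAIN (a SERVFAIL also looks empty with +short)
    127.255.255.*) echo query-error ;;  # Spamhaus error codes, not a listing
    127.0.0.*)     echo listed ;;
    *)             echo unexpected ;;   # e.g. a resolver that rewrites NXDOMAIN
  esac
}

# Query every zone; status 0 = clean everywhere, 1 = something needs attention, 2 = usage error.
check_ip() {
  command -v dig >/dev/null || { echo "dig not found" >&2; return 2; }
  _rev=$(reverse_ip "$1") || { echo "not an IPv4 address: $1" >&2; return 2; }
  _status=0
  for _zone in $ZONES; do
    _answer=$(dig +short A "$_rev.$_zone" | head -n 1)
    _verdict=$(classify_answer "$_answer")
    printf '%-26s %-12s %s\n' "$_zone" "$_verdict" "$_answer"
    [ "$_verdict" = clean ] || _status=1
  done
  return "$_status"
}

# Only query the network when an IP is given on the command line.
if [ "$#" -gt 0 ]; then check_ip "$1"; exit $?; fi
```

A `query-error` verdict means the check itself is unreliable: point the mail server at its own recursive resolver and rerun before acting on the result.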

**Step 3 — Identify the source of spam**

```bash
# Check Postfix logs for unusual sending patterns
grep 'status=sent' /var/log/mail.log | awk '{print $7}' | sort | uniq -c | sort -rn | head -20

# Look for authentication from unexpected IPs
grep 'sasl_username' /var/log/mail.log | awk '{print $NF, $(NF-2)}' | sort | uniq -c | sort -rn
```

**Step 4 — Check for open relay**

```bash
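# Test if your server relays for arbitrary senders
telnet mail.yourdomain.com 25
# The following lines are typed into the SMTP session
# (placeholder addresses on domains your server does not host)
EHLO test.example.org
MAIL FROM:<sender@example.org>
RCPT TO:<recipient@example.net>
# A "554 Relay access denied" response is correct; the server is an open relay if it accepts the recipient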
```

Resolution

**Fix 1 — Secure the server and stop the spam**

Before requesting delisting, eliminate the spam source:

```bash
# Reset all email account passwords
# Scan web apps for PHP mailer shells
find /var/www -name '*.php' -exec grep -l 'mail(' {} \;

# Block outbound SMTP from web user (www-data) if not needed
sudo iptables -A OUTPUT -m owner --uid-owner www-data -p tcp --dport 25 -j DROP
```

**Fix 2 — Request delisting from each blacklist**

Each DNSBL has its own removal process:

- **Spamhaus**: https://www.spamhaus.org/lookup/ → click 'Request Removal'
- **Barracuda**: https://www.barracudacentral.org/rbl/removal-request
- **SpamCop**: Automatic — expires after inactivity (usually 24–48 hours)
- **Microsoft**: https://sender.office.com (for O365 rejections)

**Fix 3 — Move to a clean sending IP**

```bash
# Add a new outbound IP to your server
# Update Postfix to use the new IP for outbound
# /etc/postfix/main.cf
# your new clean IP (main.cf does not support inline comments, so keep this on its own line)
smtp_bind_address = 5.6.7.8

sudo systemctl reload postfix
```

**Fix 4 — Use a reputable ESP for bulk/transactional email**

Route email through Amazon SES, SendGrid, or Mailgun to leverage their pre-warmed, monitored IP pools and avoid direct IP reputation exposure.

Prevention

- Monitor your sending IP daily against major DNSBLs using automated tools (MXToolbox, HetrixTools) with alerts
- Never configure your server as an open relay — always require SMTP AUTH for outbound relay
- Rate-limit outbound email per user account to catch compromised credentials early
- Implement SPF, DKIM, and DMARC to authenticate your domain's mail
- Use separate sending IPs for transactional vs bulk email so a bulk sending issue doesn't block transactional messages
