All mails rejected by Spamhaus; Error: open resolver

Today all incoming mail was suddenly rejected by my mail server. People contacted me to say they had received non-delivery notifications with this status:

  5.7.1 Service unavailable; Client host [SENDER IP] blocked using
  sbl-xbl.spamhaus.org; Error: open resolver;

Now what the heck is an open resolver? At first I thought that my perfectly set up MTA had suddenly become an open relay, or had been listed on blacklists, hence Spamhaus. But after reading the log on my server carefully, this was something other than the standard rejection log entry:

Sep  7 17:05:21 claptrap postfix/smtpd[4285]: NOQUEUE: reject: RCPT from mail.netbsd.org[199.233.217.200]: 554 5.7.1 Service unavailable; Client host [199.233.217.200] blocked using sbl-xbl.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/162.158.101.79; from=<bounces-netbsd-users-owner-***@NetBSD.org> to=<***@***> proto=ESMTP helo=<mail.netbsd.org>
Sep  7 17:05:21 claptrap postfix/smtpd[4285]: using backwards-compatible default setting smtpd_relay_before_recipient_restrictions=no to reject recipient "***@***" from client "mail.netbsd.org[199.233.217.200]"
Sep  7 17:05:21 claptrap postfix/smtpd[4285]: disconnect from mail.netbsd.org[199.233.217.200] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6
Example from the log

After some research it is now clear that the Spamhaus service for rejecting spam IPs and compromised hosts, free for years, is no longer free. In fact they now drop all requests to zones like sbl-xbl.spamhaus.org or zen.spamhaus.org that are made from public DNS servers such as Cloudflare. Instead you need to register for an API key here: https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account/ and it should work for non-commercial MTAs. If you use it commercially they can issue a quote for a subscription. Spamhaus is then queried via API.spamhaus.org.

As they write, you can either register or drop Spamhaus from the MTA config. I chose option 2. Although it is stated that only Cloudflare users are blocked, I don't want to switch to Google or another public DNS, as Cloudflare works best for me.
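To see why a resolver error turns into a wall of rejects, it helps to look at what the DNSBL actually answers and how Postfix interprets it. The following is an added example written for this post; it is not code from the post's author, from Postfix or from Spamhaus. It builds the reversed-octet query name, decodes the answer using the return codes Spamhaus documents (127.0.0.2-127.0.0.11 are listings, 127.255.255.254 means "queried through a public/open resolver"), models how an unscoped `reject_rbl_client` treats any answer as a listing while the scoped `=127.0.0.[2..11]` form ignores error codes, and pulls the error-caused rejects out of smtpd log lines. The first sample log line is the one from the log above; the second is constructed (192.0.2.0/24 is a documentation range).

```python
"""Decode Spamhaus DNSBL answers, model Postfix reject_rbl_client matching, and
spot 'Error: ...' rejects in Postfix smtpd logs. Added example, not the post's
own code; return codes are Spamhaus's documented ones, sample log is constructed
except for the line copied from the post."""
from __future__ import annotations

import ipaddress
import re

IPv4 = ipaddress.IPv4Address

# Answers in 127.255.255.0/24 are error signals from Spamhaus, not listings.
SPAMHAUS_ERROR_CODES = {
    "127.255.255.252": "typo in DNSBL zone name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "query volume limit exceeded",
}

# Genuine listing codes (SBL, CSS, XBL, PBL).
LISTING_RANGE = (IPv4("127.0.0.2"), IPv4("127.0.0.11"))


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reversed-octet name the MTA looks up, e.g. 200.217.233.199.<zone>."""
    octets = str(IPv4(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_dnsbl_answer(answers: list[str]) -> str:
    """Verdict for the A records returned by a DNSBL lookup.

    Empty answer (NXDOMAIN) = not listed. Error codes are reported as errors
    so they are never mistaken for a listing, which is the failure in the post.
    """
    if not answers:
        return "not_listed"
    lo, hi = LISTING_RANGE
    verdicts = []
    for a in answers:
        if a in SPAMHAUS_ERROR_CODES:
            verdicts.append("error: " + SPAMHAUS_ERROR_CODES[a])
        elif lo <= IPv4(a) <= hi:
            verdicts.append("listed: " + a)
        else:
            verdicts.append("unexpected: " + a)
    return "; ".join(verdicts)


def postfix_would_reject(answers: list[str], scoped_to=None) -> bool:
    """Model reject_rbl_client: unscoped, any A record counts as listed (so an
    error code rejects mail); scoped to a range, only answers inside it match."""
    if not answers:
        return False
    if scoped_to is None:
        return True
    lo, hi = scoped_to
    return any(lo <= IPv4(a) <= hi for a in answers)


# Rejects caused by a DNSBL error carry 'Error: ...;' after the zone name;
# rejects for a real listing go straight to the lookup URL instead.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 554 5\.7\.1 .*?"
    r"blocked using (?P<zone>[\w.-]+); Error: (?P<error>[^;]+);"
)


def find_dnsbl_errors(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """(client_ip, zone, error) for each reject caused by a DNSBL error."""
    hits = []
    for line in log_lines:
        m = REJECT_RE.search(line)
        if m:
            hits.append((m["ip"], m["zone"], m["error"].strip()))
    return hits


SAMPLE_LOG = [
    # Copied from the post: reject caused by the resolver error.
    "Sep  7 17:05:21 claptrap postfix/smtpd[4285]: NOQUEUE: reject: RCPT from "
    "mail.netbsd.org[199.233.217.200]: 554 5.7.1 Service unavailable; Client host "
    "[199.233.217.200] blocked using sbl-xbl.spamhaus.org; Error: open resolver; "
    "https://www.spamhaus.org/returnc/pub/162.158.101.79; "
    "from=<bounces-netbsd-users-owner-***@NetBSD.org> to=<***@***> proto=ESMTP helo=<mail.netbsd.org>",
    # Constructed: a genuine listing reject, no 'Error:' clause.
    "Sep  7 17:06:02 claptrap postfix/smtpd[4290]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] "
    "blocked using sbl-xbl.spamhaus.org; https://www.spamhaus.org/query/ip/192.0.2.10; "
    "from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<example.com>",
]

if __name__ == "__main__":
    print(dnsbl_query_name("199.233.217.200", "sbl-xbl.spamhaus.org"))
    for answers in ([], ["127.0.0.4"], ["127.255.255.254"]):
        print(answers, "->", classify_dnsbl_answer(answers),
              "| unscoped rejects:", postfix_would_reject(answers),
              "| scoped rejects:", postfix_would_reject(answers, LISTING_RANGE))
    for ip, zone, err in find_dnsbl_errors(SAMPLE_LOG):
        print(f"DNSBL error reject: client={ip} zone={zone} error={err!r}")
```

The `postfix_would_reject` model shows the third option besides registering or removing the zone: scoping the restriction as `reject_rbl_client sbl-xbl.spamhaus.org=127.0.0.[2..11]` (Postfix 2.8 and later) so that an error answer such as 127.255.255.254 no longer rejects every sender. Filtering is still lost while the queries come from a public resolver, but legitimate mail is not bounced in the meantime, and the `find_dnsbl_errors` pattern is the log check that tells you the outage is a DNSBL error rather than a genuine listing.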