Score:2

spamhaus sbl error 3.64.1.98 — blocked using sbl.spamhaus.org; Error: open resolver


For I don't know how long — maybe a decade — I've had the following in my postfix configuration:

smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client blackholes.easynet.nl

Recently, I've had users occasionally get bounces, where this is what I see on the server:

Nov 14 03:23:33 ip-10-0-200-150 postfix/smtpd[25205]: connect from mail-cwlgbr01on2134.outbound.protection.outlook.com[40.107.11.134]
Nov 14 03:23:33 ip-10-0-200-150 postfix/smtpd[25205]: Anonymous TLS connection established from mail-cwlgbr01on2134.outbound.protection.outlook.com[40.107.11.134]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 14 03:23:33 ip-10-0-200-150 postfix/smtpd[25205]: NOQUEUE: reject: RCPT from mail-cwlgbr01on2134.outbound.protection.outlook.com[40.107.11.134]: 554 5.7.1 Service unavailable; Client host [40.107.11.134] blocked using sbl.spamhaus.org; Error: open resolver; https://www.spamhaus.org/returnc/pub/3.64.1.98; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<GBR01-CWL-obe.outbound.protection.outlook.com>

But then 2 minutes later

Nov 14 03:25:43 ip-10-0-200-150 postfix/smtpd[25205]: connect from mail-cwlgbr01on2125.outbound.protection.outlook.com[40.107.11.125]
Nov 14 03:25:44 ip-10-0-200-150 postfix/smtpd[25205]: Anonymous TLS connection established from mail-cwlgbr01on2125.outbound.protection.outlook.com[40.107.11.125]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 14 03:25:44 ip-10-0-200-150 postfix/smtpd[25205]: 4E7A780053: client=mail-cwlgbr01on2125.outbound.protection.outlook.com[40.107.11.125]
Nov 14 03:25:44 ip-10-0-200-150 postfix/cleanup[25245]: 4E7A780053: message-id=<[email protected]>
Nov 14 03:25:44 ip-10-0-200-150 mimedefang.pl[23843]: 4E7A780053: MDLOG,4E7A780053,mail_in,,,<[email protected]>,<[email protected]>,FW: Undeliverable: FW: The Philosopher's Trading Experiment: Peter Thiel and the Big Short That Never Was
Nov 14 03:25:44 ip-10-0-200-150 mimedefang[20720]: 4E7A780053: Filter time is 21ms
Nov 14 03:25:44 ip-10-0-200-150 opendkim[11822]: 4E7A780053: mail-cwlgbr01on2125.outbound.protection.outlook.com [40.107.11.125] not internal
Nov 14 03:25:44 ip-10-0-200-150 opendkim[11822]: 4E7A780053: not authenticated
Nov 14 03:25:44 ip-10-0-200-150 opendkim[11822]: 4E7A780053: failed to parse authentication-results: header field
Nov 14 03:25:44 ip-10-0-200-150 opendkim[11822]: 4E7A780053: DKIM verification successful
Nov 14 03:25:44 ip-10-0-200-150 postfix/qmgr[28094]: 4E7A780053: from=<[email protected]>, size=177480, nrcpt=1 (queue active)
Nov 14 03:25:44 ip-10-0-200-150 amavis[22145]: (22145-03) ESMTP [127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20221113T221855-22145-4K_9q1uQ: <[email protected]> -> <[email protected]> SIZE=177480 Received: from ip-10-0-200-150.eu-central-1.compute.internal ([127.0.0.1]) by localhost (my.postfixserver.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <[email protected]>; Mon, 14 Nov 2022 03:25:44 +0000 (UTC)

The linked SpamHaus error page does not make me think this should be an intermittent problem.

The top-level question is, how do I fix this? The mail server is running on an AWS EC2 instance, with no special DNS configuration on the server. Is it possible that AWS is doing some sort of round-robin with the DNS queries, and some of the servers they're querying are now public resolvers?

Digging more deeply, I'm wondering if I should be doing this check at all, or if it's now outdated. The same linked error page tries to talk me into using SpamHaus DQS. This ServerFault question about dbl.spamhaus.org points to documentation that says you shouldn't be doing this in the mail server at all, if you're doing fewer than 200k emails per day, and instead should do it in SpamAssassin, but I can't find a similar warning/suggestion in the sbl documentation. Instead, the sbl documentation seems to want people to stop using sbl standalone, and instead switch to the integrated Zen DNSBL.

On the one hand, I'm very much of the "if it ain't broke, don't fix it" school, which is why that line has been in my Postfix configuration approximately forever. But on the other hand, it now seems like it's broken, and it seems like a lot changed in the 2017–2019 period, and isn't well documented now (all the Postfix/AmavisD virtual mail "how-to"s seem either to have been written before this period, or to just say "Amavis runs SpamAssassin, no special configuration required", but with no reference to DNSBLs).

How should I be doing this in the modern world, for a low-volume mail server?

anx
Disagree on the *a lot changed* premise. The sad opposite, actually: Bigger commercial entities funded the economic incentives for companies to stop investing in their own tooling and hosting. Bad actors continued to invest. Mail server software changed very little beyond some [random person in Nebraska](https://imgs.xkcd.com/comics/dependency_2x.png) thanklessly maintaining their project. Spamhaus did not really break either, they just started establishing a well-defined process for something they had been doing before: showing people the door.
Score:2
anx

Stop permanently (554) rejecting mail because of transient errors (should be 4XX), right now. Think about further changes if and when you expect they are worth it.

querying public resolvers

The phrasing refers to more than a few big public services. They like to know who is probing them to learn about their data sources, and they like to get larger users to pay them. They do not care whether that is something truly public, or just something Amazon has set up for you and everyone else in the data centre. If it makes your traffic difficult to distinguish from that of other servers, they would rather see DNS traffic directly from your server, with a clear rDNS name attached to it (usually: through a recursive server running on the mail server itself).


The Spamhaus documentation recommends to not block at the SMTP level

to utilize their auto-learning features

because that gets you better results. If you are not using such features right now, I would recommend you do not focus too much on the performance or volume numbers.

If your volume is low, view it as a cost/benefit trade-off between user lifetime wasted on spam versus admin lifetime expended on configuring, maintaining and troubleshooting. SpamAssassin embodies certain historically Perl-associated software design choices. And Rspamd, well, it's a very complex parser written with high performance in mind, in a highly memory-unsafe language. They are free to use, but certainly not as in beer.


"how-to"s seem either to have been written before this period, or to just say "Amavis runs SpamAssassin, no special configuration required"

True, however: there is some very recent documentation in the Spamhaus-provided integrations for SpamAssassin and Rspamd. Note that those do not work with the public mirrors. They are queried by sending a key uniquely identifying your account - which you have to manually request, then copy the key. Thus, they can check whether you, personally, exceed what they offer for free. Which will also deal with the problem you were initially facing.
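The first point of the answer above (a DNSBL error is not a listing, and must not turn into a 554) is easy to see once the DNSBL answer itself is decoded. The following is an added example, not code from the question, the answer or Postfix: it builds the reversed-octet query name, classifies a DNSBL answer as a listing, an error or clean, compares the "any A record is a hit" behaviour of a bare `reject_rbl_client sbl.spamhaus.org` with a return-code filter of the `zone=127.0.0.[2..11]` form that Spamhaus documents for zen, and parses the NOQUEUE line from the question. The return-code ranges (127.0.0.2 to 127.0.0.11 for listings, 127.255.255.0/24 for Spamhaus error codes, with .254 meaning "queried via a public/open resolver") are taken from Spamhaus documentation and are stated as assumptions; the DNSBL answers used below are constructed, and nothing here performs network I/O.

```python
"""Decode Spamhaus DNSBL answers and decide the SMTP action they justify.

Added example (not from the page). The answers are constructed samples;
no DNS query is sent.
"""
import ipaddress
import re

# Spamhaus return-code conventions, assumed here from Spamhaus documentation:
#   127.0.0.2 .. 127.0.0.11   listing codes (the SBL/XBL/PBL sub-ranges in zen)
#   127.255.255.0/24          error codes, never listings, among them
#       127.255.255.254       query arrived through a public/open resolver
#       127.255.255.255       query volume exceeded the free limit
LISTING_LOW = ipaddress.IPv4Address("127.0.0.2")
LISTING_HIGH = ipaddress.IPv4Address("127.0.0.11")
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")

# Copied from the question's log; the addresses were already redacted there.
SAMPLE_REJECT_LINE = (
    "Nov 14 03:23:33 ip-10-0-200-150 postfix/smtpd[25205]: NOQUEUE: reject: RCPT from "
    "mail-cwlgbr01on2134.outbound.protection.outlook.com[40.107.11.134]: 554 5.7.1 "
    "Service unavailable; Client host [40.107.11.134] blocked using sbl.spamhaus.org; "
    "Error: open resolver; https://www.spamhaus.org/returnc/pub/3.64.1.98; "
    "from=<[email protected]> to=<[email protected]> proto=ESMTP "
    "helo=<GBR01-CWL-obe.outbound.protection.outlook.com>"
)

# Constructed DNSBL answers (lists of A records; an empty list is NXDOMAIN).
OPEN_RESOLVER_ANSWER = ["127.255.255.254"]  # assumed mapping of "Error: open resolver"
LISTED_ANSWER = ["127.0.0.2"]               # an SBL listing
CLEAN_ANSWER = []                           # not listed


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reverse the client's IPv4 octets and append the zone, as a DNSBL client does."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers) -> str:
    """Map the A records of a DNSBL answer to 'listed', 'error' or 'clean'.

    Any non-empty answer outside the listing range is treated as a lookup
    problem, so an unknown code can never cause a permanent reject.
    """
    if not answers:
        return "clean"
    addrs = [ipaddress.IPv4Address(a) for a in answers]
    if any(LISTING_LOW <= a <= LISTING_HIGH for a in addrs):
        return "listed"
    return "error"  # includes every code in ERROR_NET and anything unexpected


def naive_postfix_matches(answers) -> bool:
    """Behaviour of `reject_rbl_client sbl.spamhaus.org` without a =d.d.d.d filter:
    any A record at all is a hit, so an error code yields the 554 seen on the page."""
    return bool(answers)


def filtered_postfix_matches(answers, low: int = 2, high: int = 11) -> bool:
    """Behaviour of a `zone=127.0.0.[2..11]` filter: only real listing codes match,
    error codes fall through and the mail is not rejected on their account."""
    lo = ipaddress.IPv4Address(f"127.0.0.{low}")
    hi = ipaddress.IPv4Address(f"127.0.0.{high}")
    return any(lo <= ipaddress.IPv4Address(a) <= hi for a in answers)


def smtp_action(answers):
    """SMTP reply a policy should give: permanent reject only for a real listing,
    temporary failure for lookup errors (the sender retries), None to accept."""
    verdict = classify(answers)
    if verdict == "listed":
        return (554, "5.7.1 Service unavailable; client host listed in DNSBL")
    if verdict == "error":
        return (451, "4.7.1 DNSBL lookup error; try again later")
    return None


LOG_RE = re.compile(
    r"Client host \[(?P<ip>[^\]]+)\] blocked using (?P<zone>[^;]+);"
    r"(?: (?P<txt>Error: [^;]+);)?"
)


def parse_reject_log(line: str):
    """Extract client IP, DNSBL zone and any 'Error:' TXT reason from a Postfix
    NOQUEUE reject line; returns None when the line is not a DNSBL reject."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "zone": m.group("zone"), "reason": m.group("txt")}


if __name__ == "__main__":
    hit = parse_reject_log(SAMPLE_REJECT_LINE)
    print("query name:", dnsbl_query_name(hit["ip"], hit["zone"]), "reason:", hit["reason"])
    for name, ans in [("open resolver", OPEN_RESOLVER_ANSWER), ("listed", LISTED_ANSWER), ("clean", CLEAN_ANSWER)]:
        print(f"{name:13s} naive={naive_postfix_matches(ans)} filtered={filtered_postfix_matches(ans)} action={smtp_action(ans)}")
```

Running it shows the asymmetry the answer describes: the constructed open-resolver answer is a hit for the unfiltered restriction but not for the range-filtered one, and the policy function turns it into a 451 rather than a 554. A `reason` of "Error: ..." in the parsed log line is the signal to look at the resolver (a local recursive resolver on the mail server, as the answer suggests) rather than at the sending host.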

I've found some interesting documentation that may be relevant to mention: https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/PublicMirrors/MTAs/020-Postfix.html
mangohost
