I noticed that most of the spam that spamd(8) doesn't catch comes from
machines with no valid FCrDNS and that all legitimate mails used valid
FCrDNS.

Some [1] recommend returning 550 in case of invalid FCrDNS, but if
I understand correctly, 550 is a permanent error. So this may block
legitimate mails in case of temporary DNS lookup failures, which
happen from time to time.

So I'm tempted to use 421 instead of 550, as follows:

filter check_rdns phase connect match !rdns \
        disconnect "421 DNS lookup failure, please try again later."
filter check_fcrdns phase connect match !fcrdns \
        disconnect "421 No valid FCrDNS, please try again later."

A quick test shows that this discards a lot of the spam, but I'm not
100% sure about whether this could hurt legitimate mail, hence my
question here.

Am I missing something? Is anyone successfully using this approach?

[1] 
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
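
The distinction the post worries about, as an added example that is not part of the original message and is not OpenSMTPD's code: an FCrDNS check that separates a resolver failure (outcome unknown) from a definitive "no PTR" or "PTR does not map back" answer, so the two can get different SMTP replies. The lookup callables, TransientDNSError, table_lookup and the sample tables are hypothetical and constructed for illustration; the default reply code for definitive failures is the 421 used in the post.

```python
import ipaddress
from enum import Enum

class Verdict(Enum):
    PASS = "pass"          # a PTR name resolves back to the client IP
    TEMPFAIL = "tempfail"  # SERVFAIL/timeout: the answer is unknown
    NO_RDNS = "no_rdns"    # definitive: no PTR record (the post's !rdns case)
    MISMATCH = "mismatch"  # definitive: no PTR name maps back (!fcrdns case)

class TransientDNSError(Exception): pass  # hypothetical: SERVFAIL or timeout

def fcrdns(ip, ptr_lookup, addr_lookup):
    """Lookups return [] on NXDOMAIN/NODATA and raise TransientDNSError otherwise.
    Addresses are compared parsed, so IPv6 spellings of one address match."""
    client = ipaddress.ip_address(ip)
    try:
        names = ptr_lookup(ip)
    except TransientDNSError:
        return Verdict.TEMPFAIL
    if not names:
        return Verdict.NO_RDNS
    transient = False
    for name in names:
        try:
            if any(ipaddress.ip_address(a) == client for a in addr_lookup(name)):
                return Verdict.PASS
        except TransientDNSError:
            transient = True  # remember it, keep trying the other PTR names
    return Verdict.TEMPFAIL if transient else Verdict.MISMATCH

def smtp_reply(verdict, definitive_code="421"):
    if verdict is Verdict.PASS:
        return None  # no disconnect, continue the session
    if verdict is Verdict.TEMPFAIL:
        return "421 DNS lookup failure, please try again later."
    return f"{definitive_code} No valid FCrDNS."  # pass "550" to reject for good

def table_lookup(table):  # constructed resolver stand-in
    def lookup(key):
        if key in table and table[key] is None:
            raise TransientDNSError(key)   # None models SERVFAIL/timeout
        return table.get(key, [])          # missing key models NXDOMAIN
    return lookup

# Constructed sample data (documentation address ranges, example domains).
SAMPLE_PTR = {"192.0.2.10": ["mail.example.net."], "192.0.2.20": ["a.example.org."],
              "192.0.2.30": None, "2001:db8::1": ["v6.example.net."]}
SAMPLE_FWD = {"mail.example.net.": ["192.0.2.10"], "a.example.org.": ["198.51.100.7"],
              "v6.example.net.": ["2001:0db8:0:0:0:0:0:1"]}
```

A verdict of TEMPFAIL is returned only when no PTR name confirmed the address and at least one lookup failed transiently, so a single flaky forward lookup cannot turn into a definitive mismatch.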
