On 2022-06-24 10:16 +02, Alexandre Ratchov <a...@caoua.org> wrote:
> I noticed that most of the spam that spamd(8) doesn't catch comes from
> machines with no valid FCrDNS and that all legitimate mails used valid
> FCrDNS.
>
> Some [1] recommend returning 550 in case of invalid FCrDNS, but if
> I understand correctly, 550 is a permanent error. So this may block
> legitimate mails in case of temporary DNS lookup failures, which
> happen from time to time.
>
> So I'm tempted to use 421 instead of 550, as follows:
>
> filter check_rdns phase connect match !rdns \
>     disconnect "421 DNS lookup failure, please try again later."
> filter check_fcrdns phase connect match !fcrdns \
>     disconnect "421 No valid FCrDNS, please try again later."
>

This seems like a reasonable idea; I will probably implement that in a
week or two.

> A quick test shows that this discards a lot of the spam, but I'm not
> 100% sure about whether this could hurt legitimate mail, hence my
> question here.
>

The only thing I can think of is that legitimate mail where the sender
has misconfigured their DNS, they will be informed about this later.
Something, something mail delivery delayed by 4 hours, still trying.

I looked at the code and assuming I found the right places it looks
like during lookup in smtp_getaddrinfo_cb() it distinguishes 3 DNS
cases:

  s->fcrdns = 0:  reverse doesn't exist or doesn't match
  s->fcrdns = -1: lookup failed, maybe because of timeout
  s->fcrdns = 1:  everything is good

but then in filter_check_fcrdns() this is reduced by

  ret = fcrdns == 1

so we can't distinguish between 0 and -1. I'd say it would be sensible
to permfail for 0 and tempfail for -1. I don't think this can be easily
shoehorned into the filter framework?

> Am I missing something? Is anyone successfully using this approach?
>
> [1]
> https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
> --

I'm not entirely sure you are real.
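Added example (not from the thread and not OpenSMTPD's own code): a tri-state FCrDNS check that keeps the 0 / -1 / 1 distinction the reply describes for s->fcrdns, and maps it to a 421 tempfail versus a 550 permfail as proposed. The resolver callables, the 550 reply text and the fake zone data are all constructed so the example runs offline.

```python
import ipaddress
# Resolver interface assumed for this example: ptr(ip) -> list of host names,
# addr(name) -> list of IP strings; both raise TimeoutError when a lookup fails.

def fcrdns_status(ip, ptr, addr):
    """Return 1 (valid FCrDNS), 0 (reverse missing or mismatched) or -1
    (lookup failed), the three s->fcrdns states described in the thread."""
    target = ipaddress.ip_address(ip)
    try:
        names = ptr(ip)
    except TimeoutError:
        return -1                     # could not even get a PTR: temporary
    if not names:
        return 0                      # no reverse record at all: permanent
    saw_failure = False
    for name in names:
        try:
            addrs = addr(name)        # forward-confirm the reverse name
        except TimeoutError:
            saw_failure = True
            continue
        if any(ipaddress.ip_address(a) == target for a in addrs):
            return 1
    # Nothing pointed back; report tempfail only if a forward lookup failed.
    return -1 if saw_failure else 0

def connect_reply(status):
    """Reply for the connect phase; None means let the session continue."""
    if status == 1:
        return None
    if status == -1:
        return "421 DNS lookup failure, please try again later."
    return "550 No valid FCrDNS."     # constructed permfail text

# Constructed fake zone data so the example runs offline.
FAKE_PTR = {
    "192.0.2.10": ["mail.example.org"],
    "192.0.2.20": ["bogus.example.net"],   # forward record points elsewhere
    "192.0.2.30": [],                      # no PTR record
}
FAKE_ADDR = {"mail.example.org": ["192.0.2.10"],
             "bogus.example.net": ["198.51.100.7"]}

def fake_ptr(ip):
    if ip == "192.0.2.40":
        raise TimeoutError("constructed resolver timeout")
    return FAKE_PTR.get(ip, [])

def fake_addr(name):
    return FAKE_ADDR.get(name, [])
```

Only the -1 case (a lookup that failed outright) yields the retryable 421; a reverse record that is absent or does not point back gets the permanent 550, which is the split the filter framework currently collapses.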