On 2022-06-24 10:16 +02, Alexandre Ratchov wrote:
> I noticed that most of the spam that spamd(8) doesn't catch comes from
> machines with no valid FCrDNS and that all legitimate mails used valid
> FCrDNS.
>
> Certain [1] recommend to return 550 in case of invalid FCrDNS, but if
> I understand correctly, 550 is a permanent error. So this may block
> legitimate mails in case of temporary DNS lookup failures, which
> happens from time to time.
>
> So I'm tempted to use 421 instead of 550, as follows:
>
> filter check_rdns phase connect match !rdns \
>     disconnect "421 DNS lookup failure, please try again later."
> filter check_fcrdns phase connect match !fcrdns \
>     disconnect "421 No valid FCrDNS, please try again later."
>
This seems like a reasonable idea, I will probably implement that in a
week or two.
> A quick test shows that this discards a lot of the spam, but I'm not
> 100% sure about whether this could hurt legitimate mail, hence my
> question here.
>
The only thing I can think of is that, for legitimate mail where the sender
has misconfigured their DNS, they will be informed about this
later. Something, something mail delivery delayed by 4 hours, still
trying.
I looked at the code and, assuming I found the right places, it looks like
during lookup in smtp_getaddrinfo_cb() it distinguishes 3 DNS cases:
    s->fcrdns = 0: reverse doesn't exist or doesn't match
    s->fcrdns = -1: lookup failed, maybe because of timeout
    s->fcrdns = 1: everything is good
but then in filter_check_fcrdns() this is reduced by
    ret = fcrdns == 1
so we can't distinguish between 0 and -1.
I'd say it would be sensible to permfail for 0 and tempfail for -1.
I don't think this can be easily shoehorned into the filter framework?
> Am I missing something? Anyone is successfully using this approach?
>
> [1]
> https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
>
--
I'm not entirely sure you are real.
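An offline model of the two decisions discussed above, added here as an example and not taken from OpenSMTPD or from either poster: it computes the tri-state FCrDNS result the reply describes (1 confirmed, 0 reverse missing or not matching, -1 lookup failed) and then maps it to a connect-phase reply either the way the quoted filters do (421 for everything) or the way the reply suggests (550 for 0, 421 only for -1). The resolver tables FAKE_PTR and FAKE_FORWARD, the function names, and the 550 wording are assumptions made for the example; the two 421 strings are the ones from the proposed config.

```python
"""Offline model of an FCrDNS check and the 421/550 reply mapping.

Added example for the thread above; not OpenSMTPD code. DNS answers come
from constructed in-memory tables so the script runs without network access.
"""
import ipaddress

# Constructed reverse (PTR) answers keyed by client IP (assumption).
# None models a failed lookup (timeout/SERVFAIL); [] models "no PTR record".
FAKE_PTR = {
    "192.0.2.10": ["mail.example.net."],   # good: forward confirms
    "192.0.2.20": ["mx.example.org."],     # PTR exists, forward does not match
    "192.0.2.30": [],                      # no PTR at all
    "192.0.2.40": None,                    # reverse lookup failed
    "192.0.2.50": ["host.example.com."],   # reverse ok, forward lookup failed
}

# Constructed forward (A/AAAA) answers keyed by hostname (assumption).
FAKE_FORWARD = {
    "mail.example.net.": ["192.0.2.10", "2001:db8::10"],
    "mx.example.org.": ["198.51.100.7"],
    "host.example.com.": None,
}


def lookup_ptr(ip):
    """Stand-in for a PTR query; unknown IPs simply have no PTR."""
    return FAKE_PTR.get(ip, [])


def lookup_forward(name):
    """Stand-in for an A/AAAA query; unknown names resolve to nothing."""
    return FAKE_FORWARD.get(name, [])


def check_fcrdns(ip):
    """Return (fcrdns, rdns) using the tri-state the reply describes.

     1: a reverse name exists and one of its forward addresses is ip
     0: no reverse name, or none of the forward addresses match
    -1: a lookup failed, so nothing can be concluded (temporary)
    rdns is the reverse name the session would carry, or None.
    """
    ptrs = lookup_ptr(ip)
    if ptrs is None:
        return -1, None
    if not ptrs:
        return 0, None
    addr = ipaddress.ip_address(ip)
    forward_failed = False
    for name in ptrs:
        fwd = lookup_forward(name)
        if fwd is None:
            forward_failed = True
            continue
        if any(ipaddress.ip_address(a) == addr for a in fwd):
            return 1, name
    # No name confirmed; if any forward lookup failed we cannot rule out a
    # match, so report a temporary failure rather than a mismatch.
    return (-1 if forward_failed else 0), ptrs[0]


TEMPFAIL_RDNS = "421 DNS lookup failure, please try again later."
TEMPFAIL_FCRDNS = "421 No valid FCrDNS, please try again later."
PERMFAIL_FCRDNS = "550 No valid FCrDNS."  # hypothetical wording


def connect_decision(ip, permfail_mismatch=False):
    """Reply to disconnect with at connect time, or None to accept.

    permfail_mismatch=False mirrors the two quoted filters: a session with
    no reverse name hits the !rdns rule, anything else without FCrDNS hits
    the !fcrdns rule, and both answer 421.
    permfail_mismatch=True applies the reply's suggestion: 550 when the
    reverse name is missing or does not confirm (fcrdns == 0) and 421 only
    when a lookup actually failed (fcrdns == -1).
    """
    fcrdns, rdns = check_fcrdns(ip)
    if fcrdns == 1:
        return None
    if fcrdns == 0 and permfail_mismatch:
        return PERMFAIL_FCRDNS
    return TEMPFAIL_RDNS if rdns is None else TEMPFAIL_FCRDNS


if __name__ == "__main__":
    for client in sorted(FAKE_PTR):
        print(client, check_fcrdns(client),
              connect_decision(client), connect_decision(client, True))
```

The conservative branch in check_fcrdns (a failed forward lookup on any PTR name yields -1, not 0) is the point of the distinction the reply draws: a permanent 550 should only be sent when the answers are actually known, and a resolver that timed out has not answered.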