Well, here's the code I use in filter_sender in MD to check for a valid MX. The module needs a public release with some updates and doesn't work great with IPv6, but the code is solid and has been in use for a long time at my firm.

    # IF NOT A BOUNCE, THEN CHECK VALID MX RECORDS
    if ($sender ne '<>') {
        # CHECK IF SENDER HAS VALID MX RECORDS
        # (check_valid_mx comes from the module mentioned above; it returns a
        # status of 1 for "pass or resolution problem", 0 for "invalid MX")
        my ($rv, $reason) = &check_valid_mx($sender);
        # IF WE GOT A RETURN VALUE OF 1 CHECK WHAT IT IS
        if ($rv) {
            # RESOLUTION ISSUE? LOG ERROR AND CONTINUE AS A SAFETY VALVE
            if ($reason =~ /Resolution Problem/i) {
                md_syslog('error', "ERROR: check valid MX Resolution Problem: $sender - $reason.");
            } else {
                # OTHERWISE PASSED CHECK VALID MX
                md_syslog('info', "DEBUG: Passed check valid MX: $sender");
            }
        } else {
            # FAILED CHECK VALID MX
            md_syslog('warning', "DEBUG: Rejecting $sender - Invalid MX: $reason.");
            return ('REJECT', "$QueueID: Sorry, mail not accepted. $sender has an invalid MX record: $reason.");
        }
    }

For the check against port 25, Dianne's caveat aside, look at md_check_against_smtp_server, which you can run in filter_recipient. I can share how we use a Redis backend to store the data and our routines. The valid MX check hits about 90% of the issues, and the cached check really helps us shut down DDoS and dictionary attacks.

Regards,
KAM

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Mon, Apr 9, 2018 at 10:58 AM, Dianne Skoll <d...@roaringpenguin.com> wrote:
> On Mon, 9 Apr 2018 09:56:20 -0500
> David Jones <djo...@ena.com> wrote:
>
> > On 04/09/2018 09:44 AM, Reindl Harald wrote:
> > > you simply don't want to connect to every innocent MX which inbound
> > > mail is forged because for the sake of god you are attacking the
> > > victim of spoofed mails and you are easily part of a distributed
> > > DOS when your few connections back are only a small part
>
> Also, if an innocent domain's MX server just happens to be down
> when you check, you could get a FP.
>
> Checking for the existence of a sane MX record is good practice.
> I'm not so sure about actually trying to connect to said MX, even if
> you take basic precautions to minimize connections.
>
> Regards,
>
> Dianne.
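The filter_sender snippet above leans on a check_valid_mx helper whose body is not in the post. The following is an added example, not KAM's Perl module and not MIMEDefang code, written in Python so it can run offline: it implements the same three-way outcome (pass, "Resolution Problem" safety valve, invalid MX) over a pluggable resolver, and goes a little beyond the post by handling the RFC 5321 implicit-MX fallback and the RFC 7505 null MX. The DnsAnswer type, the fake zone and all .example names are constructed for the demonstration; in production the resolver callback would wrap a real DNS library.

```python
# Added example: sender-domain MX sanity check with an injected resolver.
# Not code from the poster's module or from MIMEDefang.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class DnsAnswer:
    """One lookup result (constructed type). status is an rcode-like string:
    NOERROR, NXDOMAIN, or SERVFAIL/TIMEOUT (the last two mean 'could not resolve')."""
    status: str
    records: List[Tuple[int, str]]  # MX: (preference, exchange); A/AAAA: (0, address)


Resolver = Callable[[str, str], DnsAnswer]
RESOLUTION_PROBLEM = "Resolution Problem"  # substring the caller's safety valve matches on


def sender_domain(sender: str) -> Optional[str]:
    """Extract the domain from an envelope sender such as '<alice@example.org>'."""
    addr = sender.strip().strip("<>")
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].rstrip(".").lower()
    return domain or None


def _address_state(name: str, resolve: Resolver) -> str:
    """'yes' if name has an A or AAAA record, 'problem' if a lookup failed, else 'no'."""
    problem = False
    for rtype in ("A", "AAAA"):
        ans = resolve(name, rtype)
        if ans.status == "NOERROR" and ans.records:
            return "yes"
        if ans.status in ("SERVFAIL", "TIMEOUT"):
            problem = True
    return "problem" if problem else "no"


def check_valid_mx(sender: str, resolve: Resolver) -> Tuple[int, str]:
    """Return (1, reason) when the sender domain can receive mail or the lookup itself
    failed, (0, reason) when it cannot. A reason starting with RESOLUTION_PROBLEM
    tells the caller to log and continue instead of rejecting."""
    domain = sender_domain(sender)
    if domain is None:
        return 0, "sender address has no domain part"

    mx = resolve(domain, "MX")
    if mx.status in ("SERVFAIL", "TIMEOUT"):
        return 1, f"{RESOLUTION_PROBLEM}: MX lookup for {domain} returned {mx.status}"
    if mx.status == "NXDOMAIN":
        return 0, f"domain {domain} does not exist"

    if not mx.records:
        # No MX at all: RFC 5321 section 5.1 implicit MX, use the domain's own address record
        state = _address_state(domain, resolve)
        if state == "yes":
            return 1, f"{domain} has no MX but resolves to an address (implicit MX)"
        if state == "problem":
            return 1, f"{RESOLUTION_PROBLEM}: address lookup for {domain} failed"
        return 0, f"{domain} has neither MX nor address records"

    exchanges = sorted((pref, host.rstrip(".").lower()) for pref, host in mx.records)
    if all(host == "" for _, host in exchanges):
        # RFC 7505 null MX ("0 .") is an explicit statement that the domain takes no mail
        return 0, f"{domain} publishes a null MX (RFC 7505)"

    problem = False
    for _, host in exchanges:
        if host == "":
            continue
        state = _address_state(host, resolve)
        if state == "yes":
            return 1, f"{domain} MX {host} resolves"
        if state == "problem":
            problem = True
    if problem:
        return 1, f"{RESOLUTION_PROBLEM}: could not resolve any MX host for {domain}"
    return 0, f"no MX host for {domain} has an address record"


def filter_sender_decision(sender: str, resolve: Resolver, queue_id: str = "QID") -> Tuple[str, str]:
    """Python rendering of the post's filter_sender logic: bounces skip the check,
    a resolution problem is logged and mail continues, an invalid MX is rejected."""
    if sender == "<>":
        return "CONTINUE", "bounce: MX check skipped"
    rv, reason = check_valid_mx(sender, resolve)
    if rv:
        if reason.startswith(RESOLUTION_PROBLEM):
            return "CONTINUE", f"ERROR: check valid MX Resolution Problem: {sender} - {reason}."
        return "CONTINUE", f"DEBUG: Passed check valid MX: {sender}"
    return "REJECT", f"{queue_id}: Sorry, mail not accepted. {sender} has an invalid MX record: {reason}."


# Constructed fake zone (hypothetical names under .example) standing in for real DNS.
FAKE_ZONE = {
    ("good.example", "MX"): DnsAnswer("NOERROR", [(10, "mail.good.example.")]),
    ("mail.good.example", "A"): DnsAnswer("NOERROR", [(0, "192.0.2.25")]),
    ("nomx.example", "MX"): DnsAnswer("NOERROR", []),
    ("nomx.example", "AAAA"): DnsAnswer("NOERROR", [(0, "2001:db8::25")]),
    ("nullmx.example", "MX"): DnsAnswer("NOERROR", [(0, ".")]),
    ("dangling.example", "MX"): DnsAnswer("NOERROR", [(10, "mx.dangling.example.")]),
    ("flaky.example", "MX"): DnsAnswer("SERVFAIL", []),
    ("gone.example", "MX"): DnsAnswer("NXDOMAIN", []),
}


def fake_resolver(name: str, rtype: str) -> DnsAnswer:
    """Names absent from the fake zone answer NOERROR with no data (NODATA)."""
    return FAKE_ZONE.get((name, rtype), DnsAnswer("NOERROR", []))


if __name__ == "__main__":
    for s in ("<>", "<a@good.example>", "<a@nomx.example>", "<a@nullmx.example>",
              "<a@dangling.example>", "<a@flaky.example>", "<a@gone.example>"):
        print(s, "->", filter_sender_decision(s, fake_resolver))
```

The split between "invalid" and "resolution problem" is the part worth keeping whatever language you use: SERVFAIL and timeouts on your own resolver are not evidence about the sender, so they log and continue, while NXDOMAIN, a null MX, or MX hosts with no address are statements the domain owner made and can be rejected on without ever opening a connection to port 25.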