that may be the mistake, just reject temporary there

many bots don't retry but if there is no connect the may fall
back on the primary MX in the same second, the other benefit of the temp
reject is that the bot may think this is greylisting and come back on
the primary 10 or 15 minutes later

well, within that 10 minutes they chances to be in RBLs is high
* postscreen
* two ip-addressess
* backup MX for the second
* postscreen_whitelist_interfaces = !<backup-mx-ip>, static:all

the stats below are unique IP's

most bots starting on the backup-MX never come back
the ones which come back are mostly catched by RBL's

some big legit senders start also on the backup, hence temp-reject
because they come back with proper behavior later on the primary

Default-MX: 31400
Honeypot-MX: 16906
Honeypot-Only: 14062

On Mon, 20 Oct 2014 08:18:51 -0400
You could have no DNS record for your server. It wouldn't matter. Many
botnets don't bother with DNS. They stupidly scan the ip space
sequentially for mail servers. The best thing to do in such a case is
to drop connections from their ip blocks.

We ran nolisting set up for a number of years. It worked about as well
as reverse DNS checks for eliminating spam, without the CPU overhead
of reverse DNS check. The problem is, this does nothing about spammers
who decide to run a real mailqueue, or abuse someone else's mail server,
which is increasingly the case.

Eventually we implemented a real grey lister, sqlgrey with Postfix.

The results were worthwhile. The email delivered by our secondary MX fell
from
about 5000 per day down to 200 or so. It was so alarming I was afraid we
would hear from users on missing mail, but it really was all spam.

Our solution is Postfix with postscreen (eliminates zombies that don't
behave like a mail server), sqlgrey (eliminates systems that don't queue)
amavis with SA and clamav, RBLs like spamhaus, plus SANE security
add ons for clamav.

When I eliminated the nolisting config with all the above in place,
spam and email delivery stats did not increase.

While running with nolisting I think we encountered two sites
running home made mail software which didn't fail over to
the next MX and called us. Once we explained
why their software failed, they fixed it on their end.

I did some experimentation a few weeks ago and found that a nolisting
style "dead first MX" didn't make anywhere near as much an impact as I
hoped, while in some cases it did cause delays (although only a few lost
messages that we could find, and all from small home-grown systems that
really deserved to feed to a proper mail relay)

What does seem to still work is having a secondary/last dummy MX that
answers with 4xx, at least at this point. Based on my (definitely
unscientific) testing, I believe that dumb ratware hits the lower
priority (highest numbered) MX, smarter ratware either starts at the top
or hits them all.

For this purpose, I'm currently using junkemailfilter.com's freebie:

MX 997 mxbackup1.junkemailfilter.com.
MX 998 mxbackup2.junkemailfilter.com.

mxbackup1 is a free backup-MX service, mxbackup2 is an "always fails"
final MX. It's very clever, before accepting mail, it probes your
server. If your server is up and returns a 2xx or 4xx, it'll return a
4xx (so it won't accept mail if your server is working, thereby avoiding
the situation where a backup mail provider opens a hole in your finely
tuned filters), or if your server returns a 5xx, it will pass on the 5xx.

If your server doesn't respond, they'll 200 and accept the mail, then
forward it to your higher-numbered MX when you return.

It's a really nice package, plus they use the data they collect to
improve their service, so it's a win-win. Obviously read their policies
and ensure you're okay with part of your mail stream passing through a
third party.