his snippet should do it. If you are denying you may want to do this in the recipient ACL after you accept postmaster and abuse addresses. Watch which servers you reject, as some legitimate senders (airlines, banks, governments) have broken rDNS on their automated senders.

Verify reverse DNS lookup of the sender's host.

deny
message Reverse DNS verification failed
!verify = reverse_host_lookup
!hosts = ${if exists{CONFDIR/local_broken_dns_whitelist}\
{CONFDIR/local_broken_dns_whitelist} {}}

I find a lot of spambots give up quickly if they don't get a connection banner quickly enough. Including the following in a connect ACL may help. Disabling pipelining catches a number of spambots that don't behave well. If the delay is too long (over 30s) some legitimate servers will also give up.

Verify reverse DNS lookup of the sender's host.

Disable piplining and delay on failure.

warn
!hosts = ${if exists{CONFDIR/local_broken_dns_whitelist}\
{CONFDIR/local_broken_dns_whitelist} {}}
!verify = reverse_host_lookup
control = no_pipelining
delay = 10s