
I'm using Postfix as the mail transfer agent on my mail gateway to send and receive emails.

Because I'm communicating sensitive information, I'm using the TLS options to validate the receiver's MX. He changed his certificate, so my TLS option in /etc/postfix/tls_policy

(domain.de fingerprint match=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX)

was wrong, and the mail sat in my mail queue for 3 days before we noticed that it was stuck. Is there an option to hard-bounce "TLS mails" if those options cannot be validated?

I searched the Postfix config documentation but did not find the solution I wanted.

Adam Miklosi
Nico
  • A thought out of the box: do you really require fingerprint checking? Shouldn't it be enough to require TLS connections with valid certificates? – Gerald Schneider Oct 17 '18 at 12:10
  • @GeraldSchneider, yes, I need it, because if someone conquers the CA he is able to generate valid certificates. Now he can fake the DNS MX answer and the mails get delivered to the attacker. Checking for the right (approved) fingerprint is the highest security. But thanks. – Nico Oct 17 '18 at 12:15
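The failure described in the question (a pinned fingerprint in tls_policy going stale when the receiver rotates its certificate, so mail silently queues) can be caught proactively by periodically recomputing the MX certificate's fingerprint and comparing it with the pinned values. The following is an added example, not code from the original post or from Postfix: it parses the `fingerprint match=` entries of a tls_policy table and checks a DER certificate against them. It assumes sha256 as the digest (this must agree with `smtp_tls_fingerprint_digest` in main.cf) and uses a constructed DER blob and a constructed policy table as sample input; in real use the DER bytes come from the MX, e.g. `openssl s_client -starttls smtp -connect mx.domain.de:25 </dev/null 2>/dev/null | openssl x509 -outform DER`.

```python
import hashlib
from typing import Dict, Set, Tuple

# Assumption: the digest configured as smtp_tls_fingerprint_digest in main.cf.
DIGEST = "sha256"


def cert_fingerprint(der: bytes, digest: str = DIGEST) -> str:
    """Postfix-style fingerprint: colon-separated uppercase hex digest of the DER certificate."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_tls_policy(text: str) -> Dict[str, Set[str]]:
    """Return {domain: {pinned fingerprints}} for 'fingerprint' entries of a tls_policy table.
    Alternative fingerprints in match= are separated by '|'; other policy levels are skipped."""
    policy: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2 or parts[1] != "fingerprint":
            continue
        pinned: Set[str] = set()
        for attr in parts[2:]:
            if attr.startswith("match="):
                pinned.update(fp.upper() for fp in attr[len("match="):].split("|") if fp)
        policy[parts[0].lower()] = pinned
    return policy


def check_domain(policy: Dict[str, Set[str]], domain: str, der: bytes) -> Tuple[bool, str]:
    """True if the certificate the MX presented still matches a pinned fingerprint."""
    observed = cert_fingerprint(der)
    return observed in policy.get(domain.lower(), set()), observed


# Constructed sample data (not from the original post): a fake DER blob standing in for
# the MX certificate, and a policy pinning its fingerprint plus one stale fingerprint.
SAMPLE_DER = b"constructed-der-bytes-standing-in-for-the-mx-certificate"
STALE_FP = ":".join(["00"] * 32)
SAMPLE_POLICY = f"""# /etc/postfix/tls_policy (constructed)
domain.de fingerprint match={cert_fingerprint(SAMPLE_DER)}|{STALE_FP}
example.org encrypt
"""

if __name__ == "__main__":
    ok, fp = check_domain(parse_tls_policy(SAMPLE_POLICY), "domain.de", SAMPLE_DER)
    print("match" if ok else "MISMATCH: update tls_policy before mail queues up", fp)
```

Postfix also accepts a public-key digest in the same match= list; this check covers the certificate digest only, so a pin on the public key must be compared separately.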

1 Answer

I don't know if you can hard bounce mails in that circumstance, but you can certainly turn on delay notifications by setting delay_warning_time.

Back in prehistory, when everyone ran sendmail, it would notify the sender if a mail couldn't be delivered after four hours (by default). Postfix has a similar capability, but it's disabled by default.

Set delay_warning_time = 4h in main.cf and you will get an email if a message you sent has been queued for four hours. Or choose a different warning time. But don't make it too short; it's normal for messages to get queued for a short time (e.g. up to an hour or two).

Michael Hampton
  • I would upvote that post, but my reputation is too low. Thanks for that info, this is one of the solutions we will consider if there is no hard bounce option. So the sender will get this message? Is there a file to edit the content of the warning message? – Nico Oct 17 '18 at 12:17