
Postfix bounce when unable to validate TLS option

I'm using Postfix as the mail transfer agent on my mail gateway to send and receive emails.

Because I'm communicating sensitive information, I'm using the TLS options to validate the receiver's MX. He changed his certificate, so my TLS option in /etc/postfix/tls_policy

(domain.de fingerprint match=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX)

was wrong, and the mail sat in my mail queue for 3 days before we noticed that it was stuck. Is there an option to hard-bounce "TLS mails" if those options cannot be validated?

I searched the Postfix config documentation but did not find the solution I wanted.

    • A thought out of the box: do you really require fingerprint checking? Shouldn't it be enough to require TLS connections with valid certificates?
    • @GeraldSchneider, yes, I need it, because if someone conquers the CA he is able to generate valid certificates. Now he can fake the DNS MX answer and the mails get delivered to the attacker. Checking for the right (approved) fingerprint is the highest security. But thanks.

I don't know if you can hard bounce mails in that circumstance, but you can certainly turn on delay notifications by setting delay_warning_time.

Back in prehistory, when everyone ran sendmail, it would notify the sender if a mail couldn't be delivered after four hours (by default). Postfix has a similar capability, but it's disabled by default.

Set delay_warning_time = 4h in main.cf and you will get an email if a message you sent has been queued for four hours. Or choose a different warning time. But don't make it too short; it's normal for messages to get queued for a short time (e.g. up to an hour or two).

    • I would vote for that post, but my reputation is too low. Thanks for that info; this is one of the solutions we will consider if there is no hard bounce option. So the sender will get this message? Is there a file to edit the content of the warning message?
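As an added example (not from the original question or answer), a small Python log check that flags messages Postfix keeps deferring with "Server certificate not verified", so a fingerprint mismatch like the one above is noticed long before a message has sat in the queue for three days. The log lines are constructed to follow the Postfix smtp(8) log format; the host names, queue ids and addresses are placeholders, and the optional age threshold plays the same role for an alert that delay_warning_time plays for the sender notification.

```python
import re

# Constructed sample of Postfix smtp(8) log lines (not from the original post).
# The first message is deferred because the remote certificate did not match
# the tls_policy fingerprint; the second is delivered normally.
SAMPLE_LOG = """\
Mar  3 10:01:12 mailgw postfix/smtp[2101]: Untrusted TLS connection established to mx.domain.de[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:01:12 mailgw postfix/smtp[2101]: 4F3A21C0: to=<bob@domain.de>, relay=mx.domain.de[192.0.2.25]:25, delay=0.9, delays=0.1/0/0.6/0.2, dsn=4.7.5, status=deferred (Server certificate not verified)
Mar  3 10:05:40 mailgw postfix/smtp[2107]: 7B9D11C2: to=<alice@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.7, delays=0.1/0/0.4/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 10:31:12 mailgw postfix/smtp[2201]: 4F3A21C0: to=<bob@domain.de>, relay=mx.domain.de[192.0.2.25]:25, delay=1800, delays=1800/0/0.5/0.1, dsn=4.7.5, status=deferred (Server certificate not verified)
"""

# One delivery-attempt record: queue id, recipient, relay, total delay, DSN, status, reason.
ATTEMPT_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), .*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)


def find_tls_deferrals(log_text, min_age_sec=0):
    """Return {queue_id: summary} for messages deferred because Postfix could not
    verify the remote server certificate (fingerprint or CA mismatch).

    min_age_sec drops messages whose longest recorded delay is below the
    threshold, so ordinary short-lived queueing does not raise an alert.
    """
    stuck = {}
    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if not m or m["status"] != "deferred":
            continue
        if "certificate not verified" not in m["reason"].lower():
            continue
        entry = stuck.setdefault(m["qid"], {"rcpt": m["rcpt"], "relay": m["relay"],
                                            "attempts": 0, "max_delay": 0.0})
        entry["attempts"] += 1
        entry["max_delay"] = max(entry["max_delay"], float(m["delay"]))
    return {q: e for q, e in stuck.items() if e["max_delay"] >= min_age_sec}


if __name__ == "__main__":
    for qid, e in find_tls_deferrals(SAMPLE_LOG).items():
        print(f"{qid}: {e['attempts']} attempt(s) to {e['relay']} for {e['rcpt']} "
              f"deferred, oldest delay {e['max_delay']:.0f}s; check the tls_policy fingerprint")
```

Run against the live mail log (e.g. piped from journalctl or /var/log/mail.log) on a schedule, the same function gives an operator-side alert that does not depend on the sender reading a delay warning.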
