Postfix bounce when unable to validate TLS option

Nico asked:

I’m using postfix as mail transfer agent on my mailgateway to send and receive emails.

Because I’m communicating with sensitive information I’m using the tls options to validate the receivers mx. He changed his certificate so my tls option in /etc/postfix/tls_policy

(domain.de fingerprint match=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX)

was wrong and the mail was 3 days in my mail queue before we noticed that the mail was stuck. Is there an option to bounce “TLS mails” hard, if those options cannot be validated?

I searched the postfix config documentation but did not find the wanted solution.

My answer:


I don’t know if you can hard bounce mails in that circumstance, but you can certainly turn on delay notifications by setting delay_warning_time.

Back in prehistory, when everyone ran sendmail, it would notify the sender if a mail couldn’t be delivered after four hours (by default). Postfix has a similar capability, but it’s disabled by default.

Set delay_warning_time = 4h in main.cf and you will get an email if a message you sent has been queued for four hours. Or choose a different warning time. But don’t make it too short; it’s normal for messages to get queued for a short time (e.g. up to an hour or two).


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.