Postfix + Gmail. Certificate verification failed


Solution 1

I had the same issue and when I issued "postconf |grep smtp|grep CA" all the variables were empty:

    smtp_tls_CAfile =
    smtp_tls_CApath =
    smtpd_tls_CAfile =
    smtpd_tls_CApath =

Here's how I fixed it:

I assume your Ubuntu install created the CA path that contains all known CAs on the internet: /etc/ssl/certs, and Equifax is there.

All you're missing in your Postfix configuration is the CApath: smtp_tls_CApath = /etc/ssl/certs

Afterwards Postfix will be able to verify smtp.gmail.com's certificate as legit CA because it has it in the /etc/ssl/certs directory.

Solution 2

I think your problem is that you're setting smtpd_tls_CAfile instead of smtp_tls_CAfile.

You can use a self-signed certificate for your postfix TLS configuration.

Solution 3

I have the same configuration as you. But in addition to

    smtpd_tls_CAfile=/etc/postfix/cacert.pem

I also have in my postfix's main.cf:

    smtp_tls_CAfile=/etc/postfix/cacert.pem

Try adding this extra line. You might need to add it as part of this block:

    smtp_tls_CAfile = /etc/postfix/cacert.pem
    smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
    smtp_tls_key_file = /etc/postfix/FOO-key.pem
    smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
    smtp_use_tls = yes


Admin
Author by

Admin

Updated on September 18, 2022

Comments

  • Admin
    Admin almost 2 years

    I have set up my system to send emails via Gmail.

    The system works in so far as I can send emails, however I'm getting an error regarding the secure certificate.

    This is an example entry in the mail.log:

        Oct 29 12:17:27 durban postfix/smtp[20742]: setting up TLS connection
        to smtp.gmail.com[209.85.143.108]:587
    
        Oct 29 12:17:27 durban postfix/smtp[20742]: certificate verification
        failed for smtp.gmail.com[209.85.143.108]:587: untrusted issuer
        /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    
        Oct 29 12:17:27 durban postfix/smtp[20742]: Untrusted TLS connection
        established to smtp.gmail.com[209.85.143.108]:587: TLSv1 with cipher
        RC4-SHA (128/128 bits)
    
        Oct 29 12:17:29 durban postfix/smtp[20742]: BA4852A1BFA:
        to=<[email protected]>, relay=smtp.gmail.com[209.85.143.108]:587,
        delay=2.9, delays=0.1/0.1/1.3/1.4, dsn=2.0.0, status=sent (250 2.0.0
        OK 1319887049 l20sm20686943wbo.6)
    

    I googled this issue and have found others with the problem who were able to solve it by updating a file called cacert.pem in the /etc/postfix directory.

    In my main.cf I have the following line (amongst others):

    smtpd_tls_CAfile=/etc/postfix/cacert.pem
    

    I have this file:

    -rw-r--r-- 1 root root 2298 2011-10-29 12:16 cacert.pem
    

    I populated this file with the commands:

    # cat /usr/lib/ssl/certs/Equifax_Secure_CA.pem >> /etc/postfix/cacert.pem
    # cat /usr/lib/ssl/certs/Thawte_Premium_Server_CA.pem >> /etc/postfix/cacert.pem
    

    I believe the first line should suffice and the second line (certificate) is an old, no longer used (by Google) certificate.

    I don't know what else I can change and don't have any idea on what else to search for or which logfiles to check.

    Any hints appreciated.

  • Phil
    Phil almost 11 years
    Quick and easy way to add this when you are in a hurry: sudo postconf -e 'smtp_tls_CApath = /etc/ssl/certs' then sudo service postfix restart
  • davmac
    davmac over 9 years
    The CApath setting is not useful if the smtp daemon runs in a chroot jail, which it usually does.
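
Added example (not from any of the posts above): a small Python check that reads postconf-style output and reports the three situations discussed in this thread: no client-side trust anchors, a CA file configured only on the smtpd_ (server) side, and smtp_tls_CApath used while the smtp client is chrooted. The function names, finding labels and sample inputs are constructed for illustration, and treating only an explicit "y" in the master.cf chroot column as chrooted is an assumption.

```python
import re

def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf or written in main.cf."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def smtp_client_chrooted(master_cf):
    """True if the smtp client service in master.cf has chroot set to 'y'.
    Assumption: '-' (the version-dependent default) is treated as not chrooted."""
    for line in master_cf.splitlines():
        f = line.split()
        # columns: service type private unpriv chroot wakeup maxproc command
        if len(f) >= 8 and f[0] == "smtp" and f[1] == "unix":
            return f[4] == "y"
    return False

def audit_client_trust(postconf_text, master_cf=""):
    """Return finding labels (hypothetical names) for the outbound TLS trust setup."""
    p = parse_postconf(postconf_text)
    cafile = p.get("smtp_tls_CAfile", "")
    capath = p.get("smtp_tls_CApath", "")
    findings = []
    if not cafile and not capath:
        # The client has nothing to verify smtp.gmail.com's issuer against.
        findings.append("NO_CLIENT_CA")
        if p.get("smtpd_tls_CAfile") or p.get("smtpd_tls_CApath"):
            # smtpd_* only configures the server side (inbound connections).
            findings.append("SERVER_SIDE_ONLY")
    if capath and not cafile and smtp_client_chrooted(master_cf):
        # Per the comment above: CApath is not useful inside a chroot jail.
        findings.append("CAPATH_IN_CHROOT")
    return findings

# Constructed inputs modelled on the posts above.
QUESTION = "smtpd_tls_CAfile=/etc/postfix/cacert.pem\nsmtp_tls_CAfile =\nsmtp_tls_CApath =\n"
SOLUTION_1 = "smtp_tls_CApath = /etc/ssl/certs\n"
SOLUTION_3 = QUESTION.replace("smtp_tls_CAfile =", "smtp_tls_CAfile = /etc/postfix/cacert.pem")
CHROOTED = "smtp      unix  -       -       y       -       -       smtp\n"

if __name__ == "__main__":
    print(audit_client_trust(QUESTION))              # the question's setup
    print(audit_client_trust(SOLUTION_1, CHROOTED))  # CApath with a chrooted client
    print(audit_client_trust(SOLUTION_3))            # CAfile set on the client side
```

On a live system the first argument would be the output of postconf and the second the contents of master.cf.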