Postfix + Gmail. Certificate verification failed

I have set up my system to send emails via Gmail.

The system works in so far as I can send emails, however I'm getting an error regarding the secure certificate.

This is an example entry in the mail.log:

    Oct 29 12:17:27 durban postfix/smtp[20742]: setting up TLS connection to smtp.gmail.com[209.85.143.108]:587
    Oct 29 12:17:27 durban postfix/smtp[20742]: certificate verification failed for smtp.gmail.com[209.85.143.108]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    Oct 29 12:17:27 durban postfix/smtp[20742]: Untrusted TLS connection established to smtp.gmail.com[209.85.143.108]:587: TLSv1 with cipher RC4-SHA (128/128 bits)
    Oct 29 12:17:29 durban postfix/smtp[20742]: BA4852A1BFA: to=<[email protected]>, relay=smtp.gmail.com[209.85.143.108]:587, delay=2.9, delays=0.1/0.1/1.3/1.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1319887049 l20sm20686943wbo.6)

I googled this issue and have found others with the problem who were able to solve it by updating a file called cacert.pem in the /etc/postfix directory.

In my main.cf I have the following line (amongst others):

    smtpd_tls_CAfile=/etc/postfix/cacert.pem

I have this file:

    -rw-r--r-- 1 root root 2298 2011-10-29 12:16 cacert.pem

I populated this file with the commands:

    # cat /usr/lib/ssl/certs/Equifax_Secure_CA.pem >> /etc/postfix/cacert.pem
    # cat /usr/lib/ssl/certs/Thawte_Premium_Server_CA.pem >> /etc/postfix/cacert.pem

I believe the first line should suffice and the second line (certificate) is an old certificate that is no longer used (by Google).

I don't know what else I can change and don't have any idea on what else to search for or which logfiles to check.

Any hints appreciated.


I had the same issue and when I issued "postconf |grep smtp|grep CA" all the variables were empty:

    smtp_tls_CAfile =
    smtp_tls_CApath =
    smtpd_tls_CAfile =
    smtpd_tls_CApath =

Here's how I fixed it:

I assume your Ubuntu install created the CA path that contains all known CAs on the internet: /etc/ssl/certs, and Equifax is there.

All you're missing in your Postfix configuration is the CApath:

    smtp_tls_CApath = /etc/ssl/certs

Afterwards Postfix will be able to verify smtp.gmail.com's certificate as coming from a legit CA because it has it in the /etc/ssl/certs directory.


I think your problem is that you're setting smtpd_tls_CAfile instead of smtp_tls_CAfile.

You can use a self-signed certificate for your postfix TLS configuration.


I have the same configuration as you. But in addition to

    smtpd_tls_CAfile=/etc/postfix/cacert.pem

I also have in my postfix's main.cf:

    smtp_tls_CAfile=/etc/postfix/cacert.pem

Try adding this extra line. You might need to add it as part of this block:

    smtp_tls_CAfile = /etc/postfix/cacert.pem
    smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
    smtp_tls_key_file = /etc/postfix/FOO-key.pem
    smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
    smtp_use_tls = yes
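
Added example (not part of the original posts and not Postfix's own code): a Python check of main.cf text for the mix-up discussed in this thread, where a CA file is set only on the server-side `smtpd_` parameters while the client-side `smtp_` ones are empty. It also reports an opportunistic TLS level, which is consistent with the log above showing `status=sent` after the failed verification. The sample configs and finding names are constructed; `relayhost` and `smtp_tls_security_level` are real Postfix parameters that do not appear on the page.

```python
CLIENT_TRUST = ("smtp_tls_CAfile", "smtp_tls_CApath")    # used when Postfix connects out
SERVER_TRUST = ("smtpd_tls_CAfile", "smtpd_tls_CApath")  # used when Postfix accepts mail
ENFORCING = {"verify", "secure"}  # levels that refuse delivery if CA verification fails

def parse_main_cf(text):
    """main.cf rules: '#' comment lines, whitespace-led continuations, last value wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:   # continuation of the previous parameter
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def audit(params):
    """Return findings about how the SMTP client verifies the relay's certificate."""
    findings = []
    if not any(params.get(p) for p in CLIENT_TRUST):
        findings.append("no-client-trust-anchors")
        if any(params.get(p) for p in SERVER_TRUST):
            findings.append("ca-set-on-smtpd-only")
    # A non-empty smtp_tls_security_level overrides the legacy smtp_use_tls switch.
    level = params.get("smtp_tls_security_level") or (
        "may" if params.get("smtp_use_tls") == "yes" else "none")
    if level not in ENFORCING:
        findings.append("verification-not-enforced:" + level)
    return findings

# Constructed config reproducing the question's setup (CA file on smtpd_ only).
SAMPLE_CF = """\
# relay through Gmail
smtpd_tls_CAfile=/etc/postfix/cacert.pem
smtp_use_tls = yes
relayhost =
    [smtp.gmail.com]:587
"""
# Constructed corrected config: client-side CA path plus an enforcing level.
FIXED_CF = """\
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = verify
"""

if __name__ == "__main__":
    print(audit(parse_main_cf(SAMPLE_CF)))
    print(audit(parse_main_cf(FIXED_CF)))
```

On a live host the same functions can be fed the output of `postconf -n`, which prints the non-default settings in the same `name = value` form.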