Outgoing mail delivery to Gmail accounts (or to other servers that have SSL enabled and are configured with a valid certificate) fails with an error in
from=<[email protected]>, size=666, nrcpt=1 (queue active)
certificate verification failed for gmail-smtp-in.l.google.com: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
F01C9680292: to=<[email protected]>
Note: There may be another address of Gmail’s SMTP server, like
. This solution is valid for any cases where messages contain
Certificate Authority (CA) certificate is missing in
The server does not trust valid CAs.
Connect to the server via SSH.
Make sure that the CA bundle file exists (it contains information about valid CAs):
# ls -l /etc/pki/tls/certs/ca-bundle.crt
lrwxrwxrwx. 1 root root 49 Apr 8 00:59 /etc/pki/tls/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Update the OpenSSL package, if possible, to get a fresh version of the CA bundle:
# yum update openssl
# apt-get install --only-upgrade openssl
- Add the CA bundle setting to the Postfix configuration file as shown below:
# grep smtp_tls_CAfile /etc/postfix/main.cf
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
- Restart the Postfix daemon to apply the changes:
# /etc/init.d/postfix restart
Stopping postfix: [ OK ]
Starting postfix: [ OK ]
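The checks from the steps above can be scripted. The following is an added shell example, not part of the original article: it confirms that smtp_tls_CAfile points at a readable bundle that actually holds certificates, and lists the hosts and issuers from log lines like the one quoted at the top. The function names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not Postfix or vendor tooling.

# Print the effective smtp_tls_CAfile value from a main.cf-style file.
# Postfix keeps the last definition of a parameter; comment lines never match.
# Assumption: the value is written on one line (no continuation lines).
cafile_setting() {
    sed -n 's/^smtp_tls_CAfile[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when the configured bundle is usable, otherwise:
#   1 = parameter not set
#   2 = not a readable regular file (a dangling symlink lands here)
#   3 = file holds no PEM certificates
check_cafile() {
    bundle=$(cafile_setting "$1")
    [ -n "$bundle" ] || { echo "smtp_tls_CAfile is not set in $1"; return 1; }
    { [ -f "$bundle" ] && [ -r "$bundle" ]; } ||
        { echo "cannot read $bundle"; return 2; }
    # grep -c exits non-zero on a count of 0, so keep the printed count only.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "$count" -gt 0 ] || { echo "$bundle contains no certificates"; return 3; }
    echo "$bundle: $count CA certificates"
}

# Print unique "host | issuer" pairs from log lines of the form:
#   certificate verification failed for HOST: untrusted issuer ISSUER
untrusted_hosts() {
    sed -n 's/.*certificate verification failed for \(.*\): untrusted issuer \(.*\)$/\1 | \2/p' "$1" |
        sort -u
}

# On the server: check_cafile /etc/postfix/main.cf
```

Because ca-bundle.crt is a symlink on the system shown above, return code 2 also covers the case where the link target has been removed.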