Symptoms
Outgoing mail delivery to Gmail accounts (or to other servers that have SSL enabled and are configured with a valid certificate) fails with an error in /usr/local/psa/var/log/maillog:
from=<[email protected]>, size=666, nrcpt=1 (queue active)
certificate verification failed for gmail-smtp-in.l.google.com: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
F01C9680292: to=<[email protected]>
Note: There may be another address of Gmail’s SMTP server, like aspmx.l.google.com. This solution is valid for any cases where messages contain the "untrusted issuer" string.
Cause
Certificate Authority (CA) certificate is missing in /etc/postfix/main.cf.
The server does not trust valid CAs.
Resolution
- Connect to the server via SSH.
- Make sure that the file /etc/pki/tls/certs/ca-bundle.crt exists (it contains information about valid CAs):
# ls -l /etc/pki/tls/certs/ca-bundle.crt
lrwxrwxrwx. 1 root root 49 Apr 8 00:59 /etc/pki/tls/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
- Update the OpenSSL package if possible in order to get a fresh version of the CA bundle:
  - For RHEL/CentOS:
# yum update openssl
  - For Debian/Ubuntu:
# apt-get install --only-upgrade openssl
- Add the smtp_tls_CAfile line to the /etc/postfix/main.cf file as shown below:
# grep smtp_tls_CAfile /etc/postfix/main.cf
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
- Restart postfix daemon to apply the changes:
# /etc/init.d/postfix restart
Stopping postfix: [ OK ]
Starting postfix: [ OK ]
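
One way to verify the result of these steps and to list which remote hosts hit the error, as an added example that is not part of the original article. The function names are made up here, the sample bundle, main.cf and log lines are constructed, and the value of smtp_tls_CAfile is assumed to be a literal path.

```shell
#!/bin/sh
# Added example: checks for the "untrusted issuer" fix. File paths are arguments,
# so it can be tried on copies; the function names are hypothetical.

# Value of smtp_tls_CAfile in a main.cf-style file (the last assignment wins).
get_cafile() {
    sed -n 's/^smtp_tls_CAfile[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Return 0 if the configured bundle is readable and holds PEM certificates.
check_cafile() {
    cafile=$(get_cafile "$1")
    [ -n "$cafile" ] || { echo "smtp_tls_CAfile is not set in $1"; return 1; }
    # -r follows symlinks, so a dangling ca-bundle.crt link fails here too.
    [ -r "$cafile" ] || { echo "CA bundle $cafile is missing or unreadable"; return 2; }
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cafile" || true)
    [ "$count" -gt 0 ] || { echo "$cafile contains no PEM certificates"; return 3; }
    echo "OK: $cafile ($count certificates)"
}

# Unique "host issuer" pairs from untrusted-issuer failures in a mail log.
untrusted_issuers() {
    sed -n 's/.*certificate verification failed for \(.*\): untrusted issuer \(.*\)$/\1 \2/p' "$1" | sort -u
}

# Constructed sample data (not taken from a real server).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' \
    > "$demo/ca-bundle.crt"
printf '%s\n' 'myhostname = mail.example.test' "smtp_tls_CAfile = $demo/ca-bundle.crt" \
    > "$demo/main.cf"
printf '%s\n' \
    'postfix/smtp[101]: certificate verification failed for gmail-smtp-in.l.google.com: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority' \
    'postfix/smtp[102]: certificate verification failed for gmail-smtp-in.l.google.com: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority' \
    'postfix/qmgr[103]: F01C9680292: removed' > "$demo/maillog"

check_cafile "$demo/main.cf"
untrusted_issuers "$demo/maillog"
```

On a server, pass /etc/postfix/main.cf and /usr/local/psa/var/log/maillog instead of the demo files.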