Mail delivery from Plesk to Gmail account fails: certificate verification failed for *.l.google.com: untrusted issuer

Symptoms

Outgoing mail delivery to Gmail (or other servers which has SSL enabled and configured with valid certificate) accounts fails with error in
/usr/local/psa/var/log/maillog
:

from=<[email protected]>, size=666, nrcpt=1 (queue active)
certificate verification failed for gmail-smtp-in.l.google.com: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
F01C9680292: to=<[email protected]>

Note: There may be another address of Gmail’s SMTP server, like
aspmx.l.google.com
. This solution is valid for any cases where messages contain
untrusted issuer
string.

Cause

Certificate Authority (CA) certificate is missing in
/etc/postfix/main.cf
.

The server does not trust valid CAs.

Resolution

1. Connect to the server via SSH.

2. Make sure that file
/etc/pki/tls/certs/ca-bundle.crt
exists (it contains information about valid CAs).

   # ls -l /etc/pki/tls/certs/ca-bundle.crt
   lrwxrwxrwx. 1 root root 49 Apr 8 00:59 /etc/pki/tls/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

3. Update OpenSSL package if possible in order to get fresh version of CA bundle:

• For RHEL/CentOS:

  # yum update openssl

• For Debian/Ubuntu:

  # apt-get install –only-upgrade openssl

4. Add line
smtp_tls_CAfile
to
/etc/postfix/main.cf
file as shown below:

   # grep smtp_tls_CAfile /etc/postfix/main.cf
   smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

5. Restart postfix daemon to apply the changes:

   # /etc/init.d/postfix restart
   Stopping postfix: [ OK ]
   Starting postfix: [ OK ]