Fix for Postfix untrusted certificate TLS error
Setup a brand new AWS instance based on the official Ubuntu 10.10 AMI. Configured mail and noticed that Postfix kept logging a TLS error about an untrusted certificate when sending mail. Argh. This is the same error I've been meaning to address on my Debian 5 boxes, but kept putting off because something else always seems to come up. That's it. No more. It's getting fixed today.
The part that drove me nuts the last time I briefly looked into this, is that the CA cert it was complaining about was there, in "/etc/ssl/certs", along with many others, symlinked to "/usr/share/ca-certificates", but there just the same. All provided by the package ever so aptly named "ca-certificates". After scouring the web for a bit and coming across solutions that just seemed wrong, it finally dawned on me -- Postfix on Debian (and Ubuntu) runs chrooted by default. So of course it can't access the certs in "/etc"!
My first instinct was to just disable the chroot, which is done easily enough in master.cf, and be done with it. But that felt like a surrender, so kept digging, then after a few more minutes, a perfect solution emerged.
The certs are actually already inside the chroot, all in one big file "/var/spool/postfix/etc/ssl/certs/ca-certificates.crt", all we have to do is tell Postfix to look there, which can be done by adding the following to "/etc/postfix/main.cf":
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
Restart Postfix and problem is solved. Yay.
1 2 3
Jan 26 18:24:07 xx postfix/smtp: setting up TLS connection to xx.s9a1.psmtp.COM[126.96.36.199]:25 Jan 26 18:24:08 xx postfix/smtp: certificate verification failed for xx.s9a1.psmtp.com[188.8.131.52]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority Jan 26 18:24:08 xx postfix/smtp: Untrusted TLS connection established to xx.s9a1.psmtp.COM[184.108.40.206]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 26 18:25:34 xx postfix/smtp: setting up TLS connection to xx.s9a1.psmtp.COM[220.127.116.11]:25 Jan 26 18:25:34 xx postfix/smtp: Trusted TLS connection established to xx.s9a1.psmtp.COM[18.104.22.168]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
I realize this all might seem elementary to some, but I can't help but feel pleased with myself. It's ok, it won't last.