Fix for Postfix untrusted certificate TLS error

Set up a brand new AWS instance based on the official Ubuntu 10.10 AMI. Configured mail and noticed that Postfix kept logging a TLS error about an untrusted certificate when sending mail. Argh. This is the same error I've been meaning to address on my Debian 5 boxes, but kept putting off because something else always seems to come up. That's it. No more. It's getting fixed today.

The part that drove me nuts the last time I briefly looked into this is that the CA cert it was complaining about was there, in /etc/ssl/certs, along with many others, symlinked to /usr/share/ca-certificates, but there just the same. All provided by the package ever so aptly named ca-certificates. After scouring the web for a bit and coming across solutions that just seemed wrong, it finally dawned on me -- Postfix on Debian (and Ubuntu) runs chrooted by default. So of course it can't access the certs in /etc!

My first instinct was to just disable the chroot, which is done easily enough in master.cf, and be done with it. But that felt like a surrender, so I kept digging, and after a few more minutes a perfect solution emerged.

The certs are actually already inside the chroot, all in one big file, /var/spool/postfix/etc/ssl/certs/ca-certificates.crt. All we have to do is tell Postfix to look there, which is done by adding the following to /etc/postfix/main.cf:

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Restart Postfix and the problem is solved. Yay.

Before:

Jan 26 18:24:07 xx postfix/smtp[14180]: setting up TLS connection to xx.s9a1.psmtp.COM[74.125.148.10]:25
Jan 26 18:24:08 xx postfix/smtp[14180]: certificate verification failed for xx.s9a1.psmtp.com[74.125.148.10]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Jan 26 18:24:08 xx postfix/smtp[14180]: Untrusted TLS connection established to xx.s9a1.psmtp.COM[74.125.148.10]:25: TLSv1 with cipher AES256-SHA (256/256 bits)

After:

Jan 26 18:25:34 xx postfix/smtp[821]: setting up TLS connection to xx.s9a1.psmtp.COM[74.125.148.10]:25
Jan 26 18:25:34 xx postfix/smtp[821]: Trusted TLS connection established to xx.s9a1.psmtp.COM[74.125.148.10]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
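As an added example (not code from the original post), here is a small POSIX shell check for the two things above: that the bundle named by smtp_tls_CAfile is readable both on the host and under the Postfix chroot, and how many smtp client sessions in the mail log ended with the "certificate verification failed" / "Untrusted TLS connection established" messages quoted above. The Debian/Ubuntu paths (/etc/postfix/main.cf, /var/spool/postfix, /var/log/mail.log) are assumptions; pass whatever your system uses.

```shell
# Added example, not from the original post. Assumed Debian/Ubuntu layout:
# main.cf in /etc/postfix, chroot root /var/spool/postfix, log /var/log/mail.log.

# Print the value of one main.cf parameter; the last assignment wins and
# trailing whitespace is dropped. `postconf -h` does this on a live system,
# but a sed parser keeps the example self-contained.
main_cf_get() {            # $1 = main.cf path, $2 = parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Number of PEM certificates in a bundle; 0 when the file is unreadable.
cert_count() {             # $1 = bundle path
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Classify the configured CA file as seen from the host and from inside the
# chroot. Prints one of: unset, missing-on-host, missing-in-chroot, ok.
check_ca_file() {          # $1 = main.cf path, $2 = chroot root (no trailing /)
    cafile=$(main_cf_get "$1" smtp_tls_CAfile)
    [ -n "$cafile" ] || { echo unset; return 1; }
    host_n=$(cert_count "$cafile")
    jail_n=$(cert_count "$2$cafile")
    if [ "$host_n" -eq 0 ]; then echo missing-on-host; return 1; fi
    if [ "$jail_n" -eq 0 ]; then echo missing-in-chroot; return 1; fi
    echo ok
}

# Count smtp client log lines where verification failed or the session was
# established to an untrusted peer; a correctly configured box logs neither.
untrusted_tls_count() {    # $1 = Postfix log file
    grep -c -E 'postfix/smtp\[[0-9]+\]: (certificate verification failed|Untrusted TLS connection established)' "$1" || true
}

# Typical invocation on a Debian/Ubuntu box (assumed paths):
#   check_ca_file /etc/postfix/main.cf /var/spool/postfix
#   untrusted_tls_count /var/log/mail.log
```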

I realize this all might seem elementary to some, but I can't help but feel pleased with myself. It's ok, it won't last.

20 Comments

  • 1. OJ replies at 19th April 2011, 7:42 am :

    Ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh!

    Man, you have no idea how much grief you cured with this post. I thought this bloody warning would drive me to drink! 😉

    Thanks for the help! 🙂

    OJ

  • 2. d0rk replies at 14th June 2011, 8:43 am :

    You saved my day!

    This was the solution for postfix with TLS at GMX.NET on UBUNTU 10.04 LTS (lucid) too!

    Thanks!!!

  • 3. Davide replies at 11th August 2011, 5:43 pm :

    THANK YOU pal
    you rock!

  • 4. jon replies at 11th October 2011, 12:58 pm :

    Sahweet!

  • 5. Steve Zhan replies at 23rd November 2011, 4:57 am :

    I also have this problem. It’s been bugging me for days.
    Thanks for sharing. It really helps.

  • 6. Dennis replies at 13th December 2011, 7:22 am :

    Thank you! So many other places in the web are simply telling ignore it or change your log level …

  • 7. Miriam Berens replies at 24th February 2012, 12:30 am :

    “Appreciate you sharing, great article. Many thanks again. Amazing.”

  • 8. Keenan replies at 13th March 2012, 10:22 pm :

    Thanks. I noticed the chroot and that the files were there, but didn’t pick up that while the directory was ‘real’, all the contents were symlinks! Nor that the files were conveniently aggregated in the .crt file. Saved me some headscratching, thanks.

  • 9. Transfer mail encrypted b… replies at 13th March 2012, 10:55 pm :

    […] need to point postfix to it. The normal path is not accessible from inside the chroot. Thanks to Alain Kelder for pointing this out. With all that done, our server is good and enabled to send out his outgoing mail […]

  • 10. pero replies at 5th April 2012, 7:19 am :

    THX!

  • 11. Roman replies at 29th November 2012, 3:28 am :

    Thanks!!

  • 12. Erik replies at 2nd March 2013, 4:54 pm :

    Saved my day as well, many many thanks!

  • 13. Eryx replies at 26th March 2013, 2:32 am :

    Thanks a lot, it saved me a lot of time.

  • 14. Carlos Alberto replies at 21st April 2013, 6:34 am :

    Man, I was looking for this for a long time! Thank you very much!

  • 15. Dan Langille replies at 18th October 2013, 6:05 am :

    I was missing the smtp_tls_CAfile from my local mail server and I was having the same problem. Thank you.

  • 16. Stefan replies at 7th February 2014, 12:37 pm :

    Great!
    Thanks for the hints on the chrooted etc dir and the all-in-one crt file!

  • 17. Paolo replies at 26th May 2014, 11:40 am :

    Yes! you can!

  • 18. Tim H replies at 12th September 2014, 5:18 pm :

    Thank you! My sanity was restored. I only just got TLS working with postfix and this error was annoying me. Appreciate you took the time to share!

    Tim

  • 19. thefrog replies at 30th September 2014, 9:51 pm :

    Thanks! This post helped me.

  • 20. rg42 replies at 16th December 2015, 9:56 am :

    I had the same problem and this helped to solve it for me. I do own a RapidSSL DV cert and have to use their intermediate cert (RapidSSL SHA256 CA - G3) and thus I had this in my main.cf:

    smtpd_tls_CAfile = /etc/ssl/certs/rapidssl.crt

    But I still encountered the Untrusted TLS connection; to fix it I added this to my configuration:

    smtpd_tls_CApath = /etc/ssl/certs

    CApath will load all certs from /etc/ssl and the docs say:

    You may want to put your "preferred" CA or CAs in $smtpd_tls_CAfile, and install the remaining trusted CAs in $smtpd_tls_CApath.
