Fix for Postfix untrusted certificate TLS error
Set up a brand new AWS instance based on the official Ubuntu 10.10 AMI. Configured mail and noticed that Postfix kept logging a TLS error about an untrusted certificate when sending mail. Argh. This is the same error I've been meaning to address on my Debian 5 boxes, but kept putting off because something else always seems to come up. That's it. No more. It's getting fixed today.
The part that drove me nuts the last time I briefly looked into this is that the CA cert it was complaining about was there, in /etc/ssl/certs, along with many others, symlinked to /usr/share/ca-certificates, but there just the same. All provided by the package ever so aptly named ca-certificates. After scouring the web for a bit and coming across solutions that just seemed wrong, it finally dawned on me: Postfix on Debian (and Ubuntu) runs chrooted by default. So of course it can't access the certs in
My first instinct was to just disable the chroot, which is done easily enough in master.cf, and be done with it. But that felt like a surrender, so I kept digging, and after a few more minutes a perfect solution emerged.
The certs are actually already inside the chroot, all in one big file, /var/spool/postfix/etc/ssl/certs/ca-certificates.crt. All we have to do is tell Postfix to look there. Since the chrooted smtp client resolves paths relative to the jail root (/var/spool/postfix), that file is /etc/ssl/certs/ca-certificates.crt from Postfix's point of view, so add the following to /etc/postfix/main.cf:

    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
Restart Postfix and problem is solved. Yay.
Before the change:

    Jan 26 18:24:07 xx postfix/smtp: setting up TLS connection to xx.s9a1.psmtp.COM[18.104.22.168]:25
    Jan 26 18:24:08 xx postfix/smtp: certificate verification failed for xx.s9a1.psmtp.com[22.214.171.124]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    Jan 26 18:24:08 xx postfix/smtp: Untrusted TLS connection established to xx.s9a1.psmtp.COM[126.96.36.199]:25: TLSv1 with cipher AES256-SHA (256/256 bits)

After the change:

    Jan 26 18:25:34 xx postfix/smtp: setting up TLS connection to xx.s9a1.psmtp.COM[188.8.131.52]:25
    Jan 26 18:25:34 xx postfix/smtp: Trusted TLS connection established to xx.s9a1.psmtp.COM[184.108.40.206]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
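To turn the diagnosis above into something repeatable, here is an added shell example (my own code, not from the original post or the Postfix project). It reads the chroot column of the smtp client service from master.cf, resolves smtp_tls_CAfile the way a chrooted process would (relative to queue_directory, following the post's explanation), and counts "Untrusted TLS connection" lines in smtp client logs. The master.cf and log lines embedded in it are constructed samples; the assumption that a "-" in the chroot column means chrooted matches Postfix versions before 3.0, which is what Ubuntu 10.10 shipped.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the post's
# diagnosis as a check: is the Postfix smtp client chrooted, and where does
# smtp_tls_CAfile then resolve on the host? The master.cf and log lines below
# are constructed samples; /var/spool/postfix is Postfix's default
# queue_directory (the chroot root on Debian/Ubuntu).

# Print the chroot column of the "smtp unix" service from master.cf text on
# stdin. master.cf columns: service type private unpriv chroot wakeup maxproc command
smtp_chroot_flag() {
    awk '$1 == "smtp" && $2 == "unix" { print $5; exit }'
}

# Postfix < 3.0 (the Ubuntu 10.10 era of the post) treats "-" as chrooted;
# Postfix >= 3.0 defaults it to "n". Assumption here: the pre-3.0 default.
is_chrooted() {
    case "$1" in
        y|-) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the host-side path Postfix will actually open for the given CA file,
# i.e. prefixed with queue_directory when the client runs inside the jail.
resolve_ca_path() {
    flag=$1; queue_dir=$2; ca_file=$3
    if is_chrooted "$flag"; then
        printf '%s%s\n' "$queue_dir" "$ca_file"
    else
        printf '%s\n' "$ca_file"
    fi
}

# Count smtp client log lines that report an unverified peer certificate.
# With the default smtp_tls_security_level = may this is informational only:
# the mail is still delivered over the unverified TLS session.
untrusted_tls_count() {
    grep -c 'postfix/smtp.*Untrusted TLS connection established' || true
}

# Constructed sample input (hostnames and IPs are placeholders, not real peers).
SAMPLE_MASTER='smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp'
SAMPLE_LOG='Jan 26 18:24:08 host postfix/smtp[1234]: Untrusted TLS connection established to mx.example.net[192.0.2.25]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 26 18:25:34 host postfix/smtp[1235]: Trusted TLS connection established to mx.example.net[192.0.2.25]:25: TLSv1 with cipher AES256-SHA (256/256 bits)'

# Stand-alone run: check the sample config, then, if this is a real Postfix
# host, repeat the check against the live postconf(1) values.
main() {
    flag=$(printf '%s\n' "$SAMPLE_MASTER" | smtp_chroot_flag)
    echo "sample master.cf: chroot flag '$flag', CA file resolves to $(resolve_ca_path "$flag" /var/spool/postfix /etc/ssl/certs/ca-certificates.crt)"
    echo "sample log: $(printf '%s\n' "$SAMPLE_LOG" | untrusted_tls_count) untrusted TLS connection(s)"
    if command -v postconf >/dev/null 2>&1; then
        live_ca=$(postconf -h smtp_tls_CAfile)
        if [ -z "$live_ca" ]; then
            echo "live: smtp_tls_CAfile is not set"
            return 0
        fi
        live_flag=$(smtp_chroot_flag < "$(postconf -h config_directory)/master.cf")
        live_path=$(resolve_ca_path "$live_flag" "$(postconf -h queue_directory)" "$live_ca")
        if [ -r "$live_path" ]; then
            echo "live: $live_path is readable"
        else
            echo "live: $live_path is missing (CA bundle not visible to the smtp client)"
        fi
    fi
}

main "$@"
```

On a Debian-family host the live branch is what matters: if it reports the path under /var/spool/postfix as missing, the chrooted client has no CA bundle to verify against, which is exactly the state the "untrusted issuer" log lines above describe. Note that the count of "Untrusted" lines is a detection aid, not an enforcement control; with the default opportunistic TLS level, Postfix delivers anyway, so treating these lines as a failure signal only makes sense once a stricter smtp_tls_security_level is in use.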
I realize this all might seem elementary to some, but I can't help but feel pleased with myself. It's ok, it won't last.