postfix/smtp: certificate verification failed for gmail

We host our email at gmail, and on our new server we keep getting the following message in /var/log/mail.err:

Apr 9 21:08:16 xxxxxx postfix/smtp[nnnnn]: certificate verification failed for gmail-smtp-in.l.google.com[173.194.70.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

I tried downloading and rehashing the certificates, but that didn’t make the error go away. In the end the solution to this problem turned out to be much simpler:

/etc/ssl/certs/ca-certificates.crt (or rather the file this symlink points to) contains the CA certificates of the root CAs and the intermediate CAs. All I needed to do was tell postfix to load this file, by adding the following line to /etc/postfix/main.cf:

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

And restarting postfix:

# service postfix restart
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.

And when sending a new email, no error message!

5 thoughts on “postfix/smtp: certificate verification failed for gmail”

    1. Likely you are running postfix in chroot.
      From postfix TLS readme:

      The $smtpd_tls_CAfile contains the CA certificates of one or more trusted CAs. The file is opened (with root privileges) before Postfix enters the optional chroot jail and so need not be accessible from inside the chroot jail.

      Additional trusted CAs can be specified via the $smtpd_tls_CApath directory, in which case the certificates are read (with $mail_owner privileges) from the files in the directory when the information is needed. Thus, the $smtpd_tls_CApath directory needs to be accessible inside the optional chroot jail.

      1. Thanks for your reply. I guess you are right about the chroot. My postfix is running in a chroot. On Debian Wheezy, the script /etc/init.d/postfix has code to copy /etc/ssl/certs/ca-certificates.crt into the chroot environment; however, it copies just this file, not the whole /etc/ssl/certs/ directory.

        Note though that we are talking about smtp here, not smtpd.
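The post sets smtp_tls_CAfile, and the comments turn on whether the smtp client runs chrooted. The script below is an added example, written for this page and not code from the original post, its commenters or the Postfix project: it audits a main.cf / master.cf pair for exactly those two points. The function names (postfix_ca_file, smtp_chroot, audit_smtp_tls) are my own, and the configuration files it reads are constructed in a temporary directory, with an empty file standing in for the real ca-certificates.crt bundle, so it runs offline against copies rather than against /etc/postfix.

```shell
#!/bin/sh
# Added example, not code from the original post or its commenters.
# Audits a Postfix main.cf / master.cf pair for the two things the post turns on:
# whether the smtp *client* has a CA file (smtp_tls_CAfile) and whether the smtp
# client service runs chrooted. Paths are passed in, so it works on copies.

# postfix_ca_file MAIN_CF
#   Prints the value of smtp_tls_CAfile (last assignment wins, as postconf does),
#   or nothing when the parameter is unset.
postfix_ca_file() {
    sed -n 's/^[[:space:]]*smtp_tls_CAfile[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# smtp_chroot MASTER_CF
#   Prints the chroot column (5th field) of the "smtp unix ... smtp" client entry.
#   The "smtp inet ... smtpd" line is the server (smtpd) and is deliberately skipped,
#   since the post is about the client side.
smtp_chroot() {
    awk '$1 == "smtp" && $2 == "unix" && $8 == "smtp" { print $5 }' "$1"
}

# audit_smtp_tls MAIN_CF MASTER_CF
#   Returns 0 when smtp_tls_CAfile is set and readable, 1 otherwise, and prints a
#   one-line verdict. The chroot column is reported because, as the comments note,
#   a chrooted client only sees what has been copied into the jail.
audit_smtp_tls() {
    ca=$(postfix_ca_file "$1")
    chroot=$(smtp_chroot "$2")
    if [ -z "$ca" ]; then
        echo "smtp_tls_CAfile is unset: the smtp client gets no trust anchors from this parameter"
        return 1
    fi
    if [ ! -r "$ca" ]; then
        echo "smtp_tls_CAfile=$ca is not readable"
        return 1
    fi
    echo "smtp_tls_CAfile=$ca is readable; smtp client chroot column: ${chroot:-missing}"
    return 0
}

# --- constructed sample configuration, written to a temporary directory ---
demo_dir=$(mktemp -d)
touch "$demo_dir/ca-certificates.crt"    # stands in for the real CA bundle
printf 'smtp      unix  -       -       y       -       -       smtp\n' > "$demo_dir/master.cf"

# Before: a main.cf with no CA file for the client, the state behind the log line in the post.
printf 'smtp_tls_security_level = may\n' > "$demo_dir/main.cf"
audit_smtp_tls "$demo_dir/main.cf" "$demo_dir/master.cf" || echo "  -> issuer cannot be trusted without a CA file"

# After: the line the post adds.
printf 'smtp_tls_CAfile = %s\n' "$demo_dir/ca-certificates.crt" >> "$demo_dir/main.cf"
audit_smtp_tls "$demo_dir/main.cf" "$demo_dir/master.cf"

rm -r "$demo_dir"
```

Two things worth knowing when reading the verdict. First, the Postfix TLS README says the same thing about smtp_tls_CAfile as the passage quoted above says about smtpd_tls_CAfile: the file is opened with root privileges before Postfix enters the chroot jail, so the CAfile fix works even for a chrooted client, whereas a smtp_tls_CApath directory would have to exist inside the jail. Second, at the opportunistic "may" security level the "certificate verification failed" line is only a warning and the mail is still delivered; verification failure only blocks delivery at the "verify" or "secure" levels.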
