PHPMailer worked fine until June 1st 2020. The SSL certificate for the site sending the email is valid from June 1st 2019 to June 1st 2021 and is accepted fine in the browser, but postfix suddenly has a TLS problem. I have access to both the email server and the web server attempting to send the email and they are running on the same network. I get the following messages when the site attempts to send the email.
log/maillog on the email server:
Jun 9 12:26:39 12-34-56-78 postfix/submission/smtpd[3299]: connect from unknown[12.34.56.80]
Jun 9 12:26:39 12-34-56-78 postfix/submission/smtpd[3299]: SSL_accept error from unknown[12.34.56.80]: 0
Jun 9 12:26:39 12-34-56-78 postfix/submission/smtpd[3299]: warning: TLS library problem: 3299:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:s3_pkt.c:1493:SSL alert number 45:
Jun 9 12:26:39 12-34-56-78 postfix/submission/smtpd[3299]: lost connection after STARTTLS from unknown[12.34.56.80]
Jun 9 12:26:39 12-34-56-78 postfix/submission/smtpd[3299]: disconnect from unknown[12.34.56.80]
I checked that none of the configuration files have changed for either postfix or PHPMailer. They're still dated as last modified in 2019.
I don't want to disable 'verify peer' because it really ought to verify the peer. I just can't tell why it stopped working when the certificate hasn't changed, but I'm sure the dates are more than coincidental. How do I fix this and how do I prevent this in the first place?
** EDIT **
In my case the problem was that the CA bundle was expired, even though the certificate was valid. I think they have to be together in the same file for postfix config.
I completely misunderstood which side had an issue with which. In this case the client had an issue with the email server.
To fix:
Check postfix/main.cf (or whatever your file is named)
Look for the line specifying smtpd_tls_cert_file
Replace that file with the current cert (including the CA bundle)
EDIT:
I had a cert issued by the following people, whose root CA bundle expired: https://www.ssls.com/knowledgebase/sectigo-root-certificate-expiring-may-30-2020/
This message means that Postfix received (ssl_read_bytes) a TLS alert from the client (i.e. PHPMailer) that it will not accept the certificate provided by Postfix since this certificate is expired. This suggests that you maybe changed the certificate for the web server but that you kept the expired certificate for Postfix.
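The reading given in the answer above can be checked mechanically from the log line itself. The following is an added example, not code from the original posts or from Postfix: it decodes the packed OpenSSL error code in a Postfix smtpd warning and reports whether it is an alert received from the peer. It assumes the pre-3.0 OpenSSL error-code layout (the `s3_pkt.c` reference in the log indicates such a version); the function names and the sample text are constructed for illustration.

```python
import re

# TLS alert descriptions that concern certificates (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
ERR_LIB_SSL = 0x14            # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000   # reason = 1000 + alert number for a received alert

# Constructed sample: two lines copied from the maillog excerpt in the question.
SAMPLE_LOG = """\
Jun 9 12:26:39 12-34-56-78 postfix/submission/smtpd[3299]: SSL_accept error from unknown[12.34.56.80]: 0
Jun 9 12:26:39 12-34-56-78 postfix/submission/smtpd[3299]: warning: TLS library problem: 3299:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:s3_pkt.c:1493:SSL alert number 45:
"""

ERR_RE = re.compile(
    r"postfix/(?:\S+/)?smtpd\[\d+\]: warning: TLS library problem: "
    r"\d+:error:([0-9A-Fa-f]{8}):")

def decode_openssl_error(code_hex):
    """Split a packed error code into (lib, func, reason).
    Assumption: OpenSSL before 3.0, which packs 8 + 12 + 12 bits."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def explain(line):
    """Describe a TLS alert that smtpd received, or return None for other lines."""
    m = ERR_RE.search(line)
    if not m:
        return None
    lib, _func, reason = decode_openssl_error(m.group(1))
    if lib != ERR_LIB_SSL or reason < SSL_AD_REASON_OFFSET:
        return None  # a local libssl failure, not an alert sent by the peer
    alert = reason - SSL_AD_REASON_OFFSET
    # smtpd is the server side, so the sender of the alert is the connecting
    # client, and what it rejected is the chain Postfix presented.
    return {"alert": alert,
            "name": CERT_ALERTS.get(alert, "not certificate related"),
            "sent_by": "client",
            "check": "smtpd_tls_cert_file"}

def scan(log_text):
    """Return the explanation for every received-alert line in a log excerpt."""
    return [e for e in map(explain, log_text.splitlines()) if e is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

For the line in the question, the code `14094415` splits into library 0x14, function 0x094 and reason 1045, which is alert 45 (`certificate_expired`) sent by the client about the file named in `smtpd_tls_cert_file`.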