Home / server / Questions / 1036749
Accepted
Gill-Bates
Asked: 2020-10-08 02:11:16 +0800 CST

Postfix: Untrusted TLS connection established - How to solve this error?

  • 772

I use Postfix in combination with Lets Encrypt to transmit TLS encrypted e-mails.

The following parameters in /etc/postfix/main.cf are relevant:

smtp_tls_key_file = /etc/letsencrypt/live/foo.bar/privkey.pem
smtp_tls_cert_file = /etc/letsencrypt/live/foo.bar/fullchain.pem
smtp_tls_CAfile = /etc/letsencrypt/live/foo.bar/fullchain.pem

I can send e-mails without problems, but I get the warning message that Postfix cannot verify the certificate of the receiving site:

postfix/smtp[10736]: Untrusted TLS connection established to example.com[xxx.xxx.xxx.xxx]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)

I suspect this is because Postfix is not able to access its certificate store with this parameter:

smtp_tls_CAfile = /etc/letsencrypt/live/foo.bar/fullchain.pem

A change to smtp_tls_CAfile = /etc/ssl/certs will break my entire TLS-Configuration.

What do I have to configure so that Postfix is able to send encrypted messages via Lets Encrypt and to check the certificate on the recipient side?

debian postfix

1 Answers

  1. Best Answer

    Solved. The issue was missing CA-Certificates. So Postfix was not able to verify the Issuer of the Client.

    Solved by installing

    sudo apt install ca-certificates

    Then pointing Postfix to the CA-Certificates:

    sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
sudo postfix reload

    Result:

    tail -f /var/log/mail.log
postfix/smtp[11023]: Trusted TLS connection established to ...
    • 7