I'm trying to use Postfix as a Gmail relay.
The SMTP parameters are:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls=yes
smtp_tls_CAfile = /etc/ssl/ca-certificates.crt
smtp_tls_key_file=/etc/letsencrypt/live/MYDOMAIN.com/privkey.pem
smtp_tls_cert_file=/etc/letsencrypt/live/MYDOMAIN.com/cert.pem
smtp_tls_security_level=encrypt
The message appears as correctly sent, but actually no mail is delivered, and in the mail log the issue seems to be caused by an error with TLS:
cannot load Certification Authority data, CAfile="/etc/ssl/ca-certificates.crt": disabling TLS support
warning: TLS library problem: error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/etc/ssl/ca-certificates.crt','r'):
warning: TLS library problem: error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
warning: TLS library problem: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:../crypto/x509/by_file.c:199:
connect to smtp.gmail.com:25: Network is unreachable
The file ca-certificates.crt exists in the path /etc/ssl/ and was already present in the Debian distro.
Another weird thing is that if in main.cf I try to change the line
smtp_tls_CAfile = /etc/ssl/ca-certificates.crt
to use some other certificate, the error
cannot load Certification Authority data, CAfile="/etc/ssl/ca-certificates.crt": disabling TLS support
remains the same, rather than pointing to the name of the certificate configured, despite having used postfix reload and systemctl restart postfix.service to make sure the configuration is updated.
How should I fix this error?
On my Debian machines (9, 10 and 11) the path to ca-certificates.crt is:
This should be the default; I did not change it.
On my Postfix installations I didn't even set the smtp_tls_CAfile parameter. If you installed both Postfix and the ca-certificates package via the Debian package management, it should default to the correct file.
Try chmod 644 ca-certificates.crt or verify the correct layout for a certificate bundle.
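
A check along the lines the answers suggest, as an added example that is not part of either post: it tests that a CA bundle exists, is world-readable (the effect of chmod 644) and has paired PEM certificate markers, and it prints the smtp_tls_CAfile value Postfix itself resolves via postconf. The function names and return codes are this example's own, and the marker count is a layout check, not a certificate parse.

```shell
#!/bin/sh
# Added example (not from the original posts): sanity-check a CA bundle before
# pointing smtp_tls_CAfile at it. Return codes are this example's own convention:
#   0 = usable, 1 = missing, 2 = not world-readable,
#   3 = no PEM certificates, 4 = BEGIN/END markers do not pair up.

check_cafile() {
    f=$1
    # A wrong path is what produces the fopen "No such file or directory" log line.
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # chmod 644 sets the world-read bit; test that bit, following symlinks.
    [ -n "$(find -L "$f" -perm -004)" ] || {
        echo "not world-readable: $f" >&2; return 2; }
    # grep -c exits 1 on zero matches but still prints 0, hence "|| true".
    begin=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    end=$(grep -c -e '-----END CERTIFICATE-----' "$f" || true)
    [ "$begin" -gt 0 ] || { echo "no PEM certificates in $f" >&2; return 3; }
    [ "$begin" -eq "$end" ] || {
        echo "unbalanced PEM markers in $f ($begin BEGIN, $end END)" >&2; return 4; }
    echo "$f: $begin certificate(s), layout looks sane"
}

# Print the value Postfix itself resolves for smtp_tls_CAfile, which can differ
# from the main.cf being edited. Prints nothing if postconf is not installed.
effective_cafile() {
    command -v postconf >/dev/null 2>&1 && postconf -h smtp_tls_CAfile 2>/dev/null
    return 0
}

# Stand-alone use: check the path given as $1, else whatever Postfix reports.
target=${1:-$(effective_cafile)}
[ -z "$target" ] || check_cafile "$target"
```

If the path printed by effective_cafile still differs from the one just written to main.cf, the file being edited is not the one Postfix reads.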