
I've configured Postfix, installed on Debian 10, to send email. It was working previously, but all of a sudden it just stopped working. I don't know why it stopped sending email. I checked the log file and saw this in the Postfix log:

May  8 07:44:20 mail postfix/smtp[32042]: 48D557896B: Server certificate not trusted
May  8 07:44:21 mail postfix/smtp[32042]: certificate verification failed for alt2.gmail-smtp-in.l.google.com[**.***.***.**]:25: untrusted issuer /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
May  8 07:44:21 mail postfix/smtp[32042]: 48D557896B: to=<*****@gmail.com>, relay=alt2.gmail-smtp-in.l.google.com[**.***.***.**]:25, delay=1.4, delays=0/0/1.4/0, dsn=4.7.5, status=deferred (Server certificate not trusted)

Here is my /etc/postfix/main.cf file:

#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

append_dot_mydomain = no

readme_directory = no

compatibility_level = 2

smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtp_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.example.com
mydomain = example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#myorigin = /etc/mailname
mydestination = $myhostname, example.com, localhost.com, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_tls_security_level=encrypt
smtp_enforce_tls=yes

Please, why is my email not sending messages and how can I resolve this issue?

David
  • You don't specify what distribution you are using. The location of the CA certificates and the package name will differ if you are not using CentOS, but the principle is the same. – Gerald Schneider May 08 '20 at 09:31
  • I am using Debian 10. – David May 08 '20 at 10:40
  • Check that your [ca-certificates](https://packages.debian.org/sid/all/ca-certificates/filelist) package is up to date. The GlobalSign Root CA should be in it. – Henrik Pingel May 08 '20 at 10:48
  • How can I check if ca-certificates is up to date? And I am using Let's Encrypt. – David May 08 '20 at 10:50
  • I checked; this file /etc/ssl/certs/ca-bundle.crt doesn't exist. How can I add it? – David May 08 '20 at 10:51
  • As I already noted, the file is most probably different on Debian, on Ubuntu the path is `/etc/ssl/certs/ca-certificates.crt`. You can try to run `/usr/sbin/update-ca-certificates` to recreate it. The package is called [ca-certificates](https://packages.debian.org/buster/ca-certificates), but all this should be installed by default. – Gerald Schneider May 08 '20 at 11:02
  • Should I remove the Let's Encrypt certificate? – David May 08 '20 at 11:11
  • This did not work: May 8 11:13:14 mail postfix/smtp[2185]: certificate verification failed for alt2.gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25: untrusted issuer /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign May 8 11:13:14 mail postfix/smtp[2185]: 0E7317897A: to=<*****@gmail.com>, relay=alt2.gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25, delay=1.3, delays=0/0/1.3/0, dsn=4.7.5, status=deferred (Server certificate not trusted) – David May 08 '20 at 11:15
  • This should not have been closed; because of Let's Encrypt it has a different answer than the one referenced. First, make sure that you are clear about the difference between smtp_* and smtpd_* parameters: https://serverfault.com/questions/696936 Because you are concerned about mail going out, you should worry about the smtp_* parameters. This setup worked for me with an LE cert: `smtp_tls_cert_file=/etc/letsencrypt/live/me/cert.pem smtp_tls_key_file=/etc/letsencrypt/live/me/privkey.pem smtp_tls_CAfile=/etc/letsencrypt/live/me/fullchain.pem #optional smtp_tls_CApath = /etc/ssl/certs` – wruckie May 28 '21 at 16:12

1 Answer

It seems as if your server doesn't trust GlobalSign's root CA certificate.

You can try updating your CA certificates by first installing the latest ca-certificates package with the command `sudo apt install ca-certificates`.

Then re-run `update-ca-certificates --fresh` to rebuild the CA certificate links.

Stuggi
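The thread turns on two things: whether the system CA bundle is current, and whether the *client-side* (`smtp_*`) parameters in `main.cf` actually point Postfix at any trust anchors. The configuration in the question sets the obsolete `smtp_enforce_tls=yes` (which implies certificate verification) but no `smtp_tls_CAfile` or `smtp_tls_CApath`, so no issuer can ever be trusted, whatever `update-ca-certificates` produces. The script below is an added example, not code from the question, the answer, or the Postfix project: it reads the `smtp_*` TLS settings out of a `main.cf`-style file the way `postconf` would (last occurrence wins, comments ignored), reports what is missing, and offers a live check with `openssl s_client` that performs the same verification Postfix does against the system bundle. It assumes the Debian/Ubuntu bundle path `/etc/ssl/certs/ca-certificates.crt` and hash directory `/etc/ssl/certs`; the function names and the embedded sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example: audit the outbound (smtp_*) TLS trust settings of a Postfix
# main.cf and optionally verify a relay's certificate the way Postfix would.
# Assumed Debian/Ubuntu paths (adjust if your distribution differs):
CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
CA_DIR=/etc/ssl/certs

# get_param FILE NAME: print NAME's value from a main.cf-style file.
# Mirrors postconf semantics: '#' comment lines ignored, whitespace around
# '=' tolerated, the last occurrence of a parameter wins.
get_param() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1); sub(/[[:space:]]+$/, "", key)
            if (key != name) next
            val = substr(line, eq + 1)
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            found = val; have = 1
        }
        END { if (have) print found }
    ' "$1"
}

# audit_outbound_tls FILE: one finding per line; returns 0 only when the
# SMTP client has at least one trust anchor configured.
audit_outbound_tls() {
    f="$1"; ok=0
    level=$(get_param "$f" smtp_tls_security_level)
    legacy=$(get_param "$f" smtp_enforce_tls)
    cafile=$(get_param "$f" smtp_tls_CAfile)
    capath=$(get_param "$f" smtp_tls_CApath)

    if [ -z "$level" ] && [ -n "$legacy" ]; then
        echo "WARN: smtp_enforce_tls is obsolete; set smtp_tls_security_level (may/encrypt/verify/secure) instead"
    elif [ -n "$level" ]; then
        echo "INFO: smtp_tls_security_level = $level"
    fi
    if [ -z "$cafile" ] && [ -z "$capath" ]; then
        echo "FAIL: neither smtp_tls_CAfile nor smtp_tls_CApath is set; Postfix trusts no CA, so every verified delivery is deferred"
        ok=1
    else
        echo "OK: trust anchors configured (CAfile='$cafile' CApath='$capath')"
        [ -n "$cafile" ] && [ ! -r "$cafile" ] && echo "WARN: $cafile is not readable on this host"
    fi
    return $ok
}

# verify_relay HOST [PORT]: STARTTLS to the relay and verify its chain
# against the system bundle; returns 0 only on "Verify return code: 0 (ok)".
# This is what Postfix does at verify/secure level, so a failure here
# reproduces the "untrusted issuer" log line before touching main.cf.
verify_relay() {
    out=$(openssl s_client -starttls smtp -connect "$1:${2:-25}" \
          -servername "$1" -CAfile "$CA_BUNDLE" </dev/null 2>/dev/null)
    echo "$out" | grep 'Verify return code'
    echo "$out" | grep -q 'Verify return code: 0 (ok)'
}

# demo_constructed_config: run the audit on a constructed excerpt that mirrors
# the question's settings, then on a corrected excerpt.
demo_constructed_config() {
    cf=$(mktemp)
    cat > "$cf" <<'EOF'
smtp_use_tls=yes
smtpd_tls_security_level=encrypt
smtp_enforce_tls=yes
EOF
    echo "== before =="; audit_outbound_tls "$cf" || true
    cat > "$cf" <<'EOF'
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs
EOF
    echo "== after =="; audit_outbound_tls "$cf" || true
    rm -f "$cf"
}

demo_constructed_config
```

Run `audit_outbound_tls /etc/postfix/main.cf` on the real file, and `verify_relay alt2.gmail-smtp-in.l.google.com` to confirm the GlobalSign chain validates once `update-ca-certificates --fresh` has been run (`ls "$CA_DIR" | grep -i globalsign` shows whether the bundle carries the root at all). For general internet delivery the Postfix TLS documentation recommends `smtp_tls_security_level = may` (opportunistic TLS, no verification, so a stale bundle only weakens encryption rather than stopping mail); reserve `verify`/`secure` for a specific relayhost, where a verification failure should indeed block delivery.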