4

I'm trying to use postfix as gmail relay

smtp parameters are

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls=yes
smtp_tls_CAfile = /etc/ssl/ca-certificates.crt
smtp_tls_key_file=/etc/letsencrypt/live/MYDOMAIN.com/privkey.pem
smtp_tls_cert_file=/etc/letsencrypt/live/MYDOMAIN.com/cert.pem
smtp_tls_security_level=encrypt

The message appears to be sent correctly, but actually no mail is delivered, and in the mail log the issue seems to be caused by a TLS error:

 cannot load Certification Authority data, CAfile="/etc/ssl/ca-certificates.crt": disabling TLS support
 warning: TLS library problem: error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/etc/ssl/ca-certificates.crt','r'):
 warning: TLS library problem: error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
 warning: TLS library problem: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:../crypto/x509/by_file.c:199:
 connect to smtp.gmail.com:25: Network is unreachable

The file ca-certificates.crt exists in the path /etc/ssl/ and was already present in the Debian distro.

Another weird thing is that if in main.cf I try to change the line

smtp_tls_CAfile = /etc/ssl/ca-certificates.crt

using some other certificate, the error

cannot load Certification Authority data, CAfile="/etc/ssl/ca-certificates.crt": disabling TLS support

remains the same, rather than pointing to the name of the certificate configured, despite having used postfix reload and systemctl restart postfix.service to make sure the configuration was updated.

How should I fix this error?

AndreaF
  • Just a small question to rule out the obvious mistake: Does `/etc/ssl/ca-certificates.crt` contain the Let's Encrypt intermediate chain certificate? On my server it is provided in the file `ca.pem` when I request a new ECDSA certificate. The reason I ask is because how else is Gmail going to verify that your certificate is a valid Let's Encrypt certificate if it does not know which intermediate certificate was used? – Lasse Michael Mølgaard Jul 22 '21 at 13:58

2 Answers

5

On my Debian machines (9, 10 and 11) the path to ca-certificates.crt is:

/etc/ssl/certs/ca-certificates.crt

This should be the default; I did not change it.

On my postfix installations I didn't even set the smtp_tls_CAfile parameter. If you installed both postfix and the ca-certificates package via Debian package management, it should default to the correct file.

Gerald Schneider
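As an added diagnostic (not from the question or either answer), the following sh script asks Postfix via postconf which file smtp_tls_CAfile actually resolves to, falls back to the Debian default path named above when it is unset, and checks that the file exists, is readable and contains PEM certificates. The default path and the check logic are assumptions of this example; postconf is only used if it is installed.

```shell
#!/bin/sh
# Added diagnostic (not from the question or the answers above): find the CA
# bundle Postfix's SMTP client will actually use and check that it is usable.
# Assumes the Debian default bundle path; postconf is used only if installed.

DEFAULT_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# The effective smtp_tls_CAfile value as Postfix parsed it (empty if unset or
# if postconf is unavailable). Comparing this with what you wrote in main.cf
# shows whether an edit actually took effect after reload/restart.
configured_ca_file() {
    if command -v postconf >/dev/null 2>&1; then
        postconf -h smtp_tls_CAfile 2>/dev/null
    fi
}

# Number of PEM certificate blocks in a file, counted by their BEGIN marker;
# prints 0 when the file cannot be read or holds no certificates.
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print a one-line verdict for a bundle path; return 0 if usable, 1 otherwise.
check_ca_bundle() {
    file=$1
    if [ ! -e "$file" ]; then
        echo "missing: $file (Debian installs the bundle at $DEFAULT_CA_BUNDLE)"
        return 1
    elif [ ! -r "$file" ]; then
        echo "unreadable: $file (expected a world-readable file, e.g. mode 644)"
        return 1
    fi
    n=$(count_pem_certs "$file")
    if [ "$n" -eq 0 ]; then
        echo "no PEM certificates in $file (not a certificate bundle?)"
        return 1
    fi
    echo "ok: $file contains $n certificate(s)"
}

# Check the configured bundle, falling back to the Debian default when unset.
main() {
    ca=$(configured_ca_file)
    [ -n "$ca" ] || ca=$DEFAULT_CA_BUNDLE
    check_ca_bundle "$ca"
}

main
```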
0

Try `chmod 644 ca-certificates.crt` or verify the correct layout for a certificate bundle.