0

System specs

  • CentOS 5.5
  • Postfix 2.3.3

Scenario

I've been following Configure Postfix to send/relay emails Gmail (smtp.gmail.com) via port 587 to try and get the connection between Postfix and Gmail to work properly. The instructions are clear. After doing what the chosen answer says, I get this error in my maillog:

Dec 12 08:45:00 stiltify postfix/smtp[21745]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
Dec 12 08:45:00 stiltify postfix/smtp[21745]: certificate verification failed for smtp.gmail.com: num=27:certificate not trusted
Dec 12 08:45:00 stiltify postfix/smtp[21745]: warning: SASL authentication failure: No worthy mechs found
Dec 12 08:45:00 stiltify postfix/smtp[21745]: 6BC962B58006: to=<some.address@yahoo.com>, relay=smtp.gmail.com[74.125.93.109]:587, delay=0.27, delays=0.05/0.01/0.21/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.gmail.com[74.125.93.109]: no mechanism available)

Similar problems out there

Searching for a similar scenario, I found Postfix “SASL authentication failure: No worthy mechs found”, but looking at the details of the chosen answer, it was slightly different and I think it means that the sending server doesn't trust Gmail's certificate:

untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

But alas...

So here I am, stuck at a mailing problem once again, and need your help.

Thanks in advance!

Ramon Tayag

3 Answers

4

It sounds like there are potentially 2 different issues at hand. Now, I'm the one that provided the answer for the question regarding forwarding through Gmail, and mine was done on an Ubuntu laptop configuration, not CentOS, and I unfortunately don't have a CentOS machine handy to test this on.

It sounds to me like the following may be causing the problems.

  1. Check to ensure that the SASL binaries and libraries are installed. On my Ubuntu/Debian machines this would be including the libsasl2-2 and libsasl2-modules packages. The latter actually provides the SO SASL modules while the former provides the SASL DB libraries.

  2. Check to see if you have a trusted CA root chain certificate installed. On my Ubuntu/Debian machines I install the ca-certificate package which installs the known root level CA certificates and allows me to establish a CA cert chain that validates certificates signed by known CA's.

Updating to add after checking my Ubuntu laptop... The certificate issue is actually a non-critical issue, so item #2 is likely not at fault, as I get the same entries myself but mail is sent successfully, which would lean more to item #1 being the cause for failures to send.

Dec 12 07:51:56 solitare postfix/smtp[17525]: setting up TLS connection to smtp.gmail.com[74.125.67.109]:587
Dec 12 07:51:56 solitare postfix/smtp[17525]: certificate verification failed for smtp.gmail.com[74.125.67.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Dec 12 07:51:56 solitare postfix/smtp[17525]: Untrusted TLS connection established to smtp.gmail.com[74.125.67.109]:587: TLSv1 with cipher RC4-MD5 (128/128 bits)
Dec 12 07:51:58 solitare postfix/smtp[17525]: 41C7212823B: to=<root@****>, orig_to=<root>, relay=smtp.gmail.com[74.125.67.109]:587, delay=2.4, delays=0.22/0.01/0.62/1.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1292158318 b27sm3067589ana.28)

Fired up a CentOS 5.4 instance on Amazon EC2 and had a look around... In conjunction with item #1 on CentOS I would look to see if you have the following packages installed at a minimum: cyrus-sasl-lib, cyrus-sasl-plain and cyrus-sasl... There are other cyrus-sasl-* packages providing separate SASL modules if you should need them but the -lib and -plain should be the bare basics needed.

Jeremy Bouse
  • I installed the cyrus packages and I only didn't have cyrus-sasl-plain installed. Before doing #2, I tried sending an email again and it worked! – Ramon Tayag Dec 12 '10 at 17:06
  • I'm running Debian lenny and have been searching for solution, installing libsasl2-module did the trick for me. Thanks Jeremy. –  Mar 22 '11 at 02:58
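
Added example (not from any of the posts on this page): a shell script that separates the two symptoms this thread discusses, the TLS verification warning and the "No worthy mechs found" error, and then checks whether a Cyrus SASL PLAIN plugin is installed. The sample log lines are constructed after the ones quoted above, and the default plugin directories are assumptions about typical Cyrus SASL install paths.

```shell
#!/bin/sh
# Added example: triage Postfix smtp(8) maillog lines like those in this thread.
# Both samples are constructed, modelled on the quoted log lines.
SAMPLE_FAIL='Dec 12 08:45:00 host postfix/smtp[21745]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
Dec 12 08:45:00 host postfix/smtp[21745]: warning: SASL authentication failure: No worthy mechs found
Dec 12 08:45:00 host postfix/smtp[21745]: 6BC962B58006: to=<user@example.com>, relay=smtp.gmail.com[192.0.2.10]:587, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.gmail.com[192.0.2.10]: no mechanism available)'
SAMPLE_OK='Dec 12 07:51:56 host postfix/smtp[17525]: certificate verification failed for smtp.gmail.com[192.0.2.10]:587: untrusted issuer /C=US/O=Example/OU=Example CA
Dec 12 07:51:56 host postfix/smtp[17525]: Untrusted TLS connection established to smtp.gmail.com[192.0.2.10]:587
Dec 12 07:51:58 host postfix/smtp[17525]: 41C7212823B: to=<root@example.com>, relay=smtp.gmail.com[192.0.2.10]:587, dsn=2.0.0, status=sent (250 2.0.0 OK)'

# triage_maillog: read maillog text on stdin and print one line per symptom,
# so a deferral is attributed to the SASL error rather than the TLS warning.
triage_maillog() {
    awk '
        !/postfix\/smtp\[/                { next }
        /No worthy mechs found/           { mech++ }
        /certificate verification failed/ { cert++ }
        /status=deferred/                 { deferred++ }
        /status=sent/                     { sent++ }
        END {
            if (mech) printf "SASL_NO_MECH lines=%d (no usable SASL client plugin)\n", mech
            if (cert) printf "TLS_UNVERIFIED lines=%d (peer certificate not verified)\n", cert
            printf "DELIVERY sent=%d deferred=%d\n", sent, deferred
        }'
}

# sasl_plugin_present MECH [DIR...]: succeed if a Cyrus SASL plugin for MECH
# (e.g. "plain") exists. The default directories are assumed typical locations.
sasl_plugin_present() {
    mech=$1; shift
    [ $# -gt 0 ] || set -- /usr/lib64/sasl2 /usr/lib/sasl2 /usr/lib/*/sasl2
    for dir in "$@"; do
        for f in "$dir"/lib"$mech".so*; do
            if [ -e "$f" ]; then return 0; fi
        done
    done
    return 1
}

printf '%s\n' "$SAMPLE_FAIL" | triage_maillog
sasl_plugin_present plain ||
    echo "PLAIN plugin missing: install cyrus-sasl-plain (CentOS) or libsasl2-modules (Debian/Ubuntu)"
```

On a real host, feed it the live log, for example `triage_maillog < /var/log/maillog`; a TLS_UNVERIFIED line next to `sent=1` matches the behaviour described in the answer above.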
2

My CentOS installation had the same problem and I solved it by installing cyrus-sasl-plain.

Bart De Vos
Itamar
0

I don't think there's anything wrong with gmail's certificate, because as you say above, it's issued by equifax [1].

I'm not a postfix person, but the usual reason for this is that the tool doing the verifying - in this case, postfix - doesn't have a "certificate bundle" - the collection of axiomatically-trusted certificates that the tool uses to verify the certificate chain presented to it. Sendmail (which I do use) has the following m4 config line to point it to the bundle:

define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl

Look for something similar for postfix.

[1] OK, ok, it claims to be issued by equifax; but it really is, according to my certificate bundle:

[madhatta@risby ~]$ openssl s_client -starttls smtp -connect smtp.gmail.com:587
CONNECTED(00000003)
depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
verify return:1
[...]
MadHatter
  • Yes, it looks as though Google has been issued an Intermediary CA Certificate by Equifax. They'd certainly have enough money to afford such and given the amount of certificates they'd require is probably more cost effective. As I mentioned below though this isn't causing the problems with authentication and sending. – Jeremy Bouse Dec 12 '10 at 16:40