
Learning postfix, I've set up SSL on my server and everything is working.

Google/Gmail was saying Untrusted TLS connection established until I downloaded an Equifax SSL CA bundle and added it to my CA bundle. Now it says trusted connection whenever sending an email to Google.

So now I'm trying to do the same for Yahoo and Outlook365 connections. The connections say Untrusted TLS connection established whenever I send them emails.

Am I going about this the right way? By downloading CA bundles and putting them in my CA bundle? I've tried ssl_CA_path and just putting them in there, but that didn't work; only smtp_tls_CAfile seems to work.

  • CentOS 6.7
  • postfix 3.2.2
Gerald Schneider
Darius
    The CA bundles that come with your distribution should be sufficient. Did you configure your postfix to not use them? – Gerald Schneider Jul 07 '17 at 09:11
  • I don't remember enabling anything to use the CA bundles that come with the distribution. It was a minimal Centos installation if that makes a difference. What keywords should I be looking for to find out if I have it set? The SSL I installed was a Comodo Essential Certificate with its 3-4? certificate intermediate bundle – Darius Jul 07 '17 at 09:12
  • Oh I see, you must be referencing /etc/pki/tls/certs/ca-bundle.crt. Yep, that did it... It worked. Issue was I pointed to the CA-bundle Comodo gave me instead of the system's. Thank you. – Darius Jul 07 '17 at 09:15
  • Well, normally buying a certificate for this kind of usage is an utter waste of money. If you've got hordes of users, yes, using a well known CA might come in handy. If it's just you, it's wasted money. Anyway, you can easily get a certificate from Let's Encrypt for free, use it for exactly this kind of purpose and automate the renewal process entirely with the right tool and a cron job. Having said that, using DANE would remove the need for a paid CA entirely, though this is unlikely to ever happen. But Postfix can use it. – Marc Stürmer Jul 07 '17 at 19:44
  • @MarcStürmer the question is about outgoing connections, not incoming. – Gerald Schneider Jul 08 '17 at 11:48
  • This does not change the fact that also for this kind of usage a certificate from Let's Encrypt works very well. – Marc Stürmer Jul 08 '17 at 20:26



Every (major) Linux distribution comes with CA certificates from all major authorities that are usually trusted.

This is the default location for CentOS:

smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

This should be used by default, so you shouldn't need this line unless you want to trust your own CA only.

The CA files are provided by the package ca-certificates. If for some reason the CA bundles are not present, you can install them using yum install ca-certificates.

Gerald Schneider
    Google _may become_ a special case, _if_ they extend their intermediate-CA cert beyond 2018-08 (currently 2017-12) which I expect they will _and_ continue to serve the Geotrust-bridge-to-Equifax path _and_ Postfix is using an OpenSSL that doesn't 'switch' to the direct Geotrust root which might well remain true for 1.0.1 in CentOS 6; see my answer at https://security.stackexchange.com/questions/66487/what-happens-when-certificates-further-up-the-chain-expires-before-mine – dave_thompson_085 Jul 07 '17 at 11:16
  • Can they be yum-updated safely? I mean that won't break the local server certificate, right? – Overmind May 08 '20 at 11:12
  • The package only contains root certificates. The server certificate has nothing to do with it. – Gerald Schneider May 08 '20 at 11:19

I came to this question from How to resolve server certificate not trusted in postfix on Debian? If Let's Encrypt is involved, the answer is slightly different.

First, make sure that you are clear about the difference between smtp_* and smtpd_* parameters. Because you are concerned about mail going out, you should worry about the smtp_* parameters. What's the difference between postfix/smtp and postfix/smtpd

This setup worked for me with a Let's Encrypt certificate. Many forums told me to reference the fullchain as the smtp_tls_CAfile, but they failed to mention that you also need the smtp_tls_CApath parameter set. After getting it working with all four of these lines, I commented out the smtp_tls_CAfile and it worked with just the smtp_tls_CApath.

smtp_tls_cert_file=/etc/letsencrypt/live/example.com/cert.pem
smtp_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
#smtp_tls_CAfile=/etc/letsencrypt/live/example.com/fullchain.pem #optional
smtp_tls_CApath = /etc/ssl/certs
wruckie
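The three things the question and both answers turn on are easy to get wrong in main.cf: the outbound smtp(8) client only reads smtp_tls_CAfile and smtp_tls_CApath (smtpd_tls_CAfile is the inbound parameter), the CAfile must be a readable bundle that actually holds the roots the remote MX chains to (the asker's Comodo intermediate bundle did not, the distribution's /etc/pki/tls/certs/ca-bundle.crt did), and a CApath is only searched through subject-hash links created by c_rehash (or openssl rehash on OpenSSL 1.1+), so copying .crt files into a directory, as the question tried, does nothing. The POSIX sh linter below checks all three. It is an added example, not code from the page, from Postfix, or from either answerer; the main.cf fragments, the placeholder PEM bundle and the hashed/unhashed directories it creates under a temp directory are constructed demo data, and the hash name 5ad8a5d6.0 is just a sample of the naming pattern.

```shell
#!/bin/sh
# Added example (not Postfix code): lint a main.cf for the outbound-TLS trust
# mistakes discussed above. All paths and PEM content are constructed demo data.

# Print the value of parameter $2 from main.cf $1 (last definition wins).
# Continuation lines are not handled; use "postconf -n" output for a live box.
pf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                          # comment line
        $0 ~ "^[ \t]*" key "[ \t]*=" {               # "key = value"
            sub("^[ \t]*" key "[ \t]*=[ \t]*", "")
            sub(/[ \t]+$/, "")
            val = $0
        }
        END { print val }
    ' "$1"
}

# 0 if $1 is a readable PEM bundle holding at least one certificate.
pf_bundle_ok() {
    [ -r "$1" ] || return 1
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    [ "$n" -gt 0 ]
}

# 0 if $1 is a CApath OpenSSL can actually search: it must contain subject-hash
# links such as 5ad8a5d6.0 (sample name) as created by c_rehash / openssl rehash.
# A directory of plain .crt files, which the question tried, is not enough.
pf_capath_ok() {
    [ -d "$1" ] || return 1
    ls "$1" 2>/dev/null | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'
}

# Report the trust store the smtp(8) client will use for outbound TLS.
# Returns 0 if at least one usable store is configured, 1 otherwise.
pf_lint_outbound() {
    cfg=$1
    cafile=$(pf_get "$cfg" smtp_tls_CAfile)
    capath=$(pf_get "$cfg" smtp_tls_CApath)
    ok=1
    if [ -z "$cafile" ] && [ -z "$capath" ]; then
        echo "no smtp_tls_CAfile or smtp_tls_CApath: outbound TLS stays 'Untrusted'"
        if [ -n "$(pf_get "$cfg" smtpd_tls_CAfile)" ]; then
            echo "note: smtpd_tls_CAfile only serves the inbound smtpd(8) side"
        fi
    fi
    if [ -n "$cafile" ]; then
        if pf_bundle_ok "$cafile"; then
            echo "smtp_tls_CAfile ok: $cafile"; ok=0
        else
            echo "smtp_tls_CAfile unreadable or holds no certificate: $cafile"
        fi
    fi
    if [ -n "$capath" ]; then
        if pf_capath_ok "$capath"; then
            echo "smtp_tls_CApath ok: $capath"; ok=0
        else
            echo "smtp_tls_CApath is not hashed (run c_rehash or openssl rehash): $capath"
        fi
    fi
    return $ok
}

# --- constructed demo data (stand-in for the real distribution bundle) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
fake_bundle=$demo_dir/ca-bundle.crt
printf -- '-----BEGIN CERTIFICATE-----\nMIIB(placeholder, not a real cert)\n-----END CERTIFICATE-----\n' > "$fake_bundle"
mkdir "$demo_dir/unhashed" "$demo_dir/hashed"
cp "$fake_bundle" "$demo_dir/unhashed/comodo-intermediates.crt"
cp "$fake_bundle" "$demo_dir/hashed/5ad8a5d6.0"

# bad.cf: the mix-up from the question, only the inbound parameter is set.
printf 'smtpd_tls_CAfile = %s\nsmtp_tls_security_level = may\n' "$fake_bundle" > "$demo_dir/bad.cf"
# unhashed.cf: CApath pointing at a plain directory of .crt files.
printf 'smtp_tls_CApath = %s\n' "$demo_dir/unhashed" > "$demo_dir/unhashed.cf"
# good.cf: outbound client trusts the distribution bundle
# (on CentOS: /etc/pki/tls/certs/ca-bundle.crt; the placeholder stands in here).
printf '# outbound TLS trust\nsmtp_tls_CAfile = %s\nsmtp_tls_security_level = may\nsmtp_tls_loglevel = 1\n' "$fake_bundle" > "$demo_dir/good.cf"

for name in bad unhashed good; do
    echo "== $name.cf"
    pf_lint_outbound "$demo_dir/$name.cf" || echo "-> FIX NEEDED"
done
```

On a live server feed it `postconf -n > /tmp/main.cf.txt` rather than main.cf itself, so continuation lines and overrides are already resolved. Two caveats the linter cannot see: if smtp runs chrooted in master.cf, smtp_tls_CAfile is read before the chroot but smtp_tls_CApath must live inside it; and a bundle that parses fine may still lack the root a given MX chains to, which only an online check such as openssl s_client -starttls smtp -connect mx:25 -CAfile /etc/pki/tls/certs/ca-bundle.crt will reveal.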