Symptoms
Outgoing mail delivery to Gmail accounts (or to other servers that have SSL enabled and are configured with a valid certificate) fails with the following error in /usr/local/psa/var/log/maillog:
from=<local@example.com>, size=666, nrcpt=1 (queue active)
certificate verification failed for gmail-smtp-in.l.google.com: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
F01C9680292: to=<test@gmail.com>
Note: Gmail's SMTP server may appear under another address, such as aspmx.l.google.com. This solution applies to any case where the log messages contain the untrusted issuer string.
Cause
The Certificate Authority (CA) certificate file is not specified in /etc/postfix/main.cf (the smtp_tls_CAfile parameter is missing).
As a result, the server does not trust valid CAs.
Resolution
- Connect to the server via SSH.
- Make sure that the file /etc/pki/tls/certs/ca-bundle.crt exists (it contains information about valid CAs):
# ls /etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.crt
- Update the OpenSSL package if possible in order to get a fresh version of the CA bundle.
- Add the line smtp_tls_CAfile to the /etc/postfix/main.cf file as shown below:
# grep smtp_tls_CAfile /etc/postfix/main.cf
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
- Restart the postfix daemon to apply the changes:
# /etc/init.d/postfix restart
Stopping postfix: [ OK ]
Starting postfix: [ OK ]
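
The checks from the steps above can be scripted. The following is an added example, not part of the original article or of any vendor tooling; the function names are hypothetical, and it assumes a main.cf with one parameter per line (no continuation lines or $variable references) and the log format shown under Symptoms.

```shell
#!/bin/sh
# Added example (not vendor code). File paths are passed as arguments so the
# checks can also be run against copies of maillog and main.cf.

# List hosts rejected with "untrusted issuer" and how often, from a maillog.
untrusted_issuer_hosts() {
    sed -n 's/.*certificate verification failed for \([^:]*\): untrusted issuer.*/\1/p' "$1" |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Print the effective smtp_tls_CAfile value from a main.cf file.
# Commented-out lines are ignored; the last assignment wins, as in Postfix.
effective_cafile() {
    awk '/^smtp_tls_CAfile[ \t]*=/ {
             v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
         }
         END { print v }' "$1"
}

# Return 0 if main.cf points at a readable bundle holding at least one PEM
# certificate; otherwise print the reason and return 1, 2 or 3.
check_cafile() {
    cafile=$(effective_cafile "$1")
    if [ -z "$cafile" ]; then
        echo "smtp_tls_CAfile is not set in $1"; return 1
    fi
    if [ ! -r "$cafile" ]; then
        echo "CA bundle $cafile is missing or unreadable"; return 2
    fi
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cafile" || true)
    if [ "$certs" -eq 0 ]; then
        echo "CA bundle $cafile contains no PEM certificates"; return 3
    fi
    echo "smtp_tls_CAfile = $cafile ($certs CA certificates)"
}

# Demo on constructed log lines in the format shown under Symptoms.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
certificate verification failed for gmail-smtp-in.l.google.com: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
certificate verification failed for aspmx.l.google.com: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
EOF
untrusted_issuer_hosts "$demo_log"
rm -f "$demo_log"
# On the server itself, also check the live configuration if it is present.
if [ -f /etc/postfix/main.cf ]; then check_cafile /etc/postfix/main.cf || true; fi
```

A non-zero return from check_cafile after the restart means Postfix still has no usable CA bundle, so the untrusted issuer errors will continue.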