valid SSL cert for Postfix/gmail



gregn
26-Aug-2015, 09:37
Dear All,

I have configured Postfix with a Gmail account.
I'm using the built-in cert from /etc/ssl/certs/Thawte_Server_CA.pem as /etc/postfix/cacert.pem

When connecting to Gmail I get this response (from /var/log/mail.info):

status=deferred (Server certificate not verified)

How can I obtain a valid SSL certificate for my SLES11Sp3?

Regards
GN

maikcat
26-Aug-2015, 13:48
can you post your postfix config?

Michael.

gregn
26-Aug-2015, 14:43
> can you post your postfix config?
>
> Michael.


#transport_maps = hash:/etc/postfix/transport
#sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
#masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = HANA
mydomain = NCC
delay_warning_time = 1h
message_strip_characters = \0
inet_interfaces = localhost
#masquerade_domains =
#mydestination = $myhostname, localhost.$mydomain
#defer_transports =
mynetworks_style = subnet
#disable_dns_lookups = no
relayhost = [74.125.24.108]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
#smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtp_tls_security_level = verify
#smtp_tls_CApath = /etc/ssl/certs
smtp_use_tls = yes
mailbox_command =
mailbox_transport =
strict_8bitmime = no
disable_mime_output_conversion = no
#smtpd_sender_restrictions = hash:/etc/postfix/access
#smtpd_client_restrictions =
#smtpd_helo_required = no
#smtpd_helo_restrictions =
strict_rfc821_envelopes = no
#smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_use_tls = yes
smtp_enforce_tls = yes
#alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 10240000

And when sending a test email, from /var/log/mail.info:

Aug 26 13:46:18 hanab1h postfix/pickup[29203]: BF9C72D853: uid=0 from=<root>
Aug 26 13:46:18 hanab1h postfix/cleanup[30274]: BF9C72D853: message-id=<20150826134618.BF9C72D853@HANA>
Aug 26 13:46:18 hanab1h postfix/qmgr[25400]: BF9C72D853: from=<root@HANA.NCC>, size=419, nrcpt=1 (queue active)
Aug 26 13:46:18 hanab1h postfix/error[30276]: BF9C72D853: to=<xxx@xxx>, relay=none, delay=0.02, delays=0.01/0/0/0, dsn=4.7.5, status=deferred (delivery temporarily suspended: Server certificate not verified)

maikcat
27-Aug-2015, 06:50
Uncomment the smtp_tls_CApath = /etc/ssl/certs directive and make sure Gmail's CA is there...
and restart Postfix.

Michael.

Aditya425
27-Aug-2015, 07:22
can you post your postfix config?

Aditya
CEO of http://www.techgaged.com

gregn
27-Aug-2015, 07:36
> and make sure Gmail's CA is there...
> Michael.
I have copied

cp /etc/posfix/cacert.pem /etc/ssl/certs/ and restarted postfix - still no luck.

my cacert.pem was created like this:

cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem
Maybe that's why it is obsolete/unrecognizable by the Gmail server?

Regards
GN

maikcat
27-Aug-2015, 09:30
You can use openssl s_client -connect to "extract" the cert from Gmail directly.

Michael.
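
The trust check this thread is about, as an added offline example that is not part of the original posts: a CA file holding only the wrong CA fails to verify a server certificate, and appending the certificate's real issuer fixes it. It assumes the openssl command-line tool is installed; the CA names, relay.example.test and all file names under the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Constructed offline demo: every key and certificate here is a throwaway
# generated locally; the CA names and relay.example.test are made up.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

make_ca() {            # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.pem" 2>/dev/null
}

make_server_cert() {   # $1 = issuing CA prefix, $2 = server common name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$demo_dir/server.key" -out "$demo_dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$demo_dir/server.csr" -days 1 \
        -CA "$demo_dir/$1.pem" -CAkey "$demo_dir/$1.key" -CAcreateserial \
        -out "$demo_dir/server.pem" 2>/dev/null
}

# Succeeds only if the CA file holds the issuer of the certificate.
chain_verifies() {     # $1 = CA file, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

trust_state() {        # prints "verified" or "not verified"
    if chain_verifies "$1" "$2"; then echo "verified"; else echo "not verified"; fi
}

make_ca old_ca "Constructed Old CA"            # the CA the admin trusts
make_ca issuing_ca "Constructed Issuing CA"    # the CA the server really uses
make_server_cert issuing_ca "relay.example.test"

# Stand-in for smtp_tls_CAfile: it starts with only the wrong CA in it.
cp "$demo_dir/old_ca.pem" "$demo_dir/cacert.pem"
openssl x509 -in "$demo_dir/server.pem" -noout -issuer   # who signed it?
before=$(trust_state "$demo_dir/cacert.pem" "$demo_dir/server.pem")

# Append the real issuer, as one would with the CA named in the issuer line.
cat "$demo_dir/issuing_ca.pem" >> "$demo_dir/cacert.pem"
after=$(trust_state "$demo_dir/cacert.pem" "$demo_dir/server.pem")

echo "before: $before, after: $after"
```

Against a live relay the same issuer and verify checks apply to the certificate that openssl s_client prints, compared with the file named in smtp_tls_CAfile.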