Email FWDs: Certificate verification failed

Discussion in 'ISPConfig 3 Priority Support' started by olimortimer, May 1, 2014.

  1. olimortimer

    olimortimer Member

    Noticed the following in my logs;

    Code:
    May 1 19:19:23 vps1 postfix/smtp[15439]: certificate verification failed for gmail-smtp-in.l.google.com[173.194.67.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    This is something that's only started happening recently - is it tied in with an ISPConfig update?

    Am I right in saying that I just need to point postfix (in main.cf) to where certs are stored;

    Code:
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    This is my current main.cf;

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = vps1.olimortimer.com
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = vps1.olimortimer.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    #smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonic$
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = maildrop
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    content_filter = amavis:[127.0.0.1]:10024
    inet_protocols = all
    smtp_tls_security_level = may
    
    # RBL and RHBL Blacklists
    smtpd_helo_required = yes
    disable_vrfy_command = yes
    strict_rfc821_envelopes = yes
    invalid_hostname_reject_code = 554
    multi_recipient_bounce_reject_code = 554
    non_fqdn_reject_code = 554
    relay_domains_reject_code = 554
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    unknown_sender_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    
    smtpd_recipient_restrictions =
                check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
                reject_invalid_hostname,
                reject_unknown_recipient_domain,
                reject_unauth_pipelining,
                permit_mynetworks,
                permit_sasl_authenticated,
                reject_unauth_destination,
                reject_rbl_client multi.uribl.com,
                reject_rbl_client dsn.rfc-ignorant.org,
                reject_rbl_client dul.dnsbl.sorbs.net,
                reject_rbl_client zen.spamhaus.org,
                reject_rbl_client bl.spamcop.net,
                reject_rbl_client psbl.surriel.com,
                reject_rbl_client dnsbl.sorbs.net,
                reject_rbl_client cbl.abuseat.org,
                reject_rbl_client ix.dnsbl.manitu.net,
                reject_rbl_client combined.rbl.msrbl.net,
                reject_rbl_client rabl.nuclearelephant.com,
                permit
    
     
    Last edited: May 2, 2014
  2. olimortimer

    olimortimer Member

    I added those lines to the main.cf, and although the 'certificate verification failed' went away, the mail wasn't delivered.

    This is happening under the following scenario;

    From: [email protected]
    To:[email protected] (Fwd on ISPConfig)
    Fwd To: [email protected]
     
  3. olimortimer

    olimortimer Member

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    This guide from curvvee.com looks good and should solve the issue, as longa s you have set: smtp_tls_CAfile and smtpd_tls_CAfile to use the file /etc/postfix/ssl/cacert.pem and not the one from your first post.
     
  5. olimortimer

    olimortimer Member

    Thank till.

    Should /etc/postfix/ssl/cacert.pem exist already? I don't have that file on my server.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess that depends on the Linux distribution. If it does not exist, then create it.
     

Share This Page