Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
Its reported from the postfix log
It produced this output:
postfix/smtp: Untrusted TLS connection established to :25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
My web server is (include version):
postfix-2.10.1-9.el7 (not really a web server)
The operating system my web server runs on is (include version):
Centos 7.9 updated
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you're using Certbot):
Per this advice
I have updated my postfix main.cf file
smtpd_tls_cert_file = /etc/letsencrypt/live/mailserver.domain.com/fullchain.pem smtpd_tls_key_file = /etc/letsencrypt/live/mailserver.domain.com/privkey.pem smtpd_tls_CAfile = /etc/letsencrypt/live/mailserver.domain.com/fullchain.pem smtp_tls_CAfile = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt smtp_tls_CApath = /etc/pki/ca-trust/extracted/openssl smtpd_tls_CApath = /etc/pki/ca-trust/extracted/openss
substituting my actual domain for the "mailserver.domain.com" which btw, I had already set, mail is being encrypted fine and the TLS is "working" just says "untrusted" but only for domains using letsencrypt certs. My TLS connections to others like google and microsoft are trusted
postfix/smtp: Trusted TLS connection established to protection.outlook.com [22.214.171.124]:25 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Per this serverfault
downloaded the X1 and R3 certs added them to the anchor and ran the update-ca-trust. While that added them to the /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt file I still get Untrusted, so I'm at a total loss as to what to try next.
I did restart postfix after changing main.cf and running the update-ca-trust just to be sure.
Totally at a loss as to why it's still untrusted.