Postfix reports untrusted but only for letsencrypt certs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
Not relevant

I ran this command:
It's reported from the postfix log
It produced this output:
postfix/smtp[15697]: Untrusted TLS connection established to :25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

My web server is (include version):
postfix-2.10.1-9.el7 (not really a web server)
The operating system my web server runs on is (include version):
Centos 7.9 updated
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.10.1

Per this advice

I have updated my postfix main.cf file

smtpd_tls_cert_file = /etc/letsencrypt/live/mailserver.domain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mailserver.domain.com/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mailserver.domain.com/fullchain.pem
smtp_tls_CAfile = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
smtp_tls_CApath = /etc/pki/ca-trust/extracted/openssl
smtpd_tls_CApath = /etc/pki/ca-trust/extracted/openssl

substituting my actual domain for the "mailserver.domain.com" (which, btw, I had already set). Mail is being encrypted fine and the TLS is "working"; it just says "untrusted", but only for domains using letsencrypt certs. My TLS connections to others like google and microsoft are trusted

postfix/smtp[22922]: Trusted TLS connection established to protection.outlook.com [104.47.58.138]:25 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Per this serverfault

went to https://letsencrypt.org/certificates/

downloaded the X1 and R3 certs, added them to the anchor and ran update-ca-trust. While that added them to the /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt file, I still get Untrusted, so I'm at a total loss as to what to try next.
I did restart postfix after changing main.cf and running the update-ca-trust just to be sure.

Totally at a loss as to why it's still untrusted.

1 Like

I don't see anything obviously really wrong from your description of your config, but there's a lot less help out there on using TLS for email than for HTTP. You shouldn't be adding the X1 or R3 certs to your trust store directly, though, you should just need to add ISRG Root X1 (and perhaps also ISRG Root X2 if you want to future-proof a bit), which is probably already in the trust store you were using if it's relatively recent. And I don't think it makes sense to set both the CAfile and the CApath, though I don't think it'd hurt anything to do so.

Is it any Let's Encrypt server that you try sending email to? It wouldn't shock me if some of them weren't sending the right intermediate, or were using some bizarre set of cipher suites, or something like that, where the issue is on their side and not yours. How many data points do you have that it's something on your side?

1 Like
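As an added illustration of the two points above (the smtp_tls_CAfile/CApath settings quoted in the question, and the reply's note that outbound trust needs ISRG Root X1 in the client-side bundle), here is a small offline checker written for this page; it is not code from the thread, from Postfix or from Let's Encrypt. It uses only the Python standard library. The main.cf text and the PEM "certificates" are constructed sample inputs: the PEM payloads are not real certificates, only stand-ins that carry a subject string, and the subject check is a byte-search heuristic (X.509 name components are stored as plain ASCII inside DER), not a full ASN.1 parse. On a real system you would feed it /etc/postfix/main.cf and the file named by smtp_tls_CAfile.

```python
# Added example (not from the thread): checks the client-side smtp_tls_*
# settings that decide whether Postfix logs an outbound peer as "Trusted".
# All inputs below are constructed for demonstration.
import base64
import re

ISRG_ROOT_X1 = "ISRG Root X1"  # subject CN of the Let's Encrypt root


def parse_main_cf(text):
    """Parse 'key = value' lines of a Postfix main.cf into a dict.
    Lines starting with whitespace continue the previous value; comment
    and blank lines are skipped."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        current = key.strip()
        params[current] = value.strip()
    return params


_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certificates(bundle_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in _PEM_RE.findall(bundle_text)]


def bundle_contains_subject(bundle_text, cn):
    """Heuristic presence check: search each certificate's DER bytes for the
    CN text (name components are PrintableString/UTF8String, i.e. raw ASCII),
    which avoids needing a full X.509 parser for a quick diagnosis."""
    needle = cn.encode()
    return any(needle in der for der in pem_certificates(bundle_text))


def check_outbound_trust(main_cf_text, bundle_text):
    """Return findings explaining why outbound peers may log as Untrusted.
    Only smtp_tls_* (client) settings matter here; smtpd_tls_* settings
    govern inbound connections and do not affect outbound verification."""
    p = parse_main_cf(main_cf_text)
    findings = []
    has_file, has_path = "smtp_tls_CAfile" in p, "smtp_tls_CApath" in p
    if not (has_file or has_path):
        findings.append("no smtp_tls_CAfile or smtp_tls_CApath: outbound peers can never verify")
    if has_file and has_path:
        findings.append("both smtp_tls_CAfile and smtp_tls_CApath are set; one is sufficient")
    if has_file and not bundle_contains_subject(bundle_text, ISRG_ROOT_X1):
        findings.append("ISRG Root X1 missing from smtp_tls_CAfile: Let's Encrypt chains cannot verify")
    return findings


def _constructed_pem(payload):
    """Wrap arbitrary bytes as a PEM block. The payload is NOT a real
    certificate; it only stands in for DER that carries a subject string."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed main.cf mirroring the settings quoted in the question.
SAMPLE_MAIN_CF = """\
# constructed sample, not a real server's configuration
smtpd_tls_cert_file = /etc/letsencrypt/live/mailserver.domain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mailserver.domain.com/privkey.pem
smtp_tls_CAfile = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
smtp_tls_CApath = /etc/pki/ca-trust/extracted/openssl
smtp_tls_security_level = may
"""

# Constructed bundles: one "contains" the Let's Encrypt root, one does not.
BUNDLE_WITH_ROOT = _constructed_pem(b"constructed DER stand-in: CN=ISRG Root X1")
BUNDLE_WITHOUT_ROOT = _constructed_pem(b"constructed DER stand-in: CN=Some Other CA")

if __name__ == "__main__":
    for finding in check_outbound_trust(SAMPLE_MAIN_CF, BUNDLE_WITHOUT_ROOT):
        print("finding:", finding)
```

Run against the constructed inputs it reports two findings for the bundle lacking the root (the redundant CAfile plus CApath, and the missing ISRG Root X1) and only the redundancy note for the bundle that has it; the smtpd_tls_* lines produce no finding because they play no part in outbound verification.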

Outbound connections don't rely on your cert.
Without your actual domain name it is nearly impossible to troubleshoot this problem.

This should be all that you need.

Perhaps some of this is causing the problem:

2 Likes