Postfix: Server certificate not verified (Gmail, GMX, Yahoo)


Sending mails from my mail server to works after I added

smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs

into my postfix/ But I still can’t send mails to GMX, Gmail, Yahoo (and probably more) for example. Is this a problem with /etc/ssl/certs or has this to do with my LE-certs? On everything seems fine with my LE-certs.


postfix/smtpd[17627]: connect from ip4d164b60.dynamic.MYPROVIDER******
postfix/smtpd[17627]: 88CE9520C88: client=ip4d164b60.dynamic.MYPROVIDER******, sasl_method=PLAIN,
postfix/cleanup[17634]: 88CE9520C88: message-id=<>
postfix/qmgr[15061]: 88CE9520C88: from=<>, size=599, nrcpt=1 (queue active)
postfix/smtpd[17627]: disconnect from ip4d164b60.dynamic.MYPROVIDER******
postfix/smtp[17636]: 88CE9520C88: to=<>,[]:25, delay=0.31, delays=0.1/0.01/0.21/0, dsn=4.7.5, status=deferred (Server certificate not verified)


Do you have any response from their MTA in a logfile?


Sorry, forgot to post the log. Edited it.


Can you check one parameter in your config please?


I am not sure if all of them support SSL.

smtpd_tls_auth_only = yes
smtp_tls_security_level = secure
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs


This security level is not an appropriate default for systems delivering mail to the Internet.

If you want to send mails to the internet, you should not have smtp_tls_security_level set to secure. You should use dane or may.


Yes, try to set smtp_tls_security_level=may, then you can send e-mails to them, if they don't allow or support SSL.


Thanks. Now it’s working. I remembered when I changed it to “secure” as I wanted to send and receive my mails as secure as possible. I tested it weeks ago by sending a mail to (they only accept secure mails) and all mails came back with the statement “Must issue a STARTTLS command first”. So I found some settings to fix this and it recommended smtp_tls_security_level = secure besides some other settings (I posted above).

Anyways: Now everything works fine and I can also send mails to and they don’t come back.



You might be interested in which tries to selectively set smtp_tls_security_level = secure for known popular sites.


Try this STARTTLS testing tool:


CheckTLS Confidence Factor: 100
Everything at 100%.
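
Added example, not part of the thread: a small Python log check that lists which recipient domains are being deferred with dsn=4.7.5 "Server certificate not verified", the symptom of smtp_tls_security_level = secure shown in the log above. The sample log lines, addresses and the function name unverified_deferrals are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Postfix smtp(8) delivery-log format; the
# addresses, hosts and queue IDs are placeholders, not values from the thread.
SAMPLE_LOG = """\
postfix/smtp[17636]: 88CE9520C88: to=<alice@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.31, delays=0.1/0.01/0.21/0, dsn=4.7.5, status=deferred (Server certificate not verified)
postfix/smtp[17640]: 91AF0520C91: to=<bob@example.org>, relay=mail.example.org[192.0.2.20]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
postfix/smtp[17641]: A2B31520CA2: to=<carol@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.29, delays=0.1/0.01/0.18/0, dsn=4.7.5, status=deferred (Server certificate not verified)
postfix/smtp[17650]: B3C42520CB3: to=<dave@example.net>, relay=none, delay=30, delays=0.1/0.01/30/0, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.30]:25: Connection timed out)
"""

# One delivery-status line from the smtp client: queue ID, recipient, relay,
# DSN code, status and the parenthesised reason at the end of the line.
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)\s*$"
)

def unverified_deferrals(log_text):
    """Map recipient domain -> {'relays': set, 'queue_ids': list} for
    deliveries deferred because the peer certificate failed verification."""
    hits = defaultdict(lambda: {"relays": set(), "queue_ids": []})
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if not m or m["status"] != "deferred":
            continue
        # Other deferrals (timeouts, greylisting) are not a TLS policy issue.
        if m["dsn"] != "4.7.5" or "certificate not verified" not in m["reason"]:
            continue
        domain = m["rcpt"].rpartition("@")[2].lower() or "(unknown)"
        relay_host = m["relay"].split("[", 1)[0]
        hits[domain]["relays"].add(relay_host)
        hits[domain]["queue_ids"].append(m["qid"])
    return dict(hits)

if __name__ == "__main__":
    for domain, info in sorted(unverified_deferrals(SAMPLE_LOG).items()):
        print(f"{domain}: {len(info['queue_ids'])} deferred, "
              f"relays={sorted(info['relays'])}")
```

The resulting domain list shows which destinations fail verification under secure, which is the information needed before keeping secure only for selected sites.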