Postfix: Server certificate not verified (Gmail, GMX, Yahoo)


#1

Sending mails from my mail server to Web.de works after I added

smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs

into my postfix/main.cf. But I still can’t send mails to GMX, Gmail, Yahoo (and probably more), for example. Is this a problem with /etc/ssl/certs, or does this have something to do with my LE certs? On ssllabs.com everything seems fine with my LE certs.

Log

postfix/smtpd[17627]: connect from ip4d164b60.dynamic.MYPROVIDER******
postfix/smtpd[17627]: 88CE9520C88: client=ip4d164b60.dynamic.MYPROVIDER******, sasl_method=PLAIN, sasl_username=contact@mydomain.com
postfix/cleanup[17634]: 88CE9520C88: message-id=<56FBDE6F.5020004@mydomain.com>
postfix/qmgr[15061]: 88CE9520C88: from=<contact@mydomain.com>, size=599, nrcpt=1 (queue active)
postfix/smtpd[17627]: disconnect from ip4d164b60.dynamic.MYPROVIDER******
postfix/smtp[17636]: 88CE9520C88: to=<testmailtoyah00@yahoo.de>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=0.31, delays=0.1/0.01/0.21/0, dsn=4.7.5, status=deferred (Server certificate not verified)

#2

You have any response from their MTA in a logfile?


#3

Sorry, forgot to post the log. Edited it.


#4

Can you check one parameter in your config please?

smtp_tls_security_level=

I am not sure if all of them support SSL.


#5

smtpd_tls_cert_file=/etc/letsencrypt/live/mydomain.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mydomain.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = secure
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs

#6

http://www.postfix.org/postconf.5.html#smtp_tls_security_level

This security level is not an appropriate default for systems delivering mail to the Internet.

If you want to send mails to the internet, you should not have smtp_tls_security_level set to secure. You should use dane or may.


#7

Yes, try to set smtp_tls_security_level=may, then you can send e-mails to them even if they don’t allow or support SSL.


#8

Thanks. Now it’s working. I remember that I changed it to “secure” because I wanted to send and receive my mails as securely as possible. I tested it weeks ago by sending a mail to test@sempertv.de (they only accept secure mails) and all mails came back with the statement “Must issue a STARTTLS command first”. So I found some settings to fix this, and they recommended smtp_tls_security_level = secure besides some other settings (I posted above).

Anyways: Now everything works fine and I can also send mails to test@sempertv.de and they don’t come back.

Thanks.


#9

You might be interested in https://www.cs-ware.de/blog/archives/175 which tries to selectively set smtp_tls_security_level = secure for known popular sites.
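As an added example that is not part of this thread (and not taken from the cs-ware.de post), here is the global setting from #5 beside the main.cf that #6 and #9 describe: a default that still delivers to the Internet, plus a per-destination policy map that keeps “secure” only for chosen sites. The destination partner.example, its match= names and the CA bundle path are assumptions.

```ini
# /etc/postfix/main.cf (added example, not the thread's own config)

# The setting from #5. "secure" demands a verified certificate from
# EVERY destination, so any MX whose certificate does not chain to a
# CA in /etc/ssl/certs is deferred with "Server certificate not verified"
# (dsn=4.7.5 in the log above). Leave this commented out.
#smtp_tls_security_level = secure

# Default for Internet delivery: "dane" verifies via TLSA records where
# the remote MX publishes them under DNSSEC and falls back to
# opportunistic "may" everywhere else. It needs a DNSSEC-validating
# resolver on the same host; if you do not have one, use "may".
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec

# Trust store for certificate verification. The CAfile path is the
# Debian/Ubuntu bundle and is an assumption; adjust for your distribution.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs

# Log the TLS level actually negotiated ("Trusted", "Verified", "Untrusted",
# "Anonymous") so weak connections show up in the mail log.
smtp_tls_loglevel = 1

# Per-destination override: "secure" only for sites known to present a
# verifiable certificate. Lookup key is the recipient domain / next-hop.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# ---------------------------------------------------------------------
# /etc/postfix/tls_policy   (run: postmap /etc/postfix/tls_policy)
#
# partner.example is a placeholder. "match=" lists the names the MX
# certificate must carry; without it, "secure" matches the next-hop
# domain and its parent (.partner.example) by default.
# partner.example     secure match=.partner.example:partner.example
#
# Sites with DANE records can be pinned to it so a missing TLSA record
# is treated as a failure instead of falling back to opportunistic TLS:
# dane.example        dane-only
```

After editing, run `postmap /etc/postfix/tls_policy` and `postfix reload`, then watch the mail log for the negotiated level of each delivery.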


#10

Try this STARTTLS testing tool: http://checktls.com/


#11

CheckTLS Confidence Factor: 100
Everything at 100%.
Thanks!