Weird... From that list of hostnames, only mail.acmusicalexcellence.com responds with the correct certificate (and mail.360paintingofwilliamsoncounty.com seems to point to a different IP address and is down).

Somehow I have the feeling that the tls_server_sni_maps directive isn't working properly, although I can't explain why mail.acmusicalexcellence.com does work... If I read the documentation at Postfix Configuration Parameters correctly, Postfix wants to have a single file in the format <PRIVKEY><LEAF CERT><INTERMEDIATE 1><OPTIONAL INTERMEDIATE 2>. Are there any warnings or errors in the Postfix log files regarding this directive?
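As an added illustration of the file layout described above (not code from this thread or from the Postfix project), the script below assembles the per-hostname bundle in the order Postfix requires for tls_server_sni_maps, prints the matching map line, and checks that the key really comes first. The hostname, the certbot-style privkey.pem/fullchain.pem paths and the output directory are assumptions; the demo PEM blocks are constructed stand-ins, not real keys or certificates.

```shell
#!/bin/sh
# Build and sanity-check the per-hostname PEM bundle that Postfix's
# tls_server_sni_maps expects: private key first, then the leaf
# certificate, then the intermediate(s). Paths and hostnames below are
# assumptions for illustration, not values from the thread.
set -e

# assemble_sni_pem HOSTNAME PRIVKEY FULLCHAIN OUTDIR
# Writes OUTDIR/HOSTNAME.pem = key + fullchain (certbot's fullchain.pem is
# already leaf followed by intermediates) and prints the map source line.
assemble_sni_pem() {
  out="$4/$1.pem"
  # Subshell so the restrictive umask does not leak; the bundle holds the key.
  ( umask 077; cat "$2" "$3" > "$out" )
  printf '%s %s\n' "$1" "$out"   # "hostname /path" line for the sni map file
}

# check_sni_pem FILE
# Succeeds only if the first PEM block is a private key and every later
# block is a certificate, i.e. the order Postfix requires.
check_sni_pem() {
  awk '
    /^-----BEGIN / {
      n++
      if (n == 1 && $0 !~ /PRIVATE KEY-----$/) bad = 1
      if (n > 1 && $0 !~ /CERTIFICATE-----$/) bad = 1
    }
    END { if (bad || n < 2) exit 1 }
  ' "$1"
}

# make_demo_inputs DIR
# Writes constructed, non-functional PEM stand-ins so the script can be
# exercised offline; a real deployment uses the CA-issued files instead.
make_demo_inputs() {
  printf -- '-----BEGIN PRIVATE KEY-----\nDEMOKEY\n-----END PRIVATE KEY-----\n' \
    > "$1/privkey.pem"
  printf -- '-----BEGIN CERTIFICATE-----\nDEMOLEAF\n-----END CERTIFICATE-----\n' \
    > "$1/fullchain.pem"
  printf -- '-----BEGIN CERTIFICATE-----\nDEMOINTERMEDIATE\n-----END CERTIFICATE-----\n' \
    >> "$1/fullchain.pem"
}
```

After the map source file is written, the table is built with postmap -F (which stores the file contents, not the path) and the served chain can be inspected per hostname with openssl s_client -starttls smtp -servername.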
Not seeing any errors that relate to what we're discussing... I'll keep looking.
Found a DNS problem on 360painting.... Fixed.
I've checked configuration files everywhere, and not finding where this is coming from.
Thanks for your help, Osiris. I have identified the problem. It's the reverse DNS record. It points to acmusicalexcellence. When I tried using that domain to send email using the mail.acmusicalexcellence host name, it works perfectly. So, for anyone who gets an "UntrustedRoot" error, check your reverse DNS record and make sure that you use that as your server name. This is going to be a problem particularly with a server or VPS with multiple domains on it.
Thanks for the feedback!
So if I understand you correctly, Postfix does not function properly regarding the SNI functionality when the reverse DNS is different than the hostname set on the server?
That's correct, although this is a very specific situation. I'm writing a .NET Blazor app utilizing Mailfix. When Mailfix attempts to get a secure SMTP connection to the server, it checks the reverse proxy. If the reverse proxy does not resolve to the smtp server name you gave it, it refuses the connection. In my case, I chose to set my reverse proxy for the domain I intended to use most often. Here's the article that verified that: ptr record - Reverse DNS Setup for an IP with multiple domains - Server Fault