valid SSL cert for Postfix/gmail

Dear All,

I have configured postfix with gmail account.
I’m using built in cert from /etc/ssl/certs/Thawte_Server_CA.pem as /etc/postfix/cacert.pem

When connecting to Gmail I get this response (from /var/log/mail.info):

status=deferred (Server certificate not verified)

How can I obtain a valid SSL certificate for my SLES11SP3?

Regards
GN

can you post your postfix config?

Michael.

[QUOTE=maikcat;29301]can you post your postfix config?

Michael.[/QUOTE]

#transport_maps = hash:/etc/postfix/transport
#sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
#masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = HANA
mydomain = NCC
delay_warning_time = 1h
message_strip_characters = \\0
inet_interfaces = localhost
#masquerade_domains =
#mydestination = $myhostname, localhost.$mydomain
#defer_transports =
mynetworks_style = subnet
#disable_dns_lookups = no
relayhost = [74.125.24.108]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
#smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtp_tls_security_level = verify
#smtp_tls_CApath = /etc/ssl/certs
smtp_use_tls = yes
mailbox_command =
mailbox_transport =
strict_8bitmime = no
disable_mime_output_conversion = no
#smtpd_sender_restrictions = hash:/etc/postfix/access
#smtpd_client_restrictions =
#smtpd_helo_required = no
#smtpd_helo_restrictions =
strict_rfc821_envelopes = no
#smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_use_tls = yes
smtp_enforce_tls = yes
#alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 10240000

and when sending test email from /var/log/mail.info

Aug 26 13:46:18 hanab1h postfix/pickup[29203]: BF9C72D853: uid=0 from=<root>
Aug 26 13:46:18 hanab1h postfix/cleanup[30274]: BF9C72D853: message-id=<20150826134618.BF9C72D853@HANA>
Aug 26 13:46:18 hanab1h postfix/qmgr[25400]: BF9C72D853: from=<root@HANA.NCC>, size=419, nrcpt=1 (queue active)
Aug 26 13:46:18 hanab1h postfix/error[30276]: BF9C72D853: to=<xxx@xxx>, relay=none, delay=0.02, delays=0.01/0/0/0, dsn=4.7.5, status=deferred (delivery temporarily suspended: Server certificate not verified)

Uncomment the smtp_tls_CApath = /etc/ssl/certs directive and make sure Gmail's CA is there…
and restart postfix.

Michael.

can you post your postfix config?

Aditya
CEO of http://www.techgaged.com

[QUOTE=maikcat;29315]and make sure gmails CA is there…
Michael.[/QUOTE]
I have copied

cp /etc/posfix/cacert.pem /etc/ssl/certs/ and restarted postfix - still no luck.

my cacert.pem was created like this:

cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem

Maybe that's why it is obsolete/unrecognizable by the Gmail server?

Regards
GN

You can use openssl s_client -connect to "extract" the cert from Gmail directly.

Michael.
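
The check suggested in the last reply, as an added example that is not part of any post in this thread: it pulls the certificate chain with `openssl s_client` and tests whether one CA file, such as the file named by `smtp_tls_CAfile`, can verify that chain on its own. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are made up for illustration.

# fetch_chain HOST PORT: print the PEM certificates an SMTP server presents
# after STARTTLS. Needs network access; redirect the output to a file.
fetch_chain() {
    openssl s_client -connect "$1:$2" -starttls smtp -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# chain_names CHAIN: print subject and issuer of every certificate in CHAIN,
# which shows the CA whose root must be in the file named by smtp_tls_CAfile.
chain_names() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# ca_verifies CAFILE CHAIN: succeed only if CAFILE by itself anchors CHAIN.
# The first certificate in CHAIN is the leaf; any others are passed as
# untrusted intermediates. SSL_CERT_DIR points at a nonexistent directory so
# the system trust store cannot mask a CA that is missing from CAFILE.
ca_verifies() {
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > (d "/leaf.pem") }
        n > 1  { print > (d "/inter.pem") }' "$2"
    if [ -s "$tmp/inter.pem" ]; then
        out=$(SSL_CERT_DIR="$tmp/none" openssl verify -CAfile "$1" \
              -untrusted "$tmp/inter.pem" "$tmp/leaf.pem" 2>&1)
    else
        out=$(SSL_CERT_DIR="$tmp/none" openssl verify -CAfile "$1" "$tmp/leaf.pem" 2>&1)
    fi
    rm -rf "$tmp"
    # Match the "OK" line rather than relying on the exit status.
    printf '%s\n' "$out" | grep -q ': OK$'
}
```

Typical use, assuming the relay is reached as smtp.gmail.com on port 587 (the hostname is an assumption, the thread only shows an IP address): `fetch_chain smtp.gmail.com 587 > chain.pem`, then `chain_names chain.pem` and `ca_verifies /etc/postfix/cacert.pem chain.pem && echo trusted`.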