Hi,

I'm using Debian 10, an old Debian release. The Postfix version is 3.4.23.

I found the following in the log; it says "certificate verification failed for smtp.gmail.com[64.233.189.109]:465: self-signed certificate"
--------8<--------8<--------8<--------
Mar 20 21:27:38 SERVER postfix/qmgr[12913]: DC7D0140531: from=<myn...@gmail.com>, size=122883, nrcpt=1 (queue active)
Mar 20 21:27:38 SERVER postfix/smtp[15534]: certificate verification failed for smtp.gmail.com[64.233.189.109]:465: self-signed certificate
Mar 20 21:27:38 SERVER postfix/smtp[15534]: Untrusted TLS connection established to smtp.gmail.com[64.233.189.109]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 20 21:27:38 SERVER postfix/smtp[15534]: DC7D0140531: to=<some...@some.com>, relay=smtp.gmail.com[64.233.189.109]:465, delay=2789, delays=2789/0.08/0.06/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
--------8<--------8<--------8<--------

openssl and curl have no problem verifying smtp.gmail.com:465. Below is the openssl example:
--------8<--------8<--------8<--------
$ openssl s_client -4 -connect smtp.gmail.com:465 -CAfile /etc/ssl/certs/ca-certificates.crt
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:CN = smtp.gmail.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEhzCCA2+gAwIBAgIQCrASK3egcWgQSjqRjoQ8iDANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
QzETMBEGA1UEAxMKR1RTIENBIDFDMzAeFw0yNDAyMTkwODE4MTVaFw0yNDA1MTMw
ODE4MTRaMBkxFzAVBgNVBAMTDnNtdHAuZ21haWwuY29tMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEzMkkeWMHpTkBU1wI2rgLq8jtzauypsQYFrc52brXD+yH50u3
0cVzi6ejSjhGni0d7fWxo+A4R91kOrCSsYDwYqOCAmcwggJjMA4GA1UdDwEB/wQE
AwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW
BBRaOURu5t91CGymCb0ym2q68LcxVzAfBgNVHSMEGDAWgBSKdH+vhc3ulc09nNDi
RhTzcTUdJzBqBggrBgEFBQcBAQReMFwwJwYIKwYBBQUHMAGGG2h0dHA6Ly9vY3Nw
LnBraS5nb29nL2d0czFjMzAxBggrBgEFBQcwAoYlaHR0cDovL3BraS5nb29nL3Jl
cG8vY2VydHMvZ3RzMWMzLmRlcjAZBgNVHREEEjAQgg5zbXRwLmdtYWlsLmNvbTAh
BgNVHSAEGjAYMAgGBmeBDAECATAMBgorBgEEAdZ5AgUDMDwGA1UdHwQ1MDMwMaAv
oC2GK2h0dHA6Ly9jcmxzLnBraS5nb29nL2d0czFjMy9mVkp4YlYtS3Rtay5jcmww
ggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgDuzdBk1dsazsVct520zROiModGfLzs
3sNRSFlGcR+1mwAAAY3AqKz3AAAEAwBHMEUCIQDODj3d6tB3O52F9JGeHcoQHvHa
slsfd24LzJkh4vaT8QIgRYpJ5/KtmHRedvtIMpk5cphz7YQtNR9xCJqS/HZp+RkA
dgDatr9rP7W2Ip+bwrtca+hwkXFsu1GEhTS9pD0wSNf7qwAAAY3AqK5zAAAEAwBH
MEUCIGnYz1wq87LoxyEFmfNJMUpu3tbe+SoXEICpiSMb0QT2AiEA6RfPUZfe+KL4
d+1tNrMI7JcbS/7i1iluGfg7i7qvAzQwDQYJKoZIhvcNAQELBQADggEBAAedT7Wd
Wf65c+210Rukhm/D3Gpku3QsYzo0fnAgGP4pTaH1w9DZN9YUSOoxlsfxBdldDdjy
OBTOyf/anQCZGyTb6RTJcCDq39xRiDBxp/S5p/hOhSMqezjQkj4r+dNg3yBMQ9vM
YVXjxQMNkEnBuaqF6gmymJITZ96cEiY7csPUemQp2qvBpwwkTlk09r36tg2llyN8
H2sGfiI+aMP+zTcCl96kBWh4W+dT+C90bjbZQvhzzuUT+sInPtUqcsCQ8ZNUeaY1
cwZlzV1fHFnDfHaMZN+3PO2eVHlbxR97v7FO6wLZYCPmcqlB2sj1uxucMT4tXaE7
pV0EwxaTDEzCaUs=
-----END CERTIFICATE-----
subject=CN = smtp.gmail.com

issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4295 bytes and written 386 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: BF3720957764F292088B747CAB9764DC744CF9D40FD60FBB743AFADE7B74D5F6
    Session-ID-ctx:
    Resumption PSK: 52E8D459E26A5E1C0005DEAA70BFEAE44CDFA2E884A26709BD4FF34DF08639F74A4AE17B2C400C3EFBC0BD19164458B4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 02 c4 7d 37 12 90 68 40-1e 21 95 25 51 12 e3 10   ..}7..h@.!.%Q...
    0010 - 40 19 02 72 c3 8c 08 cd-bf dd d0 43 95 8f d0 d3   @..r.......C....
    0020 - 42 2f d3 20 a8 56 03 24-74 3e a6 90 bc ac 3c 34   B/. .V.$t>....<4
    0030 - f2 54 d5 69 7a 30 88 cb-6d c0 e9 a6 95 56 05 1e   .T.iz0..m....V..
    0040 - 94 57 e7 46 b8 36 8a fc-19 1e c3 a2 13 9b 52 b8   .W.F.6........R.
    0050 - 1c b1 2a b1 5e a0 24 f1-64 5f 43 f2 d8 eb 00 6e   ..*.^.$.d_C....n
    0060 - f1 93 e3 d3 05 ea 27 fb-e0 77 8d 85 0a 44 09 cb   ......'..w...D..
    0070 - c2 7a 3b c5 86 40 03 98-eb 60 53 79 1b db 37 90   .z;..@...`Sy..7.
    0080 - df 9b 39 5c bf 00 65 ba-09 5e a0 78 f6 f3 0c 44   ..9\..e..^.x...D
    0090 - a6 fb c5 86 57 7f 66 11-db 42 6f ba df c5 04 cd   ....W.f..Bo.....
    00a0 - 88 f5 3b 85 49 f0 89 6e-14 39 72 e1 64 7f e5 26   ..;.I..n.9r.d..&
    00b0 - ec da 76 cd 8e c6 22 ea-49 8a 95 0e 50 82 d8 ec   ..v...".I...P...
    00c0 - ae 79 81 fb 43 e7 88 dd-dd 15 4d 66 c2 b0 6a 3a   .y..C.....Mf..j:
    00d0 - 12 1f fb cd b9 dc 15 35-49 bd b4 f6 5c 2a 99 1a   .......5I...\*..
    00e0 - 7f df 1b ae 54 50 45 4c-cd 6a 25 b7 c3 6e 58      ....TPEL.j%..nX

    Start Time: 1710942237
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: FEC69105252A9A97280C6535905211A35F1E8BD333DD40CD4D319136EA1C8F19
    Session-ID-ctx:
    Resumption PSK: 26C383ECC0AD554238EC26AA77E44BCFCCBAF5348735842F45DD76C446E865E886C3EB1438944C6EDCA01ED015EEA8DF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 02 c4 7d 37 12 90 68 40-1e 21 95 25 51 12 e3 10   ..}7..h@.!.%Q...
    0010 - 55 a6 26 b6 38 07 2d 71-0b fe b1 91 f4 61 48 35   U.&.8.-q.....aH5
    0020 - 3b ac b8 66 dd f3 f1 f2-e5 bc aa b9 2b e8 b2 56   ;..f........+..V
    0030 - ad 3b 8c 9b 80 2b 02 73-4a 2d 78 57 ec 04 42 2c   .;...+.sJ-xW..B,
    0040 - bc 8d 12 01 36 62 36 33-63 19 4e 10 f8 fe b4 86   ....6b63c.N.....
    0050 - 3b 84 c8 e4 d4 ed e2 32-ab b6 92 98 e6 4b 0f 12   ;......2.....K..
    0060 - d4 39 96 d0 ef bd 5e bf-5c a7 67 58 d0 93 27 fa   .9....^.\.gX..'.
    0070 - 04 49 08 bf fa db 3e 16-5a 14 2b 26 e6 23 4e 17   .I....>.Z.+&.#N.
    0080 - d4 8f bf c0 29 27 1e 06-eb 4a 17 94 8f 0b 4a 99   ....)'...J....J.
    0090 - 0a e6 5b 84 a9 70 65 6e-8c ae b4 34 da e4 9e fd   ..[..pen...4....
    00a0 - 49 8a 19 4c 04 03 75 70-70 8f f9 71 cd f7 6e fc   I..L..upp..q..n.
    00b0 - 75 37 30 48 ee 5e 7f 93-84 20 0d 0e 1b e4 f3 76   u70H.^... .....v
    00c0 - 58 d7 47 a5 68 4f 2f da-9b 4d f4 52 59 42 c9 1b   X.G.hO/..M.RYB..
    00d0 - 74 8f d6 fe 90 66 67 22-06 3e 07 2b b1 e7 25 0e   t....fg".>.+..%.
    00e0 - 92 aa ac 10 54 50 45 27-bd db 9f ec a7 31 f2      ....TPE'.....1.

    Start Time: 1710942237
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
220 smtp.gmail.com ESMTP b10-20020a170903228a00b001e026392e9csm6415371plh.51 - gsmtp
Q
DONE
--------8<--------8<--------8<--------

I have configured sender_dependent_default_transport_maps so that mail from @gmail.com senders uses smtp.gmail:[smtp.gmail.com]:465.

The smtp.gmail transport is below:
--------8<--------8<--------8<--------
smtp.gmail   unix  -       -       n       -       -       smtp
    -o smtp_generic_maps=regexp:/etc/postfix/smtp_generic_maps
    -o smtp_header_checks=pcre:/etc/postfix/smtp_header_checks
    -o smtp_helo_name=localhost
    -o smtp_tls_wrappermode=yes
    -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
--------8<--------8<--------8<--------

Of course, I also configured smtp_sasl_password_maps to log in to Gmail.

I believe my transport and SASL configurations are fine, since the problem is that Postfix thinks smtp.gmail.com:465 uses a self-signed certificate.

Do you have any idea how to solve this problem?
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
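The log excerpt above is worth reading as a detection problem, not only as a troubleshooting one. Postfix logs the OpenSSL verification error, then a "<level> TLS connection established" line, then the per-recipient status, all from the same smtp process. Here the status is "deferred (Server certificate not trusted)", which is what Postfix does when the configured security level mandates a verified certificate; at the opportunistic levels (may, encrypt) the same "Untrusted TLS connection" would have been used and the mail sent, with nothing but that one log line to show that nobody authenticated the server. Note also that the openssl s_client run above negotiated an ECDSA leaf ("Peer signature type: ECDSA", EC public key in the certificate), while the Postfix log shows "server-signature RSA-PSS (2048 bits)", so the two clients were not necessarily shown the same chain, which is another reason to judge the problem from Postfix's own log lines rather than from a different client's handshake.

The following Python script is an added example, not code from the post or from the Postfix project. It joins each postfix/smtp delivery line to the TLS lines its process logged just before it and labels the outcome. The sample log is constructed: the first four lines are modelled on the ones quoted in the post (addresses replaced with example.* names), and the two later deliveries (a "Trusted" one and an "Untrusted" one that was still sent) are invented to show the other outcomes, so the example goes beyond the single deferred case in the post. The hostnames mx.example.org and mail.example.com and the queue IDs 1A2B3C4D5E and 9F8E7D6C5B are likewise made up.

```python
import re
from collections import Counter

# Constructed sample, modelled on the postfix/smtp lines quoted in the post
# (addresses replaced with example.* names) plus two invented deliveries that
# show the other two outcomes a triage tool has to tell apart.
SAMPLE_LOG = """\
Mar 20 21:27:38 SERVER postfix/qmgr[12913]: DC7D0140531: from=<sender@example.com>, size=122883, nrcpt=1 (queue active)
Mar 20 21:27:38 SERVER postfix/smtp[15534]: certificate verification failed for smtp.gmail.com[64.233.189.109]:465: self-signed certificate
Mar 20 21:27:38 SERVER postfix/smtp[15534]: Untrusted TLS connection established to smtp.gmail.com[64.233.189.109]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 20 21:27:38 SERVER postfix/smtp[15534]: DC7D0140531: to=<rcpt@example.net>, relay=smtp.gmail.com[64.233.189.109]:465, delay=2789, delays=2789/0.08/0.06/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Mar 20 21:30:01 SERVER postfix/smtp[15601]: Trusted TLS connection established to mx.example.org[192.0.2.25]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 20 21:30:01 SERVER postfix/smtp[15601]: 1A2B3C4D5E: to=<a@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=0.5, delays=0.1/0.1/0.2/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar 20 21:31:12 SERVER postfix/smtp[15602]: certificate verification failed for mail.example.com[198.51.100.7]:25: unable to get local issuer certificate
Mar 20 21:31:12 SERVER postfix/smtp[15602]: Untrusted TLS connection established to mail.example.com[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 20 21:31:12 SERVER postfix/smtp[15602]: 9F8E7D6C5B: to=<b@example.com>, relay=mail.example.com[198.51.100.7]:25, delay=0.7, delays=0.1/0.1/0.3/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
"""

# Only postfix/smtp lines carry the client-side TLS outcome; the pid ties them together.
SMTP_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
VERIFY_FAIL = re.compile(r"^certificate verification failed for (?P<relay>\S+): (?P<reason>.+)$")
TLS_ESTAB = re.compile(
    r"^(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to (?P<relay>\S+): (?P<params>.+)$")
DELIVERY = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+): to=<(?P<to>[^>]*)>, relay=(?P<relay>\S+), .*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<detail>.*)\)$")


def parse_smtp_events(log_text):
    """Join each delivery line to the TLS lines the same smtp process logged before it."""
    state = {}    # pid -> last TLS outcome seen for that process
    records = []
    for line in log_text.splitlines():
        m = SMTP_LINE.match(line)
        if not m:
            continue  # qmgr, cleanup, etc. are not needed here
        pid, msg = m.group("pid"), m.group("msg")
        st = state.setdefault(pid, {"relay": None, "level": None, "error": None, "pending_error": None})
        v, t, d = VERIFY_FAIL.match(msg), TLS_ESTAB.match(msg), DELIVERY.match(msg)
        if v:
            st["pending_error"] = v.group("reason")           # logged before "established"
        elif t:
            st["relay"], st["level"] = t.group("relay"), t.group("level")
            st["error"], st["pending_error"] = st["pending_error"], None
        elif d:
            # With connection caching one process may talk to several relays in turn,
            # so only attach the TLS state if it was logged for this very relay.
            same_relay = st["relay"] == d.group("relay")
            records.append({
                "qid": d.group("qid"), "to": d.group("to"), "relay": d.group("relay"),
                "status": d.group("status"), "dsn": d.group("dsn"), "detail": d.group("detail"),
                "tls_level": st["level"] if same_relay else None,
                "verify_error": st["error"] if same_relay else None,
            })
    return records


def classify(rec):
    """Label a delivery by what the TLS outcome means for the mail that was sent."""
    if rec["status"] != "sent":
        if "certificate" in rec["detail"].lower():
            # verify/secure levels: Postfix refused to deliver over an unverified channel
            return "deferred: certificate verification enforced"
        return "not sent: " + rec["status"]
    if rec["tls_level"] in ("Trusted", "Verified"):
        return "sent: authenticated TLS"
    if rec["tls_level"] in ("Untrusted", "Anonymous"):
        # may/encrypt levels: the mail went out to a server nobody authenticated
        return "sent: UNAUTHENTICATED TLS"
    return "sent: no TLS logged"


def summarize(log_text):
    """Count outcomes and collect the distinct verification errors per relay host."""
    records = parse_smtp_events(log_text)
    counts = Counter(classify(r) for r in records)
    errors = {}
    for r in records:
        if r["verify_error"]:
            errors.setdefault(r["relay"].split("[")[0], set()).add(r["verify_error"])
    return counts, errors


if __name__ == "__main__":
    counts, errors = summarize(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{n:3d}  {label}")
    for relay, errs in sorted(errors.items()):
        print(f"{relay}: {', '.join(sorted(errs))}")
```

Run it against a real mail log with `summarize(open("/var/log/mail.log").read())`; the "sent: UNAUTHENTICATED TLS" bucket is the one to alert on for relays that are supposed to be verified, and the per-relay error set separates a trust-store problem ("unable to get local issuer certificate", "self-signed certificate") from a hostname mismatch or an expired certificate without having to reproduce the handshake with another client.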
