If you’re seeing a lot of messages about untrusted TLS connections in your mail log when running postfix like this…
Untrusted TLS connection established to ASPMX.L.GOOGLE.com[220.127.116.11]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
… there’s a pretty easy fix.
This fix assumes you have SSL certificates correctly created & configured with postfix.
Edit the file /etc/postfix/main.cf and add the following lines …
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs
… then restart postfix.
You should then start seeing most of those untrusted connections as trusted.
Trusted TLS connection established to aspmx.l.google.com[18.104.22.168]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
You may still see some untrusted connections, but those are probably servers that aren’t using a SSL certificate that was issued from a valid certificate authority (CA). Usually these are self signed certificates.
It’s quite easy to configure postfix to use a Lets Encrypt certificate … but that’s another post.