Trusted TLS with Postfix

If you are seeing a lot of messages about untrusted TLS connections in your mail log when running Postfix, like this one…

Untrusted TLS connection established to ASPMX.L.GOOGLE.com[172.217.197.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

… there is a pretty easy fix. "Untrusted" here means the session was encrypted, but Postfix could not verify the remote server's certificate chain against any CA it trusts. Out of the box Postfix has no trust store configured for its SMTP client (smtp_tls_CApath and smtp_tls_CAfile are both empty), so every peer certificate ends up untrusted, however valid it is.

This fix assumes TLS is already enabled in Postfix, i.e. you have TLS certificates correctly created and configured and a security level such as smtp_tls_security_level = may in place.

Edit the file /etc/postfix/main.cf and add the following lines (or set them with postconf -e) …

smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs

… then reload or restart Postfix. The first line is the one that affects outbound connections and the "Untrusted … to" log lines; smtpd_tls_CApath is only used to verify client certificates presented to your own server. /etc/ssl/certs is the system CA store on Debian and Ubuntu and already contains the hashed symlinks OpenSSL needs to use a directory as a CApath; on other distributions the path differs, and a directory of plain .pem files without those links is silently ignored. If your smtp service runs chrooted (see master.cf), the directory must also exist under the chroot, or use smtp_tls_CAfile pointing at the CA bundle instead, which is loaded before the process enters the chroot.

You should then start seeing most of those untrusted connections logged as trusted.

Trusted TLS connection established to aspmx.l.google.com[172.217.197.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

You may still see some untrusted connections, but those are probably servers using a certificate that was not issued by a certificate authority (CA) in your store. Usually these are self-signed certificates. Two things "Trusted" does not tell you: Postfix only checked that the chain leads to a trusted CA, not that the certificate matches the destination name (that is logged as "Verified" and needs smtp_tls_security_level = verify or secure for that destination, or DANE), and at the default security level of may the mail is delivered whether the connection is trusted, untrusted or even unencrypted. The change makes the log honest about who presents a valid certificate; it does not by itself stop delivery to anyone.
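To check that the CApath is actually usable and to see what changed in the log afterwards, here is an added example script (not from the original post). It assumes a Debian-style syslog line format and constructs a few sample log lines inline; the capath_ok check looks for the hashed symlinks (files named <hash>.0) that OpenSSL requires in a CApath directory, and the two log helpers count outbound connections per trust level and list the destinations still logged as Untrusted, so you can tell the self-signed peers from a misconfigured trust store.

```shell
#!/bin/sh
# Added example, not part of the original post. Sanity checks for the
# smtp_tls_CApath change: verify the CA directory layout and summarise
# Postfix smtp (outbound) TLS log lines by trust level.

# Constructed sample log lines; a real run would use /var/log/mail.log.
SAMPLE_LOG='Mar  1 10:00:01 mx postfix/smtp[1234]: Untrusted TLS connection established to ASPMX.L.GOOGLE.com[172.217.197.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  1 10:00:05 mx postfix/smtp[1235]: Anonymous TLS connection established to mail.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  1 10:05:02 mx postfix/smtp[1240]: Trusted TLS connection established to aspmx.l.google.com[172.217.197.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  1 10:05:09 mx postfix/smtp[1241]: Untrusted TLS connection established to mx.selfsigned.example[198.51.100.7]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  1 10:06:00 mx postfix/smtp[1242]: Verified TLS connection established to mail.example.org[203.0.113.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  1 10:06:30 mx postfix/smtpd[1250]: Anonymous TLS connection established from client.example.com[203.0.113.9]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)'

# A CApath must contain OpenSSL hash links (<hash>.0, <hash>.1, ...), created
# by c_rehash or, on Debian/Ubuntu, by update-ca-certificates. A directory of
# plain .pem files is ignored, so check for at least one such link.
capath_ok() {
  dir=$1
  [ -d "$dir" ] || return 1
  for f in "$dir"/*.0; do
    [ -e "$f" ] && return 0
  done
  return 1
}

# Count outbound (postfix/smtp, not smtpd) TLS log lines at one trust level.
# Postfix logs: Anonymous (no cert), Untrusted (chain not verifiable),
# Trusted (chain verified), Verified (chain verified and name matched).
# Syslog fields: 1-3 date/time, 4 host, 5 "postfix/smtp[pid]:", 6 level.
count_level() {
  log=$1
  level=$2
  printf '%s\n' "$log" | awk -v lvl="$level" '
    $5 ~ /^postfix\/smtp\[/ && $7 == "TLS" && $8 == "connection" && $6 == lvl { n++ }
    END { print n + 0 }'
}

# Distinct destination hosts (lower-cased, "[ip]:port:" stripped) still logged
# as Untrusted after the change: these are the peers whose CA is not in the store.
untrusted_hosts() {
  printf '%s\n' "$1" | awk '
    $5 ~ /^postfix\/smtp\[/ && $6 == "Untrusted" && $10 == "to" {
      host = $11
      sub(/\[.*/, "", host)
      host = tolower(host)
      if (!(host in seen)) { seen[host] = 1; print host }
    }'
}

# Summary over the constructed sample when the script is run directly.
# For a live system, replace SAMPLE_LOG with e.g. "$(cat /var/log/mail.log)"
# and run capath_ok on the directory you put in smtp_tls_CApath.
for lvl in Anonymous Untrusted Trusted Verified; do
  printf '%-9s %s\n' "$lvl" "$(count_level "$SAMPLE_LOG" "$lvl")"
done
printf 'still untrusted: %s\n' "$(untrusted_hosts "$SAMPLE_LOG" | tr '\n' ' ')"
```

Run it once before the main.cf change and once after: the Untrusted count should drop to the handful of self-signed peers, and those are exactly the names untrusted_hosts prints. If capath_ok fails on the directory you configured, Postfix will keep logging everything as Untrusted no matter what main.cf says.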

It is quite easy to configure Postfix to use a Let's Encrypt certificate … but that is another post.
