Trusted TLS with Postfix

If you’re seeing a lot of messages about untrusted TLS connections in your mail log when running postfix like this…

Untrusted TLS connection established to ASPMX.L.GOOGLE.com[172.217.197.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

… there’s a pretty easy fix.

This fix assumes you already have SSL certificates correctly created and configured with postfix.

Edit the file /etc/postfix/main.cf and add the following lines …

smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs

… then restart postfix.

You should then start seeing most of those untrusted connections as trusted.

Trusted TLS connection established to aspmx.l.google.com[172.217.197.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

You may still see some untrusted connections, but those are probably servers that aren’t using an SSL certificate issued by a valid certificate authority (CA). Usually these are self-signed certificates.
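As an added example (not from the original post), the script below does the two steps above in a repeatable way and then checks the result in the mail log: it sets both CApath parameters in a main.cf without creating duplicate entries, counts Trusted versus Untrusted connection lines, and lists the peers that still log as Untrusted so you can see which remote servers present a certificate that does not chain to a CA in the directory. It assumes the post's Debian/Ubuntu CA directory, /etc/ssl/certs (RHEL-family systems keep the bundle elsewhere), and the main.cf and log lines it operates on are constructed sample data modelled on the post's output, including an invented self-signed peer named mx.selfsigned.example. On a real box you would point it at /etc/postfix/main.cf and /var/log/mail.log and follow with a postfix reload; one point worth keeping in mind is that with Postfix's default opportunistic setting (smtp_tls_security_level = may) the CA path only changes how the peer's certificate is classified in the log, not whether mail is delivered, so those remaining Untrusted peers still receive mail.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumes a Debian/Ubuntu-style
# system CA directory at /etc/ssl/certs (the path the post uses).
set -e

CA_PATH="/etc/ssl/certs"

# set_param FILE KEY VALUE: rewrite an existing "KEY = ..." line in FILE or
# append one, so running it twice leaves exactly one definition.
set_param() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# configure_capath FILE: the two settings the post adds to main.cf.
configure_capath() {
    set_param "$1" smtp_tls_CApath "$CA_PATH"
    set_param "$1" smtpd_tls_CApath "$CA_PATH"
}

# param_count FILE KEY: number of definitions of KEY (expected 1 afterwards).
param_count() {
    grep -c "^[[:space:]]*$2[[:space:]]*=" "$1" || true
}

# tls_count LOGFILE LEVEL: count "LEVEL TLS connection established" lines,
# LEVEL being Trusted, Untrusted, Verified or Anonymous as Postfix logs them.
tls_count() {
    grep -c "$2 TLS connection established" "$1" || true
}

# untrusted_peers LOGFILE: hostnames that still log as Untrusted, i.e. peers
# whose certificate chain does not lead to a CA in CA_PATH (often self-signed).
untrusted_peers() {
    grep 'Untrusted TLS connection established to' "$1" \
      | sed 's/.*established to \([^[]*\)\[.*/\1/' | sort -u
}

# Constructed sample data (not real files): a minimal main.cf that already
# carries one of the keys with an empty value, and three log lines modelled on
# the post's output plus one invented self-signed peer.
WORK=$(mktemp -d)
cat > "$WORK/main.cf" <<'EOF'
myhostname = mail.example.com
smtp_tls_security_level = may
smtp_tls_CApath =
EOF
cat > "$WORK/mail.log" <<'EOF'
Mar  1 10:00:01 mail postfix/smtp[1234]: Untrusted TLS connection established to ASPMX.L.GOOGLE.com[172.217.197.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  1 10:05:01 mail postfix/smtp[1240]: Trusted TLS connection established to aspmx.l.google.com[172.217.197.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  1 10:06:01 mail postfix/smtp[1241]: Untrusted TLS connection established to mx.selfsigned.example[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
EOF

configure_capath "$WORK/main.cf"
configure_capath "$WORK/main.cf"   # second run must not add duplicate keys
echo "main.cf after the change:"; cat "$WORK/main.cf"
echo "trusted: $(tls_count "$WORK/mail.log" Trusted), untrusted: $(tls_count "$WORK/mail.log" Untrusted)"
echo "peers still logging as Untrusted:"; untrusted_peers "$WORK/mail.log"
```

On a production host, `postconf -e 'smtp_tls_CApath = /etc/ssl/certs'` is the supported way to make the same edit; the sed-based helper here exists only so the example runs where Postfix is not installed.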

It’s quite easy to configure postfix to use a Let’s Encrypt certificate … but that’s another post.
