Gmail on Postfix: Updating your Certificates

There are many guides on the web for setting up a Postfix mail server to work with Gmail, for example:

http://www.marksanborn.net/linux/send-mail-postfix-through-gmails-smtp-on-a-ubuntu-lts-server/

I have a separate Gmail account for sending server notifications, such as mdadm failures, SMART warnings, etc. Step 4 of the guide given above involves copying the Thawte Premium Server Certificate Authority certificate to the end of your server certificate. Recently, my setup stopped working and I noticed the following errors in /var/log/mail.info:

Jun 11 03:47:38 ******* postfix/smtp[2496]: certificate verification failed for smtp.gmail.com[74.125.113.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Jun 11 03:47:38 ******* postfix/smtp[2452]: Untrusted TLS connection established to smtp.gmail.com[74.125.113.109]:587: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jun 11 03:47:38 ******* postfix/smtp[2452]: C702D32C1A7: to=<*******>, relay=smtp.gmail.com[74.125.113.109]:587, delay=420914, delays=420912/0.08/2.5/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Jun 11 03:47:38 ******* postfix/smtp[2506]: certificate verification failed for smtp.gmail.com[74.125.113.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Jun 11 03:47:38 ******* postfix/smtp[2514]: certificate verification failed for smtp.gmail.com[74.125.113.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Jun 11 03:47:38 ******* postfix/smtp[2483]: Untrusted TLS connection established to smtp.gmail.com[74.125.113.109]:587: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jun 11 03:47:38 ******* postfix/smtp[2496]: Untrusted TLS connection established to smtp.gmail.com[74.125.113.109]:587: TLSv1 with cipher RC4-MD5 (128/128 bits)

It turns out that Gmail now uses a different Certificate Authority: Equifax Secure Certificate Authority. So, to get things working again, simply use the Equifax certificate in step 4 in place of the Thawte one. The Equifax Secure Certificate Authority certificate can be found here:

https://www.geotrust.com/resources/root-certificates/index.html
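
Added example (not part of the original post): a small Python script that scans Postfix log lines like the ones quoted above and reports, per relay, which issuer the SMTP client refused to trust and which queued messages were deferred because of it, so you can see which CA certificate is missing from your trust file. The sample log is constructed from the lines in the post (host name and recipient are placeholders), and the function name summarize is hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the log lines quoted in the post;
# "host" and "user@example.com" are placeholders for the masked values.
SAMPLE_LOG = """\
Jun 11 03:47:38 host postfix/smtp[2496]: certificate verification failed for smtp.gmail.com[74.125.113.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Jun 11 03:47:38 host postfix/smtp[2452]: Untrusted TLS connection established to smtp.gmail.com[74.125.113.109]:587: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jun 11 03:47:38 host postfix/smtp[2452]: C702D32C1A7: to=<user@example.com>, relay=smtp.gmail.com[74.125.113.109]:587, delay=420914, delays=420912/0.08/2.5/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Jun 11 03:47:38 host postfix/smtp[2506]: certificate verification failed for smtp.gmail.com[74.125.113.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
"""

# "certificate verification failed for host[ip]:port: untrusted issuer <DN>"
VERIFY_FAIL = re.compile(
    r"postfix/smtp\[\d+\]: certificate verification failed for "
    r"(?P<relay>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"untrusted issuer (?P<issuer>/.+)$"
)
# Delivery status line for a message deferred because of the trust failure.
DEFERRED = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<[^>]*>, "
    r"relay=(?P<relay>[^\[\s]+)\[.*"
    r"status=deferred \(Server certificate not trusted\)"
)

def summarize(lines):
    """Return (Counter of (relay, issuer DN), dict relay -> set of queue IDs)."""
    issuers = Counter()
    deferred = {}
    for line in lines:
        line = line.rstrip("\n")
        m = VERIFY_FAIL.search(line)
        if m:
            issuers[(m["relay"], m["issuer"])] += 1
            continue
        m = DEFERRED.search(line)
        if m:
            deferred.setdefault(m["relay"], set()).add(m["qid"])
    return issuers, deferred

if __name__ == "__main__":
    issuers, deferred = summarize(SAMPLE_LOG.splitlines())
    for (relay, issuer), count in issuers.most_common():
        print(f"{relay}: {count} verification failure(s), untrusted issuer {issuer}")
    for relay, qids in deferred.items():
        print(f"{relay}: deferred queue IDs {', '.join(sorted(qids))}")
```

To run it against a real log, pass an open file object for /var/log/mail.info to summarize instead of the sample lines.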
