Postfix TLS is Failing to Establish a Certificate Chain for the Relying SMTP Server

Article ID: 158313

Products

Mobility Suite

Issue/Introduction

Emails are not being delivered from the App Center server

Errors may include:

  • status=deferred
  • Connection timed out
  • warning: relayhost
  • configuration problem
  • Host not found

Cause

Postfix is configured to use TLS, but the CA bundle named by smtp_tls_CAfile (cacert.pem) is missing or does not contain the Certificate Authority that issued the relay server's certificate. Postfix then cannot load Certificate Authority data or build a trusted chain to the relay host, and outbound mail is deferred.

Resolution

Note: This article does not cover general Postfix configuration; it covers only the relay, SASL and TLS settings needed to deliver mail from the App Center server through an authenticated TLS relay.

1. Verify that the following lines are in the /etc/postfix/main.cf file:


    relayhost = [thesmtpserver.yourdomain.com]:587
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_tls_CAfile = /etc/postfix/cacert.pem
    smtp_tls_security_level = may

The first four lines tell Postfix to relay all outbound mail through thesmtpserver.yourdomain.com on the submission port (587; the brackets suppress the MX lookup), to authenticate with SASL, where to find the username and password map, and to refuse anonymous SASL mechanisms. The last two lines name the certificate-authority bundle and set the TLS security level. A level of may is opportunistic TLS: Postfix still needs a loadable CA bundle to verify the relay's certificate chain, and once the chain verifies the level can be raised to verify or secure so that a relay presenting an unverifiable certificate is refused rather than used. (smtp_use_tls is a yes/no parameter from older Postfix releases and does not accept the value may.)

2. Define Username and Password:


a. Create the file /etc/postfix/sasl_passwd with a single line. The lookup key on the left must be exactly the relayhost value from main.cf, brackets and port included, or Postfix will not find the credentials and will not authenticate; the right-hand side is the relay account's username and password separated by a colon:

    [thesmtpserver.yourdomain.com]:587    [email protected]:password


3. The file holds a clear-text password, so give it restrictive permissions, then compile it into the .db lookup table that Postfix actually reads. The generated /etc/postfix/sasl_passwd.db contains the same password and must be kept equally restricted (root-owned and not world-readable); rerun postmap after every edit to sasl_passwd.

    sudo chmod 400 /etc/postfix/sasl_passwd
    sudo postmap /etc/postfix/sasl_passwd

4. Next copy the attached cacert.pem bundle into /etc/postfix so that it matches the smtp_tls_CAfile path above. If the relay uses a certificate issued by an in-house CA, append that CA's chain (the root and any intermediate certificates, in PEM form) to this file; a bundle that does not contain the relay's issuer cannot verify its chain.

5. Reload Postfix so it picks up the new main.cf settings and the sasl_passwd map, then send a test message and watch /var/log/maillog: a working setup logs "Trusted TLS connection established" to the relay host, while "Untrusted TLS connection established" means the session is encrypted but the chain did not verify against cacert.pem.

    sudo /etc/init.d/postfix reload
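A few checks for the setup above, as an added example that is not part of this article or of the Mobility Suite product. It assumes the paths used in the steps (/etc/postfix/main.cf, sasl_passwd and cacert.pem), the article's placeholder relay host, and that the openssl command-line tool is installed. It confirms that sasl_passwd is keyed by the exact relayhost value, that the CA bundle actually contains certificates, and that the relay's certificate chain verifies against that bundle over STARTTLS on port 587, which is what Postfix needs in order to build the chain. The file contents used below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the KB article: sanity checks for the Postfix
# relay/TLS setup. Paths and the relay host are the article's placeholders;
# adjust them for the real system.

# relayhost_of MAIN_CF: print the relayhost value from a main.cf file
# (the last occurrence wins, as it does for Postfix itself).
relayhost_of() {
    sed -n 's/^relayhost[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# connect_target RELAYHOST: turn "[host]:587" into "host:587" for openssl.
# The brackets are Postfix syntax (skip the MX lookup), not part of the name.
connect_target() {
    printf '%s\n' "$1" | tr -d '[]'
}

# sasl_entry_exists MAIN_CF SASL_PASSWD: succeed only if sasl_passwd has a
# line whose lookup key is exactly the relayhost value. A key that differs
# (missing brackets, wrong port, typo) makes Postfix skip authentication.
sasl_entry_exists() {
    key=$(relayhost_of "$1")
    if [ -z "$key" ]; then
        return 1
    fi
    awk -v k="$key" '$1 == k { found = 1 } END { exit !found }' "$2"
}

# count_pem_certs FILE: number of certificates in a PEM bundle. Zero means
# Postfix has no Certificate Authority data to verify the relay against.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_output_ok: read openssl s_client output on stdin; succeed only if
# the chain verified against the supplied CA file.
verify_output_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# check_relay RELAYHOST CAFILE: open a STARTTLS session to the relay and
# verify its certificate chain against the same bundle Postfix uses.
check_relay() {
    openssl s_client -starttls smtp -connect "$(connect_target "$1")" \
        -CAfile "$2" </dev/null 2>/dev/null | verify_output_ok
}

# usage: sh check_relay_tls.sh /etc/postfix/main.cf /etc/postfix/sasl_passwd /etc/postfix/cacert.pem
if [ "$#" -eq 3 ]; then
    relay=$(relayhost_of "$1")
    echo "relayhost: ${relay:-<not set>}"
    if sasl_entry_exists "$1" "$2"; then
        echo "sasl_passwd: key matches relayhost"
    else
        echo "sasl_passwd: NO entry for $relay"
    fi
    echo "CA bundle: $(count_pem_certs "$3") certificate(s)"
    if check_relay "$relay" "$3"; then
        echo "TLS chain: verified"
    else
        echo "TLS chain: NOT verified with $3"
    fi
fi
```

If the last check fails while the bundle is non-empty, the bundle does not contain the relay's issuer (or an intermediate is missing), which is exactly the condition described in the Cause section; fix the bundle rather than lowering the TLS security level.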


Applies To

CentOS 5.8; RHEL 5.8

Attachments

cacert.pem