ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Postfix TLS is Failing to Establish a Certificate Chain for the Relying SMTP Server


Article ID: 158313


Updated On:


Mobility Suite


Emails are not being delivered from the App Center server

Errors may include:

  • status=deferred
  • Connection timed out
  • warning: relayhost
  • configuration problem
  • Host not found


If Postfix is configured to use TLS but there is no root CAcert.pem specifying a Certificate Authority.


Note: This tutorial will not outline how to configure the postfix server.

1. Verify that the following lines are in the /etc/postfix/ file:

    relayhost = []:587
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_tls_CAfile = /etc/postfix/cacert.pem
    smtp_use_tls = may

The above lines configure Postfix to relay mail through on a specific port, telling it to authenticate and where to find the username and password.  The last three lines specify the authentication types supported, where the certificate-authority-file is and that it should use TLS.

2. Define Username and Password:

a. Populate the sasl_passwd file.  Create the file /etc/postfix/sasl_passwd with the following contents:

    []:587    [email protected]:password

3. This file should have restrictive permissions and then needs to be translated into a .db that Postfix will read.

    sudo chmod 400 /etc/postfix/sasl_passwd
    sudo postmap /etc/postfix/sasl_passwd

4. Next add the attached cacert.pem bundle to the /etc/postfix directory.  If an in-house CA is being used, add that CA's chain to this file.

5. Restart postfix by running the following command:

    sudo /etc/init.d/postfix reload

Applies To

CentOS 5.8; RHEL 5.8


cacert.pem get_app