
Postfix sending emails to gmail

scool

Basic Pleskian
Hello all.
I need your help about an issue with a Plesk11 server running postfix daemon.

I searched several forums and KBs, but have still not found an acceptable solution.
The main issue is that when any domain hosted on this server tries to send email to @gmail.com, Google sends those emails to the spam folder.

Maillog generated the following:
certificate verification failed for aspmx.l.google.com[173.194.70.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

I found this error on several forums and posts.
It seems Gmail now uses a certificate from Equifax rather than Thawte as before.

What changes are needed on our servers and Postfix in order to avoid user email being delivered to the Gmail spam folder?

I really appreciate any help :)
OS CentOS 6.4 (Final)
Panel version 11.0.9 Update #48
 
Suffering from the same error. +1. Any workaround, anybody? I followed this post of GregHL, but it's not working.

Awaiting response.
Centos 6.4
Panel version 11.5.30

Hi, I followed your link description.

But I don't have any cacert file in /etc/postfix/ssl/. The ssl directory does not exist.

What I have in /etc/postfix/main.cf is: smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
I did cat the Equifax and Thawte certificates into postfix_default.pem, but the error still continues.

postfix/smtp[12959]: certificate verification failed for aspmx.l.google.com[2607:f8b0:4002:c01::1b]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

FYI, my Plesk Postfix main.cf is as follows:

readme_directory = /usr/share/doc/postfix-2.8.14/README_FILES
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
transport_maps = hash:/var/spool/postfix/plesk/transport
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks = 127.0.0.0/8 [::1]/128 xx.08.xx.xx/32 [2607:f1c0:841:fa00::48:14c]/128 192.168.44.1/32 172.16.150.1/32
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, ch$
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, check_client_access pcre:/var/spool/postfix/plesk/no_relay.re, permit$
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:110
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
non_smtpd_milters = , inet:127.0.0.1:12768
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
myhostname = xxx.xxx-server.com
message_size_limit = 10240000

Let me know the workaround.

Centos 6.4 x86_64
Parallels Plesk Panel 11.5.30
 
Are you sure that IP of your server is not blacklisted by Google? Have you checked Google requirements http://www.google.com/mail/help/bulk_mail.html ?

Thanks for replying IgorG.

I have no issue in sending email via Google SMTP servers. I use Google Apps for my domain.
Whenever I send an email, I get to see Google complain of a certification verification error in the Plesk mail logs, as I posted in previous posts.

Could you suggest a way to replace the Google certificate? I always keep my Plesk on the latest updates, yet I still get to see the error.

Please advise.
Thanks.
 
Same Issue

This is the only site I have found that correctly identifies the problem and that there is no resolution as of yet. If you have found this site after searching the web it is likely you are in the correct place.

I have the same issue when sending from the server to email domains hosted on Google Apps. It does not prevent sending, it just complains a bit.

Mar 2 19:07:48 localhost postfix/pickup[18514]: ID: uid=0 from=<localname@localhost>
Mar 2 19:07:48 localhost postfix/cleanup[18618]: ID: message-id=<#######@localhost>
Mar 2 19:07:48 localhost postfix/qmgr[18513]: ID: from=<localname@localhost>, size=2513, nrcpt=1 (queue active)
Mar 2 19:07:49 localhost postfix/smtp[18595]: certificate verification failed for aspmx.l.google.com[74.125.29.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Mar 2 19:07:49 localhost postfix/smtp[18595]: ID: to=<localname@localhost>, relay=ASPMX.L.GOOGLE.COM[74.125.29.27]:25, delay=1.4, delays=0.82/0/0.44/0.18, dsn=2.0.0, status=sent (250 2.0.0 OK 1393805268 q3si2211595qcz.88 - gsmtp)
Mar 2 19:07:49 localhost postfix/qmgr[18513]: ID: removed

As you can see it goes through but that extra line indicates a warning issue that I'd like to see if I can make go away. I have seen on some sites I should add a relay host to my.cnf but I'm not so sure that is the correct method since it is just complaining about the untrusted issuer. With multiple domains on the localhost I wonder if there might be a fix in the next MU.
 
Years pass and the solution is:

http://forum.parallels.com/showthre...-to-edit-without-risk-of-it-being-overwritten

# mkdir ~root/pem-files;
# cd ~root/pem-files/;
# wget http://curl.haxx.se/ca/cacert.pem;
# wget https://www.geotrust.com/resources/...tes/Equifax_Secure_Certificate_Authority.pem;
# wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_eBusiness_CA-1.pem;
# wget https://www.geotrust.com/resources/...tes/Equifax_Secure_Global_eBusiness_CA-1.pem;
# cat cacert.pem Equi*pem > cacert-master.pem;
# cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.back;
# cat cacert-master.pem > /etc/pki/tls/certs/ca-bundle.crt;

(HERE IS THE CATCH)
UPDATE OR *ADD* the following line in /etc/postfix/main.cf (note: should be around 683 or so)
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Write the file to disk and quit ":wq" then
# service postfix restart

No more error:
certificate verification failed for aspmx.l.google.com[74.125.29.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 
Thanks for the answer. Finally the warning disappeared. I followed the steps.
There was no "smtp_tls_CAfile", so I had to manually append that.

On the first try I got the following error in the logs:

cannot load Certificate Authority data: disabling TLS support
Jul 14 04:44:28 sodexis postfix/smtp[13574]: warning: TLS library problem: 13574:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:802:
Jul 14 04:44:28 sodexis postfix/smtp[13574]: warning: TLS library problem: 13574:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:by_file.c:285:

This is because the last 3 certificates added to ca-bundle.crt were ^M-terminated. Ref: http://serverfault.com/questions/316907/ssl-error-unable-to-read-server-certificate-from-file

Clearing that using the Vim editor and restarting Postfix solved the issue.

Thanks all.
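
Added example (not written by any poster in this thread): a pre-flight check for the bundle built in the steps above, run before it replaces ca-bundle.crt and before smtp_tls_CAfile points at it. It catches the ^M line endings reported in this post and, going slightly beyond the thread, BEGIN/END markers glued together when cat joins a file that lacks a final newline. The function names and the dummy certificate body are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for a concatenated PEM bundle.
# Function names are hypothetical; the sample data below is constructed.

# True if the file contains carriage returns (^M), the condition behind
# "PEM_read_bio:bad end line" quoted in the thread.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Print "<BEGIN count> <END count>" for markers that start a line.
marker_counts() {
    b=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    printf '%s %s\n' "$b" "$e"
}

# 0 = looks sane, 1 = CRLF line endings, 2 = missing or unbalanced markers
# (for example two files joined by cat with no newline between them).
check_bundle() {
    if has_crlf "$1"; then return 1; fi
    counts=$(marker_counts "$1")
    b=${counts% *}; e=${counts#* }
    if [ "$b" -eq 0 ] || [ "$b" -ne "$e" ]; then return 2; fi
    return 0
}

# Write an LF-only copy of $1 to $2; the input file is not modified.
strip_cr() {
    tr -d '\r' < "$1" > "$2"
}

# Run the checks on constructed input (dummy base64 body, not a real CA).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/crlf.pem"
    strip_cr "$d/crlf.pem" "$d/lf.pem"
    # Simulate "cat a.pem b.pem" where a.pem has no final newline.
    { printf '%s' "$(cat "$d/lf.pem")"; cat "$d/lf.pem"; } > "$d/glued.pem"
    r1=0; check_bundle "$d/crlf.pem"  || r1=$?
    r2=0; check_bundle "$d/lf.pem"    || r2=$?
    r3=0; check_bundle "$d/glued.pem" || r3=$?
    rm -rf "$d"
    echo "crlf=$r1 lf=$r2 glued=$r3"
}

demo
```

Running check_bundle on cacert-master.pem before the copy keeps a malformed file out of the system bundle; strip_cr writes the cleaned copy to a new file so the downloaded originals stay available for comparison.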
 
Awesome add John, Thanks! I'll have to go back and look at mine, it was pretty late in the morning to solve two PLESKy issues :)
 