Mail delivery to Gmail account fails: certificate verification failed for *.l.google.com

Created:

2016-11-16 12:56:48 UTC

Modified:

2017-04-27 11:36:14 UTC

1

Was this article helpful?


Have more questions?

Submit a request

Mail delivery to Gmail account fails: certificate verification failed for *.l.google.com

Applicable to:

  • Plesk for Linux

Symptoms

Outgoing mail delivery to Gmail (or other server which has SSL enabled and configured with valid certificate) accounts fails with error in /usr/local/psa/var/log/maillog :

from=<local@example.com>, size=666, nrcpt=1 (queue active)
certificate verification failed for gmail-smtp-in.l.google.com: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
F01C9680292: to=<test@gmail.com>

Note: There may be another address of Gmail's SMTP server, like aspmx.l.google.com . This solution is valid for any cases where messages contain untrusted issuer string.

Cause

Certificate Authority (CA) certificate is missing in /etc/postfix/main.cf .

The server does not trust valid CAs.

Resolution

  1. Make sure that file /etc/pki/tls/certs/ca-bundle.crt exists (it contains information about valid CAs).

  2. Update OpenSSL package if possible in order to get fresh version of CA bundle.

  3. Add line smtp_tls_CAfile to /etc/postfix/main.cf file as shown below:

    # grep smtp_tls_CAfile /etc/postfix/main.cf
    smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
  4. Restart postfix daemon to apply the changes:

    # /etc/init.d/postfix restart
    Stopping postfix: [ OK ]
    Starting postfix: [ OK ]
Have more questions? Submit a request
Please sign in to leave a comment.