On Mon, Feb 10, 2014 at 11:05:50AM -0500, Norton Allen wrote:

> I've noticed the following in my logs:
>
> Feb 9 04:10:01 endymion postfix/smtp[21298]: certificate
> verification failed for gmail-smtp-in.l.google.com: num=20:unable to
> get local issuer certificate
> Feb 9 04:10:01 endymion postfix/smtp[21298]: certificate
> verification failed for gmail-smtp-in.l.google.com:
> num=27:certificate not trusted

Harmless, newer versions of Postfix don't log these warnings when TLS
is opportunistic. You can upgrade if you find these warnings disquieting.

> 1) Is this a misconfiguration on gmail's part? Should they be
> including the intermediate cert along with the host cert during SSL
> negotiation? (just to help me understand my own configuration)

Postfix ignores the system certificate bundle by default. Only
certificates listed in "smtp_tls_CAfile" or (if c_rehash is run with
the directory as argument) "smtp_tls_CApath".

> 2) Is my best option to include the intermediate cert in my
> ca-bundle.crt? And/or can I list more than one bundle so I don't
> have to hack the bundle that yum is maintaining?

No.

> 3) Or should I just disable TLS for SMTP?

You should just ignore these warnings. With smtp_tls_security_level = may,
unauthenticated connections are just as good as authenticated connections,
and authentication warnings are a distraction.

-- 
Viktor.
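
Added example, not part of the original message and not Postfix code: a small Python triage of the log format quoted above. It reports whether each peer's verification failures matter at a given smtp_tls_security_level and whether they point at the local trust store. The function names, verdict labels and the third sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# First two lines are the ones quoted in the message; the third is constructed.
SAMPLE_LOG = """\
Feb 9 04:10:01 endymion postfix/smtp[21298]: certificate verification failed for gmail-smtp-in.l.google.com: num=20:unable to get local issuer certificate
Feb 9 04:10:01 endymion postfix/smtp[21298]: certificate verification failed for gmail-smtp-in.l.google.com: num=27:certificate not trusted
Feb 9 04:12:30 endymion postfix/smtp[21311]: certificate verification failed for mx.example.org: num=10:certificate has expired
"""

FAIL_RE = re.compile(
    r"postfix/smtp\[\d+\]: certificate verification failed for "
    r"(?P<peer>\S+): num=(?P<num>\d+):(?P<reason>.+)$"
)

# OpenSSL verify codes meaning "no path to a local trust anchor", which is what
# an empty smtp_tls_CAfile / smtp_tls_CApath produces for every peer.
NO_TRUST_ANCHOR = {19, 20, 21, 27}

# smtp_tls_security_level values that require a CA-validated peer certificate.
CA_ENFORCING_LEVELS = {"verify", "secure"}


def summarize(log_text):
    """Map each peer to the set of verification error numbers logged for it."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            peers[m["peer"]].add(int(m["num"]))
    return dict(peers)


def triage(log_text, security_level):
    """Return {peer: (verdict, cause, codes)} for the configured security level."""
    verdict = "enforced" if security_level in CA_ENFORCING_LEVELS else "noise"
    result = {}
    for peer, codes in summarize(log_text).items():
        cause = "local-trust-store" if codes <= NO_TRUST_ANCHOR else "peer-certificate"
        result[peer] = (verdict, cause, sorted(codes))
    return result


if __name__ == "__main__":
    for level in ("may", "verify"):
        print(level, triage(SAMPLE_LOG, level))
```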