> On Jan 21, 2019, at 2:40 AM, phoenixsagar <phoenixsag...@gmail.com> wrote:
>
> Logs are like :
> postfix/backend/smtp[95117]: CA certificate verification failed for
> abc-abc.mail.abc.outlook.com[111.111.111.111]:25: certificate has expired

The key context here is "CA certificate verification". The expired certificate is an issuer CA certificate, not the leaf server certificate. This could be either sent by the remote server, or found in the local trust store.

Not infrequently, the problem is a stale certificate in the local trust store, which does need to be kept up to date. Make sure you don't have stale intermediate CA certs in your trust store.

Also post the certificates sent on the wire, which you can capture with:

    $ posttls-finger -cC -Lsummary example.com

FWIW, the relevant source code is below. Perhaps the "depth" should also have been logged to give a more complete context.

tls_verify.c:

    /* tls_log_verify_error - Report final verification error status */

    void    tls_log_verify_error(TLS_SESS_STATE *TLScontext)
    {
        ...
        int     depth = TLScontext->errordepth;

    #define PURPOSE ((depth>0) ? "CA": TLScontext->am_server ? "client": "server")
        ...
        case X509_V_ERR_CERT_HAS_EXPIRED:
        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
            msg_info("%s certificate verification failed for %s: certificate has"
                     " expired", PURPOSE, TLScontext->namaddr);
            break;
        ...
    }

--
Viktor.
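
Added example, not part of the original message or of Postfix: a small log triage that reads the PURPOSE word from the "certificate has expired" message quoted above, so issuer (depth > 0) failures are separated from leaf failures per peer. The function names, the hint texts and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Message format built by tls_log_verify_error() for the expired case;
# the first word is the PURPOSE macro: "CA" (depth > 0), "client" or "server".
EXPIRED_RE = re.compile(
    r"\b(?P<purpose>CA|client|server) certificate verification failed for "
    r"(?P<peer>\S+?\[[^\]]+\](?::\d+)?): certificate has expired"
)

# Where to look first for each PURPOSE value (wording is this example's own).
HINTS = {
    "CA": "issuer cert, depth > 0: check the chain on the wire and the local trust store",
    "server": "leaf cert, depth 0: the remote server's own certificate",
    "client": "leaf cert, depth 0: the remote client's own certificate",
}

def triage(lines):
    """Return {peer: {purpose: count}} for expired-certificate failures."""
    found = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = EXPIRED_RE.search(line)
        if m:
            found[m.group("peer")][m.group("purpose")] += 1
    return {peer: dict(counts) for peer, counts in found.items()}

def ca_failure_peers(summary):
    """Peers whose failure was reported against an issuer CA certificate."""
    return sorted(peer for peer, counts in summary.items() if "CA" in counts)

# Constructed sample log lines (hosts and addresses are documentation values).
SAMPLE_LOG = [
    "Jan 21 02:31:07 mail postfix/backend/smtp[95117]: CA certificate verification "
    "failed for mx1.example.com[192.0.2.10]:25: certificate has expired",
    "Jan 21 02:36:12 mail postfix/backend/smtp[95140]: CA certificate verification "
    "failed for mx1.example.com[192.0.2.10]:25: certificate has expired",
    "Jan 21 02:37:40 mail postfix/smtp[95200]: server certificate verification "
    "failed for mx2.example.net[198.51.100.7]:25: certificate has expired",
    "Jan 21 02:38:02 mail postfix/smtp[95201]: Untrusted TLS connection "
    "established to mx3.example.org[203.0.113.5]:25: TLSv1.2",
]

if __name__ == "__main__":
    for peer, counts in sorted(triage(SAMPLE_LOG).items()):
        for purpose, n in sorted(counts.items()):
            print(f"{peer}: {n}x {purpose} -> {HINTS[purpose]}")
```

As a rule of thumb (an assumption of this example, not a statement from the message), "CA" failures spread across many unrelated peers point at a shared stale certificate in the local trust store rather than at each remote chain.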