Fix for Postfix Certificate Verification Failed for Gmail Untrusted Issuer

Posted on April 19, 2013

postfix/smtp: certificate verification failed for[]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

If you’re seeing this too, there’s an easy fix.

The problem stems from the fact that Google changed certificate providers from Thawte to Equifax, and your mail system doesn’t recognize the Equifax certificate authority as valid. The solution is to add a copy of the Equifax certificate to Postfix’s local root certificate store. And while we’re at it, we may as well add Thawte’s as well.

Step 1: Back up your original root certificate store

Before messing with any of the settings, do the following to backup your original root certificate:

Step 2: Create local copies of Equifax and Thawte certificates

Using your favorite text editor, create a file called Equifax_Secure_CA.pem in the /etc/postfix/ssl directory. Paste the following into the file:

Next, create the new certificate file

Paste the following into that file

Step 3: Add the Equifax and Thawte certificates into your local root certificate file

Add the two new certificates into your local root certificate file with:

(the second command above adds a line break between the two certs in your local root cert file)

Step 4: Restart Postfix

Restart Postfix with:

Send a message through your SMTP server to a Gmail test address and you should no longer see those errors in your maillog


  • Adam Chng says:

    Thanks, helpful, but only worked for me after adding the following line to /etc/postfix/

    smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem

    and then restarting postfix.

  • Jorge_C says:

    Something happened to your formatting, it says > instead of >

Leave a Reply

Your email address will not be published.

Contact Us

Have a question? Send us a message. We'll get back to you soon.