When your Postfix server logs show "Untrusted TLS connection established to gmail-smtp-in.l.google.com", it means that while the connection is encrypted, Postfix doesn't trust the remote server's certificate. This is normal behavior when connecting to many mail servers (including Google's) because they often use certificates issued by CAs that aren't in Postfix's default trust store.
Despite the "untrusted" label in logs, your emails are still being transmitted over encrypted channels. The warning appears because:
- Google uses certificates from their own CA (not public CAs)
- Postfix by default doesn't have Google's CA in its trust store
- This is standard practice for many large email providers
While proper TLS setup is important, these factors have greater impact on whether Gmail marks your emails as spam:
# Essential DNS records you must have:
- A/AAAA records for your mail server
- PTR (reverse DNS) record matching your forward DNS
- MX records properly configured
- SPF record (TXT)
- DKIM signature
- DMARC policy (TXT)
While your current setup works, here's an optimized configuration:

```
# /etc/postfix/main.cf additions
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.your-domain.com/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
```
Use these commands to test your configuration:

```bash
# Check if port 25 (SMTP) is properly secured
openssl s_client -connect mail.your-domain.com:25 -starttls smtp
# Check submission port (587)
openssl s_client -connect mail.your-domain.com:587 -starttls smtp
# Verify certificate chain
openssl x509 -in /etc/letsencrypt/live/mail.your-domain.com/cert.pem -text -noout
```
To significantly improve deliverability:

- Implement DKIM signing with OpenDKIM:

  ```
  # /etc/opendkim.conf
  Domain your-domain.com
  KeyFile /etc/opendkim/keys/your-domain.com.private
  Selector mail
  Socket inet:8891@localhost
  ```

- Configure SPF record (TXT):

  ```
  "v=spf1 mx a:mail.your-domain.com -all"
  ```

- Set up DMARC policy:

  ```
  "v=DMARC1; p=none; rua=mailto:postmaster@your-domain.com"
  ```
Use these tools to check your server's reputation:
- Google Postmaster Tools (for Gmail-specific data)
- MXToolbox SuperTool
- Mail-Tester.com
- SenderScore.org
Remember that building good email reputation takes time. Even with perfect configuration, new IP addresses often need to "warm up" over several weeks.
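The SPF and DMARC records above are easy to get subtly wrong (a `+all` instead of `-all`, a `p=` value that is not one of the three allowed, a report address that is not a `mailto:` URI), and a receiver that cannot parse the record simply treats the domain as unauthenticated. The following is an added example, not code from the answer above: a small linter for SPF and DMARC TXT records following RFC 7208 and RFC 7489. The sample records at the bottom are constructed from the `your-domain.com` placeholders used in the answer.

```python
"""Lint SPF and DMARC TXT records before publishing them.

Added example, not from the original answer. The sample records at the bottom
are constructed from the placeholders the answer uses (your-domain.com).
Checks follow RFC 7208 (SPF) and RFC 7489 (DMARC).
"""
import re

MODIFIER_RE = re.compile(r"^[a-z][a-z0-9_.-]*=", re.IGNORECASE)   # redirect=..., exp=...
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr"}             # count toward the 10-lookup limit


def parse_spf(record):
    """Return (mechanisms, modifiers): a list of (qualifier, name, argument) and a dict."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if MODIFIER_RE.match(term):
            key, value = term.split("=", 1)
            modifiers[key.lower()] = value
            continue
        qualifier = "+"                     # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        mechanisms.append((qualifier, name.lower(), argument))
    return mechanisms, modifiers


def lint_spf(record):
    """Return a list of (level, message) findings; an empty list means nothing to fix."""
    mechanisms, modifiers = parse_spf(record)
    findings = []
    lookups = sum(1 for _, name, _ in mechanisms if name in LOOKUP_TERMS)
    lookups += 1 if "redirect" in modifiers else 0
    if lookups > 10:
        findings.append(("error", "more than 10 DNS-lookup terms: receivers return permerror"))
    if any(name == "ptr" for _, name, _ in mechanisms):
        findings.append(("warn", "'ptr' is deprecated and slow; use a/mx/ip4/ip6 instead"))
    terminal = mechanisms[-1] if mechanisms else None
    if terminal is None or terminal[1] != "all":
        if "redirect" not in modifiers:
            findings.append(("warn", "no terminal 'all': unlisted senders get a neutral result"))
    elif terminal[0] == "+":
        findings.append(("error", "'+all' authorises every host on the internet to send as this domain"))
    elif terminal[0] == "?":
        findings.append(("warn", "'?all' is neutral; prefer '~all' or '-all'"))
    return findings


def parse_dmarc(record):
    """Return DMARC tags as a dict of lower-case tag -> value, in record order."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Return a list of (level, message) findings for a DMARC record."""
    tags = parse_dmarc(record)
    findings = []
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        findings.append(("error", "record must start with v=DMARC1"))
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(("error", "p= must be one of none, quarantine, reject"))
    elif policy == "none":
        findings.append(("info", "p=none only monitors; spoofed mail is still delivered"))
    rua = tags.get("rua", "")
    if not rua:
        findings.append(("warn", "no rua= address: you will receive no aggregate reports"))
    elif not all(uri.strip().startswith("mailto:") for uri in rua.split(",")):
        findings.append(("error", "rua= entries must be mailto: URIs"))
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        findings.append(("error", "pct= must be an integer from 0 to 100"))
    return findings


if __name__ == "__main__":
    # Constructed sample records based on the placeholders used in the answer.
    for rec in ("v=spf1 mx a:mail.your-domain.com -all",
                "v=spf1 mx a:mail.your-domain.com +all",
                "v=DMARC1; p=none; rua=mailto:postmaster@your-domain.com"):
        linter = lint_spf if rec.lower().startswith("v=spf1") else lint_dmarc
        print(rec, "->", linter(rec) or "OK")
```

Run it against the exact strings you intend to publish; the `info` finding on `p=none` is a reminder that the monitoring policy should be tightened to `quarantine` or `reject` once the aggregate reports show only your own mail.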
When your Postfix server logs show "Untrusted TLS connection established to gmail-smtp-in.l.google.com", this indicates your server is accepting TLS connections but isn't properly validating the remote server's certificate. This doesn't necessarily mean your emails will be marked as spam, but it's part of a larger email authentication puzzle.
Your current setup is partially correct, but needs these crucial additions to /etc/postfix/main.cf:

```
# Enhanced TLS configuration
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = encrypt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
```
Create /etc/postfix/tls_policy with these contents:

```
# Force TLS for major providers
# Keys are next-hop destinations (the recipient domain), not MX host names;
# a leading dot matches subdomains of that domain.
gmail.com encrypt
outlook.com encrypt
.outlook.com encrypt
yahoo.com encrypt
.yahoo.com encrypt
```

Then compile it with:

```bash
sudo postmap /etc/postfix/tls_policy
```
Let's Encrypt certificates should work fine, but you must ensure the chain is complete. Test with:

```bash
openssl s_client -connect mail.your-domain.com:25 -starttls smtp -showcerts
```

Look for "Verify return code: 0 (ok)" in the output.
TLS alone won't solve deliverability issues. Implement these essential records in your DNS:

```
# SPF record
v=spf1 mx a:mail.your-domain.com -all
# DKIM record (example - actual will vary)
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
# DMARC record
v=DMARC1; p=none; rua=mailto:postmaster@your-domain.com
```
Use these tools to verify your setup:

```bash
# Test TLS connectivity
openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp
# Check email authentication
nslookup -type=TXT your-domain.com
```

After applying changes, watch logs for improvements:

```bash
sudo tail -f /var/log/mail.log | grep -i tls
```

You should now see entries like "Trusted TLS connection established" when communicating with properly configured mail servers.
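Grepping for "tls" shows individual handshakes, but what you actually want to know after the change is which outbound peers still never reach Trusted or Verified, and whether any peer is negotiating an obsolete protocol. The following is an added example, not code from the answer above: it parses the TLS handshake lines Postfix writes at `smtp_tls_loglevel = 1` and summarises them per peer. The log lines embedded in it are constructed to match that format, with IP addresses from documentation ranges rather than real mail servers.

```python
"""Summarise Postfix TLS handshake log lines by peer and trust level.

Added example, not from the original answer. SAMPLE_LOG is constructed to
match the format Postfix writes at smtp_tls_loglevel = 1; the IP addresses
are documentation ranges (RFC 5737), not real peers.
"""
import re
from collections import defaultdict

TLS_LINE = re.compile(
    r"postfix/(?P<proc>smtpd?)\[\d+\]: "
    r"(?P<trust>Untrusted|Trusted|Verified|Anonymous) TLS connection established "
    r"(?P<direction>to|from) (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)
WEAK_PROTOCOLS = {"TLSv1", "TLSv1.1"}   # deprecated by RFC 8996

SAMPLE_LOG = """\
Jun  3 10:15:22 mail postfix/smtp[2345]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[192.0.2.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun  3 10:15:23 mail postfix/smtp[2345]: 4F3A2B: to=<someone@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.27]:25, status=sent (250 2.0.0 OK)
Jun  3 10:16:01 mail postfix/smtp[2346]: Trusted TLS connection established to gmail-smtp-in.l.google.com[192.0.2.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun  3 10:17:45 mail postfix/smtp[2347]: Anonymous TLS connection established to mx.example.net[198.51.100.9]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Jun  3 10:18:10 mail postfix/smtpd[2350]: Anonymous TLS connection established from mail-a.example.org[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""


def parse_tls_line(line):
    """Return the fields of a TLS handshake log line as a dict, or None for other lines."""
    m = TLS_LINE.search(line)
    return m.groupdict() if m else None


def summarise(log_text):
    """Count handshakes per (direction, host) by trust level and record weak protocols."""
    summary = defaultdict(lambda: {"counts": defaultdict(int), "weak_protocols": set()})
    for line in log_text.splitlines():
        fields = parse_tls_line(line)
        if fields is None:
            continue                    # delivery status lines etc. are not handshakes
        entry = summary[(fields["direction"], fields["host"])]
        entry["counts"][fields["trust"]] += 1
        if fields["proto"] in WEAK_PROTOCOLS:
            entry["weak_protocols"].add(fields["proto"])
    return summary


def untrusted_only_peers(summary):
    """Outbound peers that never produced a Trusted or Verified handshake.

    After smtp_tls_CAfile points at the system bundle, these should disappear
    for any peer whose certificate chains to a public root.
    """
    peers = []
    for (direction, host), entry in summary.items():
        counts = entry["counts"]
        if direction == "to" and not (counts.get("Trusted", 0) or counts.get("Verified", 0)):
            peers.append(host)
    return sorted(peers)


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for (direction, host), entry in sorted(report.items()):
        print(direction, host, dict(entry["counts"]), "weak:", sorted(entry["weak_protocols"]))
    print("still untrusted:", untrusted_only_peers(report))
```

Feed it the output of `grep -i tls /var/log/mail.log` from before and after the change; the peer list returned by `untrusted_only_peers` should shrink to hosts whose certificates genuinely do not chain to anything in `ca-certificates.crt`, and a non-empty `weak_protocols` set is the cue to review the `smtp_tls_protocols` line in main.cf.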