Apparently Amazon SES changed their security cert about a week ago. I found out yesterday that ALL of my outgoing mail from my server has been bouncing. I took this opportunity to alter my Postfix config so that my mail sends mail via SES using an SMTP gateway. HOWEVER, I get a warning that the Amazon gateway is not trusted:
Code:
Oct 2 20:02:04 ip-10-64-70-28 postfix/pickup[2877]: D330110180: uid=33 from=<www-data>
Oct 2 20:02:04 ip-10-64-70-28 postfix/cleanup[3245]: D330110180: message-id=<20151002200204.D330110180@www.mydomain.com>
Oct 2 20:02:04 ip-10-64-70-28 postfix/qmgr[2878]: D330110180: from=<noreply@myplan.com>, size=1164, nrcpt=1 (queue active)
Oct 2 20:02:04 ip-10-64-70-28 postfix/error[3247]: D330110180: to=<someuser@example.com>, relay=none, delay=0.09, delays=0.05/0.01/0/0.03, dsn=4.7.5, status=deferred (delivery temporarily suspended: Server certificate not trusted)
I see in my Postfix main.cf that we use certain settings:
Code:
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/etc/postfix/password
smtp_sasl_security_options = noanonymous
#smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_security_level = secure
I'm guessing that for some reason, Amazon's cert is not trusted by /etc/ssl/certs/ca-certificates.crt. Does that sound right?
How does one solve this problem? There are bazillions of certs in /etc/ssl/certs.
Why would my server not trust email-smtp.us-east-1.amazonaws.com?
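
One way to test the guess in the post above, as an added example that is not part of the original post: read the effective `smtp_tls_CAfile` from main.cf and ask OpenSSL whether the relay's STARTTLS chain verifies against that bundle alone. The function names are hypothetical, the `openssl` CLI is assumed to be installed, and the host, port and main.cf path are supplied by you; with no arguments the script runs on a constructed sample of `s_client` output.

```shell
#!/bin/sh
# Added example: replay Postfix's trust inputs with OpenSSL to see whether the
# CA bundle named in main.cf can verify the relay's certificate chain.

# Print the effective (last uncommented) value of a main.cf parameter.
# Usage: param FILE NAME   (a line such as "#smtp_tls_CApath = ..." is ignored)
param() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Reduce `openssl s_client` output on stdin to "CODE:REASON".
verify_result() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) (\(.*\))$/\1:\2/p' | head -n 1
}

# Turn a CODE:REASON pair into a one-line diagnosis.
diagnose() {
    case "$1" in
        0:*) echo "chain verifies against this CA bundle" ;;
        "")  echo "no verify result (handshake did not complete)" ;;
        *)   echo "chain NOT trusted: ${1#*:}" ;;
    esac
}

# Live check: STARTTLS to HOST:PORT, trusting only the CAs in CAFILE.
# Usage: check_relay HOST PORT CAFILE
check_relay() {
    openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" \
        -CAfile "$3" </dev/null 2>/dev/null | verify_result
}

# Constructed sample of s_client output for a chain whose issuer is missing
# from the bundle (the situation the post suspects).
SAMPLE_OUTPUT='    Verify return code: 20 (unable to get local issuer certificate)'

if [ "$#" -eq 3 ]; then          # arguments: HOST PORT MAIN_CF
    cafile=$(param "$3" smtp_tls_CAfile)
    diagnose "$(check_relay "$1" "$2" "$cafile")"
else                             # offline demo on the constructed sample
    diagnose "$(printf '%s\n' "$SAMPLE_OUTPUT" | verify_result)"
fi
```

This only exercises the chain-of-trust half of `smtp_tls_security_level = secure`; if the result is code 0, the bundle is not the problem and the certificate name match is the next thing to check.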