certificate verification failed for alt2.gmail-smtp-in.l.google.com

njules

Hello community,
since last week I’m not able to send mails to google (gmail.com). The error says
certificate verification failed for alt1.gmail-smtp-in.l.google.com[172.253.116.27]:25: untrusted issuer /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
although a docker-compose exec postfix-mailcow openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp -CApath /etc/ssl/certs gives back Verify return code: 0 (ok)
I’m using an official wildcard certificate which is also implemented in an other Mailserver (Proxmox Mailgateway and unrelated to this mailrouting).
Complete errormessage:

01.12.2025, 11:21:50    info    4D594C0B4C: to=<anon1@gmail.com>, relay=alt2.gmail-smtp-in.l.google.com[173.194.76.26]:25, delay=239803, delays=239802/0.13/0.92/0, dsn=4.7.5, status=deferred (Server certificate not verified)
01.12.2025, 11:21:50	info	2A79BC0AAD: to=<anon2@gmail.com>, relay=alt2.gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=429108, delays=429107/0.08/0.97/0, dsn=4.7.5, status=deferred (Server certificate not verified)
01.12.2025, 11:21:50	info	4E29AC0B52: to=<anon2@gmail.com>, relay=alt2.gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=240573, delays=240572/0.07/0.94/0, dsn=4.7.5, status=deferred (Server certificate not verified)
01.12.2025, 11:21:50	info	Untrusted TLS connection established to alt2.gmail-smtp-in.l.google.com[173.194.76.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
01.12.2025, 11:21:50	info	certificate verification failed for alt2.gmail-smtp-in.l.google.com[173.194.76.26]:25: untrusted issuer /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
01.12.2025, 11:21:50	info	Untrusted TLS connection established to alt2.gmail-smtp-in.l.google.com[173.194.76.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
01.12.2025, 11:21:50	info	certificate verification failed for alt2.gmail-smtp-in.l.google.com[173.194.76.27]:25: untrusted issuer /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
01.12.2025, 11:21:50	info	Untrusted TLS connection established to alt2.gmail-smtp-in.l.google.com[173.194.76.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
01.12.2025, 11:21:50	info	certificate verification failed for alt2.gmail-smtp-in.l.google.com[173.194.76.27]:25: untrusted issuer /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
01.12.2025, 11:21:50	info	connect to alt1.gmail-smtp-in.l.google.com[2a00:1450:400b:c02::1a]:25: Network is unreachable
01.12.2025, 11:21:50	info	2A79BC0AAD: Server certificate not verified
01.12.2025, 11:21:50	info	Untrusted TLS connection established to alt1.gmail-smtp-in.l.google.com[172.253.116.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
01.12.2025, 11:21:50	info	certificate verification failed for alt1.gmail-smtp-in.l.google.com[172.253.116.27]:25: untrusted issuer /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
01.12.2025, 11:21:50	info	connect to alt1.gmail-smtp-in.l.google.com[2a00:1450:400b:c02::1b]:25: Network is unreachable
01.12.2025, 11:21:50	info	4D594C0B4C: Server certificate not verified
01.12.2025, 11:21:50	info	Untrusted TLS connection established to alt1.gmail-smtp-in.l.google.com[172.253.116.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
01.12.2025, 11:21:50	info	certificate verification failed for alt1.gmail-smtp-in.l.google.com[172.253.116.27]:25: untrusted issuer /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

Any help is appreciated!
Thanks

njules

ETNyx

We do not see into your system, but your test using openssl may be false positive. MC postfix use /etc/ssl/certs/ca-certificates.crt for validating CA, your test use -CApath /etc/ssl/certs that may be different set, so check this,…

njules

Output of docker-compose exec postfix-mailcow openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp -CAfile /etc/ssl/certs/ca-certificates.crt

CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WR2
verify return:1
depth=0 CN = mx.google.com
verify return:1
---
Certificate chain
 0 s:CN = mx.google.com
   i:C = US, O = Google Trust Services, CN = WR2
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 27 08:34:55 2025 GMT; NotAfter: Jan 19 08:34:54 2026 GMT
 1 s:C = US, O = Google Trust Services, CN = WR2
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGxDCCBaygAwIBAgIRAPIQ/KJgr09AEEHtj41dnoQwDQYJKoZIhvcNAQELBQAw
OzELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczEM
MAoGA1UEAxMDV1IyMB4XDTI1MTAyNzA4MzQ1NVoXDTI2MDExOTA4MzQ1NFowGDEW
MBQGA1UEAxMNbXguZ29vZ2xlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
BJOqfkovUfK2DZII3DkzEEcFeoWxWuAcyt2CieyE4FQsAhJM7vNzXax76MOl3aOb
rReRqjgalsQhX4Lv2GD082ujggSvMIIEqzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0l
BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUEdgObEUkoHck
9HQDpFSFxA3TpPwwHwYDVR0jBBgwFoAU3hse7XkV1D43JMMhu+w0OW1CsjAwWAYI
KwYBBQUHAQEETDBKMCEGCCsGAQUFBzABhhVodHRwOi8vby5wa2kuZ29vZy93cjIw
JQYIKwYBBQUHMAKGGWh0dHA6Ly9pLnBraS5nb29nL3dyMi5jcnQwggKGBgNVHREE
ggJ9MIICeYINbXguZ29vZ2xlLmNvbYIPc210cC5nb29nbGUuY29tghJhc3BteC5s
Lmdvb2dsZS5jb22CF2FsdDEuYXNwbXgubC5nb29nbGUuY29tghdhbHQyLmFzcG14
LmwuZ29vZ2xlLmNvbYIXYWx0My5hc3BteC5sLmdvb2dsZS5jb22CF2FsdDQuYXNw
bXgubC5nb29nbGUuY29tghpnbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIfYWx0
MS5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIfYWx0Mi5nbWFpbC1zbXRwLWlu
LmwuZ29vZ2xlLmNvbYIfYWx0My5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIf
YWx0NC5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIYZ21yLXNtdHAtaW4ubC5n
b29nbGUuY29tgh1hbHQxLmdtci1zbXRwLWluLmwuZ29vZ2xlLmNvbYIdYWx0Mi5n
bXItc210cC1pbi5sLmdvb2dsZS5jb22CHWFsdDMuZ21yLXNtdHAtaW4ubC5nb29n
bGUuY29tgh1hbHQ0Lmdtci1zbXRwLWluLmwuZ29vZ2xlLmNvbYINbXgxLnNtdHAu
Z29vZ4INbXgyLnNtdHAuZ29vZ4INbXgzLnNtdHAuZ29vZ4INbXg0LnNtdHAuZ29v
Z4IVYXNwbXgyLmdvb2dsZW1haWwuY29tghVhc3BteDMuZ29vZ2xlbWFpbC5jb22C
FWFzcG14NC5nb29nbGVtYWlsLmNvbYIVYXNwbXg1Lmdvb2dsZW1haWwuY29tghFn
bXItbXguZ29vZ2xlLmNvbTATBgNVHSAEDDAKMAgGBmeBDAECATA2BgNVHR8ELzAt
MCugKaAnhiVodHRwOi8vYy5wa2kuZ29vZy93cjIvNzVyNFp5QTN2QTAuY3JsMIIB
AwYKKwYBBAHWeQIEAgSB9ASB8QDvAHUAFoMtq/CpJQ8P8DqlRf/Iv8gj0IdL9gQp
J/jnHzMT9foAAAGaJQVR8AAABAMARjBEAiAJWz8Qurtds6H59E08MR9tWtKFOgvC
TYUQ8jDgCmyLMAIgNyEtg9ws/gumLRvdqOt+CIXxN9B0SPO+ivhac6Auv/oAdgCW
l2S/VViXrfdDh2g3CEJ36fA61fak8zZuRqQ/D8qpxgAAAZolBVIDAAAEAwBHMEUC
IQDgUWpxxqKZtert1NjWeBma+qS+09KA64wsyjy5bYLhtgIgE9xW0abwsWxPaOWu
KzrvT73d+t9rq0WzQoIF7CMzf7swDQYJKoZIhvcNAQELBQADggEBAFPuFE7gszeT
zxIhELAguOU2OcGrhLnj69UzYadL8Tj/0hk6PAptDLb9mOxVfqhFt1BQ7KhQvfeu
gAv75Rsbq+jnFPZVDLF373aqDm8oa5y/RADRr74COPDpLVoeF+dF16BZZRVc5i0M
ylcNhQGWh8NPd3lE7H2Xx59oMkhlRD9uETu/lOU1ufKscHUruVAuVDxaX2tBW9Mw
WVERn0+CdcaiMDaOHTJ7FIsWutF8eVJtjIjZTRitoPelDHK7Vc8X6t3D5AgJfs2j
pyswLQ1u5olDzxBc3WRLvnASceNHmsg1OKJxtE4DYKqzBeQ0L/MQymZDkbPv0uVd
ihWuCCXZtp0=
-----END CERTIFICATE-----
subject=CN = mx.google.com
issuer=C = US, O = Google Trust Services, CN = WR2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5002 bytes and written 445 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 SMTPUTF8

I can’t see a problem here…

Edit: My containers are all up to date using stable updates (master) running on Ubuntu 22.04.5 LTS.
Additional errormessage (adresses anonymized):

Reporting-MTA: dns; mx2.mydomain.de
X-Postcow-Queue-ID: 3AB6EC0B70
X-Postcow-Sender: rfc822; njules_notactualemailaddress@mydomain.de
Arrival-Date: Mon,  1 Dec 2025 09:13:09 +0100 (CET)

Final-Recipient: rfc822; njules_notactualemailaddress@gmail.com
Original-Recipient: rfc822;njules_notactualemailaddress@gmail.com
Action: failed
Status: 5.7.5
Diagnostic-Code: X-Postcow; Server certificate not verified

njules

I’ve noticed that the compose file (docker-compose.yml) maps ./data/assets/ssl:/etc/ssl/mail/:ro,z to the postfix-container, but the postfix main.conf uses smtp_tls_CApath=/etc/ssl/certs. So I’ve copied /etc/ssl/mail/ca-certificates.crt to /etc/ssl/certs/ca-certificates.crt. For now the connection to Google can be established again and my mails are correctly sent.