The Gmail Red Lock Problem: Encrypting Outbound Email


New Member
May 16, 2023
Hi all,
I've finally configured my Exchange 2019 server to send mail through PMG instead of direct to internet. I'm able to send and receive email, however, the messages I send out are not being encrypted, and I only know this because one of the email addresses I'm testing is a gmail address, and it shows the unlocked red lock icon, depicting an unencrypted message.

Here's some of the troubleshooting I've done:
  • Added PMG and Exchange servers to each other's certificates
  • Enabled and disabled Enable TLS
  • Added Exchange's public IP to trusted network (not sure this is safe, so I removed it)
  • And of course, restarting services on both servers
I'm stumped about what's gone wrong; prior to making PMG the outbound gateway, Exchange was sending encrypted messages directly to the internet, using the ACME-generated cert on that server.

Any help trying to figure out what I've done wrong, and details about potential fixes or options I might take to fix the problem.

Very much appreciated.
* Please share the logs of such an email - as well as the tls parts of your /etc/pmg/pmg.conf
* Do you have any modifications to the PMG (especially overrides of config templates - and there especially of the postfix config)?

As far as I can tell (after a very short search) the 'unlocked red lock' icon indeed refers to not having TLS when sending the mail (something that PMG enables with default config when clicking on enable TLS in the GUI).

I currently don't think that gmail would add this symbol just because the certificate is not trusted by a well-known CA (i.e. self-signed), but you can always use PMG's ACME implementation to get a certificate from Let's Encrypt.

I hope this helps!
Thanks for your reply. The important thing I needed to affirm was enabling TLS and renewing a cert using ACME. I did this already, but I was still not sending encrypted mail. I've re-configured it, rebooted the server and will try testing with a test message after 24 hours, just to see what happens next.
If that fails, I'll share my logs next.
Thanks for your quick response.
  • Like
Reactions: Stoiko Ivanov
Here's a question @Stoiko Ivanov : does the PMG certificate generated by lets encrypt need to be added to the Exchange server, and vice versa?
Really not sure as I don't have any experience with Exchange - but a few pointers:
* Let's Encrypt Certificates are trusted by all/most current Operating Systems and Browsers (their root-certificate is in the relevant truststores)
* For older versions (I'm talking > 5years) that might not be the case (which is why Let's encrypt had a cross-singed root from another CA, which has been around longer)
* In general for SMTP+STARTTLS in my experience the trustedness of certificates is not enforced per default (as the alternative would be to fall-back to plaintext communication)
* The Exchange logs should have a pointer that there is an issue with certificate trust
* the PMG logs of such a mail could also provide a pointer as to what is going wrong


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!