451 4.7.5 Error: Remote Node SSL Certificate Not Signed by a Valid CA When Using Salesforce Email Relay

To resolve this SSL certificate error, you need to identify and fix the certificate chain issue on the MTA.
Step 1 — Check the Certificate Chain Online
If the MTA is accessible from the internet, use an online SSL checker tool to identify missing or expired intermediate certificates:

• SSL Shopper SSL Checker
• SSL Labs Server Test

Enter your MTA hostname in the tool. Look for any warnings about missing, expired, or untrusted intermediate certificates in the chain.
Step 2 — Check Internally Using OpenSSL
If external tools cannot reach the MTA, use OpenSSL from an internal server to inspect the certificate chain:
Run the following command, replacing the hostname and port with your MTA's details:
openssl s_client -showcerts -connect [your-mta-hostname]:443
Review the output for errors such as "unable to verify the first certificate" or "certificate has expired". These indicate a broken or incomplete certificate chain.
Step 3 — Resolve the Certificate Issue
Work with your email or IT team to take one of the following actions on the MTA:

• Install the missing intermediate certificate from your CA provider.
• Renew the expired SSL certificate.
• Rebuild the full certificate chain in the correct order (Root CA > Intermediate CA > Leaf Certificate).

Once the certificate chain is corrected on the MTA, Salesforce Email Relay connections using TLS Required or Required Verify should resume successfully.