https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253060
--- Comment #3 from Michael Osipov <michael.osi...@siemens.com> --- I have played around a bit what Leo has written. The patch cannot be applied as such. If /etc/ssl/cert.pem does not exist sendmail will say: > Jul 8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=client: file > /etc/ssl/cert.pem unsafe: No such file or directory > Jul 8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=client, error: load > verify locs /etc/ssl/certs, /etc/ssl/cert.pem failed: 0 > Jul 8 14:32:44 deblndw013x3j sm-mta[90513]: STARTTLS=client, > relay=mail2.siemens.de., version=TLSv1.2, verify=FAIL, > cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256 Even if /etc/ssl/certs will contain valid hashed links. Now if you consider to prepend a dnl because you don't have such a file it will fail also. The only valid options I see are * to leave confCACERT as-is and fix confCACERT_PATH only * tell sendmail not to verify any paths and leave it to OpenSSL which will do the right thing. With that you can drop confCACERT if it does not exist * apply libfetch's approach and set default's if neither is set: https://github.com/freebsd/freebsd-src/blob/373ffc62c158e52cde86a5b934ab4a51307f9f2e/lib/libfetch/common.c#L1105-L1109 So this does work for me now: > define(`confCACERT', `CERT_DIR/cacert.pem')dnl > define(`confCACERT_PATH', `/etc/ssl/certs')dnl output: > Jul 8 14:51:27 deblndw013x3j sm-mta[90897]: STARTTLS=client, > relay=mail3.siemens.de., version=TLSv1.2, verify=OK, > cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256 I prefer option 2 AND 3 -- You are receiving this mail because: You are the assignee for the bug.
