On Saturday 10 April 2010, Eray Aslan wrote:
> On 10.04.2010 11:08, Mick wrote:
> > Apr 9 21:45:47 my_box sendmail[4013]: STARTTLS=client, relay=smtp.comcast.net,
> > version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
> >
> > Any idea why this is happening?
>
> Nothing to worry about. It just means you do not trust the certificate
> issuer for smtp.comcast.net. For smtp delivery, this is perfectly fine.
> See below:
>
> $ openssl s_client -connect smtp.comcast.net:25 -starttls smtp
> [...]
> SSL-Session:
> [...]
> Verify return code: 20 (unable to get local issuer certificate)
>
> versus when I tell it to trust some CAs (including verisign) on the
> local machine:
>
> $ openssl s_client -connect smtp.comcast.net:25 -starttls smtp -CApath /etc/ssl/certs/
> [...]
> SSL-Session:
> [...]
> Verify return code: 0 (ok)
That's very interesting; I have puzzled about STARTTLS stuff for years! How do I make sendmail trust the CAs? At the moment my sendmail.mc looks like:

define(`CERT_DIR',`/etc/mail/certs')
define(`confCACERT_PATH',`CERT_DIR')
define(`confCACERT',`CERT_DIR/cacert.pem')
define(`confSERVER_CERT',`CERT_DIR/cert.pem')
define(`confSERVER_KEY',`CERT_DIR/key.pem')
define(`confCLIENT_CERT',`CERT_DIR/cert.pem')
define(`confCLIENT_KEY',`CERT_DIR/key.pem')

where I made the certs with the TinyCA package.

TIA
-Robin
--
----------------------------------------------------------------------
Robin Atwood.
"Ship me somewheres east of Suez, where the best is like the worst,
Where there ain't no Ten Commandments an' a man can raise a thirst"
from "Mandalay" by Rudyard Kipling
----------------------------------------------------------------------
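The check Eray ran by hand, as an added script that is not part of the thread or of sendmail: it runs `openssl s_client -starttls smtp` with a CA directory and turns the `Verify return code` line into a pass/fail result, since s_client's own exit status is 0 whether or not the chain verified. The reason Robin's setup logs `verify=FAIL` is visible in his sendmail.mc: `confCACERT_PATH` points at `/etc/mail/certs`, which holds only his own TinyCA certificate, so nothing there can vouch for smtp.comcast.net's issuer. Both `-CApath` and sendmail's `confCACERT_PATH` expect a directory of CA certificates in OpenSSL's hashed layout (built with `c_rehash` or, on newer OpenSSL, `openssl rehash`); `confCACERT` remains a single PEM file. The path `/etc/ssl/certs` is taken from Eray's command and is an assumption about where the system CA bundle lives.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Verifies a STARTTLS
# peer's certificate chain against a CA directory, the way Eray's
# s_client run does, and reports the result the way sendmail logs it.
#
# For sendmail to reach the same "verify=OK", point confCACERT_PATH at a
# hashed CA directory instead of the private TinyCA directory, e.g.
# (illustrative, assumes /etc/ssl/certs holds the system CAs):
#
#   define(`confCACERT_PATH',`/etc/ssl/certs')
#   define(`confCACERT',`/etc/ssl/certs/ca-certificates.crt')
#
# and run `c_rehash /etc/ssl/certs` (or `openssl rehash`) if the hash
# symlinks are not already present.

# Read s_client output on stdin and print the numeric verify code from the
# "Verify return code: N (...)" line: 0 means the chain verified, 20 is
# "unable to get local issuer certificate". Prints nothing if the line is
# absent (no TLS session was established).
verify_code_from_output() {
    sed -n 's/^[[:space:]]*Verify return code:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Translate the code into sendmail's vocabulary: only 0 is verify=OK,
# every other code is what shows up as verify=FAIL in the log.
verify_label() {
    case "$1" in
        0)  echo "OK" ;;
        '') echo "NO_TLS" ;;   # STARTTLS not offered, or handshake failed
        *)  echo "FAIL" ;;
    esac
}

# check_starttls HOST [PORT] [CAPATH]
# Prints "host:port verify=LABEL (openssl code: N)" and succeeds only on OK.
check_starttls() {
    host=$1
    port=${2:-25}
    capath=${3:-/etc/ssl/certs}   # assumption: system CA dir, hashed layout
    # </dev/null ends the SMTP session right after the handshake. We parse
    # the session block rather than $? because s_client exits 0 even when
    # verification fails.
    out=$(openssl s_client -connect "$host:$port" -starttls smtp \
              -CApath "$capath" </dev/null 2>/dev/null)
    code=$(printf '%s\n' "$out" | verify_code_from_output)
    label=$(verify_label "$code")
    echo "$host:$port verify=$label (openssl code: ${code:-none})"
    [ "$label" = OK ]
}

# Usage: ./check_starttls.sh smtp.comcast.net 25 /etc/ssl/certs
if [ $# -gt 0 ]; then
    check_starttls "$@"
fi
```

Note that a `verify=OK` line only means the chain validated; sendmail still delivers on `verify=FAIL` unless the access map requires otherwise (a `TLS_Srv:` entry with `VERIFY` for that relay), so the script is a diagnostic, not an enforcement point.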