On Saturday 10 April 2010 16:32:37 Eray Aslan wrote:
> On 10.04.2010 18:12, Robin Atwood wrote:
> > That's very interesting, I have puzzled about STARTTLS stuff for years!
> > How do I make sendmail trust the CAs?
>
> This is neither necessary nor recommended for TLS.
Why would that be?

> > define(`CERT_DIR',`/etc/mail/certs')
> > define(`confCACERT_PATH',`CERT_DIR')
> > define(`confCACERT',`CERT_DIR/cacert.pem')
> > define(`confSERVER_CERT',`CERT_DIR/cert.pem')
> > define(`confSERVER_KEY',`CERT_DIR/key.pem')
> > define(`confCLIENT_CERT',`CERT_DIR/cert.pem')
> > define(`confCLIENT_KEY',`CERT_DIR/key.pem')
>
> These 3 files (cacert.pem, cert.pem, key.pem) are for your own server.
> It has been a while since I used sendmail, but adding CA certificates to
> CACERT_PATH should make sendmail trust them.
>
> Again, this is contrary to "best practices". Do not trust third party
> CA certificates unnecessarily. It might come back and bite you.

Can you please explain this?
-- 
Regards,
Mick
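An added example, not part of the thread or of sendmail itself, on the mechanics behind "adding CA certificates to CACERT_PATH": sendmail hands confCACERT_PATH to OpenSSL as a CApath directory, and OpenSSL only finds certificates in such a directory under hashed file names (`<subject-hash>.<n>`), so dropping a PEM file into /etc/mail/certs is not enough on its own. The script below shows the hashing step by hand (the packaged `c_rehash` / `openssl rehash` tools do the same thing) and checks the result with `openssl verify`. The function names, the directory and the "Demo CA" certificate are assumptions for the demo; it only installs a CA you deliberately choose, which is what the reply above is talking about for your own server.

```shell
#!/bin/sh
# Added example (not from the thread, not sendmail's own code).
# Demonstrates why a CA file in confCACERT_PATH needs a hashed link:
# OpenSSL's CApath lookup opens "<subject-hash>.<n>", nothing else.
set -eu

# install_ca PEMFILE CAPATH
# Copies the CA certificate into CAPATH and creates the <hash>.<n> symlink
# that OpenSSL (and therefore sendmail's confCACERT_PATH lookup) uses to
# find it. Prints the name of the link it created.
install_ca() {
    pem="$1"
    capath="$2"
    mkdir -p "$capath"
    base=$(basename "$pem")
    cp "$pem" "$capath/$base"
    # Subject name hash, the same value OpenSSL computes when searching CApath.
    hash=$(openssl x509 -noout -hash -in "$pem")
    n=0
    # Several CAs can share a hash; OpenSSL tries .0, .1, ... in turn.
    while [ -e "$capath/$hash.$n" ]; do
        n=$((n + 1))
    done
    ln -s "$base" "$capath/$hash.$n"
    echo "$hash.$n"
}

# verify_against CAPATH CERTFILE
# Returns 0 if CERTFILE chains to (or is) a trusted CA found in CAPATH,
# non-zero otherwise. This is the check sendmail's TLS code performs.
verify_against() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demo: a throwaway self-signed "Demo CA" (constructed here,
# assumption for the example) first copied without a hash link, then
# installed properly.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -nodes -newkey rsa:2048 -subj "/CN=Demo CA" -days 1 \
        -keyout "$tmp/key.pem" -out "$tmp/cacert.pem" >/dev/null 2>&1
    mkdir -p "$tmp/certs"
    cp "$tmp/cacert.pem" "$tmp/certs/"
    if verify_against "$tmp/certs" "$tmp/cacert.pem"; then
        echo "unexpected: unhashed copy was found"
    else
        echo "unhashed copy in CApath is ignored, as expected"
    fi
    link=$(install_ca "$tmp/cacert.pem" "$tmp/certs")
    echo "created $link"
    verify_against "$tmp/certs" "$tmp/cacert.pem" && echo "now trusted"
    rm -rf "$tmp"
}

# Uncomment to run the demo directly:
# demo
```

Usage note: on a real sendmail host the same sequence is `install_ca /path/to/your-ca.pem /etc/mail/certs` followed by a restart; if the link is missing, sendmail still starts and still offers STARTTLS, it just never verifies anything against that CA, which is easy to miss because opportunistic TLS looks the same either way.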