On 10.04.2010 18:12, Robin Atwood wrote:
> That's very interesting, I have puzzled about STARTTLS stuff for years! How do
> I make sendmail trust the CAs?

This is neither necessary nor recommended for TLS.

> define(`CERT_DIR',`/etc/mail/certs')
> define(`confCACERT_PATH',`CERT_DIR')
> define(`confCACERT',`CERT_DIR/cacert.pem')
> define(`confSERVER_CERT',`CERT_DIR/cert.pem')
> define(`confSERVER_KEY',`CERT_DIR/key.pem')
> define(`confCLIENT_CERT',`CERT_DIR/cert.pem')
> define(`confCLIENT_KEY',`CERT_DIR/key.pem')

These 3 files (cacert.pem, cert.pem, key.pem) are for your own server.

It has been a while since I used sendmail, but adding CA certificates to
CACERT_PATH should make sendmail trust them. Again, this is contrary to "best
practices". Do not trust third-party CA certificates unnecessarily. It might
come back and bite you.

--
Eray
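
An added example, not part of the original message or of sendmail itself: a small audit that expands the quoted m4 defines, counts the distinct CA certificates the configuration points at, and flags key files readable by group or others. The function names (`resolve_defines`, `audit`) are hypothetical, and the example assumes OpenSSL's hashed-directory naming (`<8 hex digits>.<n>`) for lookups in confCACERT_PATH.

```python
import os, re, stat

DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`([^']*)'\)")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
HASHED_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")  # assumed OpenSSL hashed-dir file name

def resolve_defines(mc_text):
    """Expand simple m4 defines in file order (e.g. CERT_DIR inside later values)."""
    macros = {}
    for name, value in DEFINE_RE.findall(mc_text):
        for known, expansion in macros.items():
            value = re.sub(r"\b%s\b" % re.escape(known), lambda m, e=expansion: e, value)
        macros[name] = value
    return macros

def _pem_bodies(path):
    """Return the whitespace-stripped base64 bodies of all PEM certificates in a file."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return {"".join(body.split()) for body in PEM_RE.findall(fh.read())}

def audit(mc_text, root="/"):
    """Return (set of distinct trusted CA cert bodies, list of findings)."""
    macros = resolve_defines(mc_text)
    local = lambda p: os.path.join(root, p.lstrip("/"))  # root lets tests use a temp tree
    cas, findings = set(), []
    ca_file = macros.get("confCACERT")
    if ca_file and os.path.isfile(local(ca_file)):
        cas |= _pem_bodies(local(ca_file))
    ca_dir = macros.get("confCACERT_PATH")
    if ca_dir and os.path.isdir(local(ca_dir)):
        for name in sorted(os.listdir(local(ca_dir))):
            if HASHED_RE.match(name):  # cert.pem / key.pem in the same dir are skipped
                cas |= _pem_bodies(os.path.join(local(ca_dir), name))
    for key_macro in ("confSERVER_KEY", "confCLIENT_KEY"):
        key = macros.get(key_macro)
        if key and os.path.isfile(local(key)):
            mode = stat.S_IMODE(os.stat(local(key)).st_mode)
            if mode & 0o077:
                findings.append("%s %s is mode %o (group/other access)" % (key_macro, key, mode))
    return cas, findings

# The defines quoted in the message above.
SAMPLE_MC = """define(`CERT_DIR',`/etc/mail/certs')
define(`confCACERT_PATH',`CERT_DIR')
define(`confCACERT',`CERT_DIR/cacert.pem')
define(`confSERVER_KEY',`CERT_DIR/key.pem')
define(`confCLIENT_KEY',`CERT_DIR/key.pem')
"""

if __name__ == "__main__":
    cas, findings = audit(SAMPLE_MC)
    print(len(cas), "distinct trusted CA certificate(s)")
    for f in findings:
        print("finding:", f)
```

A count higher than the one CA that signed your own certificate means the directory has picked up third-party CAs, which is the situation the reply advises against.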