CACertFile

File containing certificate authority certs V8.11 and later

STARTTLS and stream encryption are discussed in detail in Section 10.10. Among the items you must provide is a file that contains the certificate of the authority that signed your local server (ServerCertFile) and client (ClientCertFile) certificates. This certificate authority (CA) certificate contains information (the distinguished name, or DN) that is sent to a connecting or connected-to site. The location of the CA certificate file is specified with this CACertFile option, using a declaration that looks like this:

 O CACertFile=path                configuration file (V8.11 and later)
 -OCACertFile=path                command line (V8.11 and later)
 define(`confCACERT',`path')      mc configuration (V8.11 and later)

Here, path is a full path specification of the file containing the CA certificate. The path can contain sendmail macros, and if so, those macros will be expanded (their values used) when the configuration file, or command line, is read:

 define(`confCACERT', `${MyCERTPath}/CAcert.pem') 
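The CACertFile option rarely stands alone: the text above refers to the server and client certificates it must validate and to the CACertPath directory that is searched alongside it. The following mc fragment, added here as an example and not taken from the book, shows those related definitions together. The directory name /etc/mail/certs and the file names are assumptions for illustration; only the confCACERT macro itself appears in the text above.

```m4
dnl Added example, not from the sendmail book.  Paths under /etc/mail/certs
dnl are assumed for illustration; pick a directory that satisfies the
dnl "safe" rules (every component writable only by root or the TrustedUser).
define(`confCACERT_PATH', `/etc/mail/certs')
define(`confCACERT',      `/etc/mail/certs/CAcert.pem')
define(`confSERVER_CERT', `/etc/mail/certs/server.pem')
define(`confSERVER_KEY',  `/etc/mail/certs/server.key')
define(`confCLIENT_CERT', `/etc/mail/certs/client.pem')
define(`confCLIENT_KEY',  `/etc/mail/certs/client.key')
dnl A relative name such as `certs/CAcert.pem', or a file under a
dnl world-writable directory such as /tmp, would be rejected as unsafe.
```

Each value is a full path beginning with a slash, as the option requires; sendmail expands any macros in the value when it reads the configuration, so a site-wide prefix can be factored into a macro as the text shows.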

The path must be a full pathname (it must begin with a slash). It must also live in a safe directory (every component of which is writable only by root or the trusted user specified in the TrustedUser option), and the file itself must be safe (owned by, and writable only by, root or that trusted user). If it is not, it will be rejected and the following error logged:

 STARTTLS=server: file path unsafe: reason
 STARTTLS=client: file path unsafe: reason
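Rather than waiting for sendmail to log "file path unsafe", an administrator can apply the same rules beforehand. The following shell script is an added example written for this page; it is not sendmail's own code and only mirrors the rules stated in the text (absolute path, every directory component and the file itself owned by root or the trusted user and writable by nobody else). It assumes a GNU or busybox stat(1), with BSD stat as a fallback, and follows symlinks like stat(2) does. The optional STOP_DIR argument is an addition for demonstrating the check on a scratch tree; sendmail itself always walks all the way to /.

```shell
#!/bin/sh
# Added example (not from the sendmail book or the sendmail source): an
# approximation of the "safe file" test applied to CACertFile.
# Assumptions: GNU/busybox stat (BSD stat tried as a fallback); symlinks are
# followed; TrustedUser is given as a numeric uid.

# Print "<owner uid> <octal mode>" for a path.
file_uid_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %OLp' "$1" 2>/dev/null
}

# check_safe_path PATH [TRUSTED_UID] [STOP_DIR]
#   PATH         file to check; must be absolute
#   TRUSTED_UID  uid of the TrustedUser option (root, uid 0, always passes)
#   STOP_DIR     ancestor at which to stop walking upward (default "/").
#                sendmail always walks to "/"; this parameter exists only so
#                the check can be exercised on a scratch tree whose parents
#                (for example a world-writable /tmp) would otherwise fail it.
# Prints "PATH unsafe: REASON" and returns 1 on the first violation, 0 if safe.
check_safe_path() {
    path=$1
    trusted=${2:-0}
    stop=${3:-/}

    case $path in
        /*) ;;
        *)  echo "$path unsafe: not an absolute path"; return 1 ;;
    esac
    if [ ! -f "$path" ]; then
        echo "$path unsafe: not a regular file"; return 1
    fi

    # Check the file, then each enclosing directory up to STOP_DIR or "/".
    cur=$path
    while :; do
        set -- $(file_uid_mode "$cur")        # $1 = owner uid, $2 = octal mode
        if [ -z "$2" ]; then
            echo "$path unsafe: cannot stat $cur"; return 1
        fi
        if [ "$1" -ne 0 ] && [ "$1" -ne "$trusted" ]; then
            echo "$path unsafe: $cur owned by uid $1, not root or uid $trusted"
            return 1
        fi
        # 022 (octal) selects the group-write and other-write bits.
        if [ $(( 0$2 & 022 )) -ne 0 ]; then
            echo "$path unsafe: $cur is group- or world-writable (mode $2)"
            return 1
        fi
        [ "$cur" = "$stop" ] && break
        [ "$cur" = "/" ] && break
        cur=$(dirname "$cur")
    done
    return 0
}

# Demonstration on a constructed scratch tree (removed afterwards).
demo() {
    base=$(mktemp -d) || return 1
    me=$(id -u)
    mkdir -p "$base/certs"
    : > "$base/certs/CAcert.pem"
    chmod 700 "$base" "$base/certs"
    chmod 644 "$base/certs/CAcert.pem"

    echo "-- correct ownership and modes:"
    check_safe_path "$base/certs/CAcert.pem" "$me" "$base" && echo "accepted"

    echo "-- group-writable directory component:"
    chmod 775 "$base/certs"
    check_safe_path "$base/certs/CAcert.pem" "$me" "$base" || echo "rejected"

    rm -rf "$base"
}
demo
```

The directory walk matters more than the file check: a correctly owned, mode 0644 certificate under a group-writable directory is still rejected, because anyone with write access to the directory could replace the file. Run the script with the uid of your TrustedUser as the second argument and, in production, omit the third argument so the walk reaches /.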

But, even if all goes well this far, there is still a chance that the SSL software will reject the certificate, and sendmail will log the following:

 STARTTLS=server, error: load verify locs dir, path failed: num
 STARTTLS=client, error: load verify locs dir, path failed: num

Here, dir is the directory specified by the CACertPath option (CACertPath), and path is the file specified by this option. The num is the error number returned by the ssl(8) software.

The CACertFile option is not safe. If specified from the command line, it can cause sendmail to relinquish its special privileges.



Sendmail
sendmail, 4th Edition
ISBN: 0596510292
Year: 2002
Pages: 1174
