On Saturday 10 April 2010, Eray Aslan wrote:
> On 10.04.2010 11:08, Mick wrote:
> > Apr 9 21:45:47 my_box sendmail[4013]: STARTTLS=client,
> > relay=smtp.comcast.net, version=TLSv1/SSLv3, verify=FAIL,
> > cipher=DHE-RSA-AES256-SHA, bits=256/256
> >
> > Any idea why this is happening?
>
> Nothing to worry about. It just means you do not trust the certificate
> issuer for smtp.comcast.net. For smtp delivery, this is perfectly fine.
> See below:
>
> $ openssl s_client -connect smtp.comcast.net:25 -starttls smtp
> [...]
> SSL-Session:
> [...]
> Verify return code: 20 (unable to get local issuer certificate)
>
> versus when I tell it to trust some CAs (including verisign) on the
> local machine:
>
> openssl s_client -connect smtp.comcast.net:25 -starttls smtp -CApath
> /etc/ssl/certs/
> [...]
> SSL-Session:
> [...]
> Verify return code: 0 (ok)

That's very interesting, I have puzzled about STARTTLS stuff for years! How do
I make sendmail trust the CAs? At the moment my sendmail.mc looks like:

define(`CERT_DIR',`/etc/mail/certs')
define(`confCACERT_PATH',`CERT_DIR')
define(`confCACERT',`CERT_DIR/cacert.pem')
define(`confSERVER_CERT',`CERT_DIR/cert.pem')
define(`confSERVER_KEY',`CERT_DIR/key.pem')
define(`confCLIENT_CERT',`CERT_DIR/cert.pem')
define(`confCLIENT_KEY',`CERT_DIR/key.pem')

where I made the certs with the TinyCA package.

TIA
-Robin
-- 
----------------------------------------------------------------------
Robin Atwood.

"Ship me somewheres east of Suez, where the best is like the worst,
Where there ain't no Ten Commandments an' a man can raise a thirst"
from "Mandalay" by Rudyard Kipling
----------------------------------------------------------------------
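An added example, not part of the thread above: a small parser for the sendmail STARTTLS log format quoted at the top of the message, which tallies outbound (STARTTLS=client) sessions whose peer certificate failed verification per relay, so an admin can see which relays still show verify=FAIL after changing confCACERT_PATH. The log lines are constructed for illustration (only the comcast one comes from the thread; mail.example.net and the server-side entry are made up).

```python
import re
from collections import Counter

# Constructed sample log in sendmail's STARTTLS format. The first line mirrors
# the one quoted in the thread; the other relays/entries are invented.
SAMPLE_LOG = """\
Apr  9 21:45:47 my_box sendmail[4013]: STARTTLS=client, relay=smtp.comcast.net, version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Apr  9 21:50:02 my_box sendmail[4021]: STARTTLS=client, relay=mail.example.net, version=TLSv1/SSLv3, verify=OK, cipher=AES128-SHA, bits=128/128
Apr  9 21:52:13 my_box sendmail[4030]: STARTTLS=server, relay=[192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Apr  9 21:55:41 my_box sendmail[4035]: STARTTLS=client, relay=smtp.comcast.net, version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
"""

STARTTLS_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: STARTTLS=(?P<role>client|server), (?P<fields>.*)$"
)


def parse_starttls(line):
    """Return a dict of the key=value fields of one STARTTLS log line, or None
    if the line is not a STARTTLS record (e.g. a to=/stat= delivery line)."""
    m = STARTTLS_RE.search(line)
    if not m:
        return None
    rec = {"pid": int(m.group("pid")), "role": m.group("role")}
    for kv in m.group("fields").split(", "):
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def unverified_relays(log_text):
    """Count client-side sessions by relay whose certificate was not verified.

    verify=FAIL: a certificate was presented but could not be validated against
    the configured CA store (the case in the thread). verify=NO: the peer
    presented no certificate at all. Server-side (inbound) entries are skipped,
    since they say nothing about which relays this host trusts.
    """
    fails, no_cert = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_starttls(line)
        if rec is None or rec["role"] != "client":
            continue
        if rec.get("verify") == "FAIL":
            fails[rec["relay"]] += 1
        elif rec.get("verify") == "NO":
            no_cert[rec["relay"]] += 1
    return fails, no_cert
```

Run it over /var/log/mail.log before and after adding the CA bundle to confCACERT_PATH; a relay that keeps appearing under verify=FAIL is still chaining to an issuer sendmail cannot find.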