Gentoo Archives: gentoo-user

From: Robin Atwood <robin.atwood@×××××××××.net>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] STARTTLS verification problem
Date: Sat, 10 Apr 2010 15:13:30
Message-Id: 201004102212.21239.robin.atwood@attglobal.net
In Reply to: Re: [gentoo-user] STARTTLS verification problem by Eray Aslan
On Saturday 10 April 2010, Eray Aslan wrote:
> On 10.04.2010 11:08, Mick wrote:
> > Apr 9 21:45:47 my_box sendmail[4013]: STARTTLS=client,
> > relay=smtp.comcast.net, version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-
> > AES256-SHA, bits=256/256
> >
> > Any idea why this is happening?
>
> Nothing to worry about. It just means you do not trust the certificate
> issuer for smtp.comcast.net. For smtp delivery, this is perfectly fine.
> See below:
>
> $ openssl s_client -connect smtp.comcast.net:25 -starttls smtp
> [...]
> SSL-Session:
> [...]
> Verify return code: 20 (unable to get local issuer certificate)
>
> versus when I tell it to trust some CAs (including verisign) on the
> local machine:
>
> openssl s_client -connect smtp.comcast.net:25 -starttls smtp -CApath
> /etc/ssl/certs/
> [...]
> SSL-Session:
> [...]
> Verify return code: 0 (ok)

That's very interesting, I have puzzled about STARTTLS stuff for years! How do
I make sendmail trust the CAs? At the moment my sendmail.mc looks like:

dnl Directory holding the CA bundle and the server/client key pair
define(`CERT_DIR',`/etc/mail/certs')
dnl Directory of trusted CA certificates (looked up by OpenSSL subject hash)
define(`confCACERT_PATH',`CERT_DIR')
dnl Single file of trusted CA certificates
define(`confCACERT',`CERT_DIR/cacert.pem')
dnl Certificate and key offered when sendmail is the STARTTLS server
define(`confSERVER_CERT',`CERT_DIR/cert.pem')
define(`confSERVER_KEY',`CERT_DIR/key.pem')
dnl Certificate and key offered when sendmail is the STARTTLS client
define(`confCLIENT_CERT',`CERT_DIR/cert.pem')
define(`confCLIENT_KEY',`CERT_DIR/key.pem')

where I made the certs with the TinyCA package.

TIA
-Robin
--
----------------------------------------------------------------------
Robin Atwood.

"Ship me somewheres east of Suez, where the best is like the worst,
Where there ain't no Ten Commandments an' a man can raise a thirst"
from "Mandalay" by Rudyard Kipling
----------------------------------------------------------------------
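The two `Verify return code` results quoted above (20 without a trust anchor, 0 once a CA directory is supplied) can be reproduced offline with a throwaway CA, and the same script shows the detail that usually bites when pointing `confCACERT_PATH` at a directory: OpenSSL looks CA certificates up by `<subject-hash>.0` symlink, so a bare copy of the CA file in the directory is not found. This is an added example written for this page, not code from the original message or from sendmail; it assumes only the `openssl` command-line tool, and the CA name, the host name `smtp.example.net` and all file names are made up.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce "Verify return code"
# 20 versus 0 (ok) with a throwaway CA, and show why a CApath must be hashed.
# Assumes: openssl in PATH. All names below are invented for the demo.
set -eu

# Build a throwaway CA and a server certificate signed by it in DIR.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=smtp.example.net" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" >/dev/null 2>&1
}

# Print the X509 verify result in the form the list post quotes:
# "0 (ok)" or "<code> (<reason>)". Extra arguments go to openssl verify
# (e.g. -CAfile FILE or -CApath DIR).
verify_code() {
    cert=$1; shift
    out=$(openssl verify "$@" "$cert" 2>&1) && { echo "0 (ok)"; return 0; }
    # failure line: "error 20 at 0 depth lookup: unable to get local issuer certificate"
    echo "$out" | sed -n 's/^error \([0-9]*\) at [0-9]* depth lookup:[ ]*\(.*\)$/\1 (\2)/p' | head -n 1
}

# Build a CApath-style directory: OpenSSL (and so sendmail's confCACERT_PATH)
# finds a CA through a <subject-hash>.N symlink, not by file name.
make_hashed_dir() {
    dir=$1; ca=$2
    mkdir -p "$dir"
    cp "$ca" "$dir/ca.pem"
    h=$(openssl x509 -subject_hash -noout -in "$ca")
    ln -sf ca.pem "$dir/$h.0"
}

demo() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    echo "no trust anchor:    $(verify_code "$work/server.pem")"
    echo "-CAfile ca.pem:     $(verify_code "$work/server.pem" -CAfile "$work/ca.pem")"
    mkdir -p "$work/unhashed"; cp "$work/ca.pem" "$work/unhashed/"
    echo "-CApath (unhashed): $(verify_code "$work/server.pem" -CApath "$work/unhashed")"
    make_hashed_dir "$work/hashed" "$work/ca.pem"
    echo "-CApath (hashed):   $(verify_code "$work/server.pem" -CApath "$work/hashed")"
    rm -rf "$work"
}

demo
```

The first and third lines of the output come back as `20 (unable to get local issuer certificate)`, exactly the code in the quoted `s_client` run; only the `-CAfile` and hashed `-CApath` runs give `0 (ok)`. Whatever populates the directory named by `confCACERT_PATH` (the distribution's `/etc/ssl/certs/`, or a CA exported from TinyCA) therefore needs those hash links, otherwise sendmail keeps logging `verify=FAIL` even though the CA file is present. As Eray's reply notes, `verify=FAIL` on an outbound STARTTLS session does not stop delivery; it only records that the peer's chain was not validated.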

Replies

Subject Author
Re: [gentoo-user] STARTTLS verification problem Eray Aslan <eray.aslan@×××××××.tr>