home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  


Previous Section Next Section

CACertFile

File containing certificate authority certs V8.11 and later

STARTTLS and stream encryption are discussed in detail in Section 10.10. Among the items you must provide is a file that contains the certificate of the authority that signed your local server (ServerCertFile) and client (ClientCertFile) certificates. This certificate of authority (CA) contains information (the distinguished name, or DN) that is sent to a connecting or connected-to site. The location of the CA certificate file is specified with this CACertFile option, using a declarations that looks like this:

O CACertFile=path            configuration file (V8.11 and later) 
-OCACertFile=path            command line (V8.11 and later) 
define(`confCACERT',`path')  mc configuration (V8.11 and later 

Here, path is a full path specification of the file containing the CA certificate. The path can contain sendmail macros, and if so, those macros will be expanded (their values used) when the configuration file, or command line, is read:

define(`confCACERT', `${MyCERTPath}/CAcert.pem')

The path must be a full pathname (must begin with a slash) and must also live in a directory that is safe (every component of which is writable only by root or the trusted user specified in the TrustedUser option) and must itself be safe (owned by and writable only by root or the trusted user specified in the TrustedUser option, TrustedUser). If it is not, it will be rejected and the following error logged:

STARTTLS=server: file path unsafe: reason 
STARTTLS=client: file path unsafe: reason 

But, even if all goes well this far, there is still a chance that the SSL software will reject the certificate, and sendmail will log the following:

STARTTLS=server, error: load verify locs dir,  path  failed: num 
STARTTLS=client, error: load verify locs dir,  path  failed: num 

Here, dir is the directory specified by the CACertPath option (CACertPath), and path is the file specified by this option. The num is the error number returned by the ssl(8) software.

The CACertFile option is not safe. If specified from the command line, it can cause sendmail to relinquish its special privileges.

    Previous Section Next Section