https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253060
Bug ID: 253060
Summary: sendmail submit is unable to verify certificate
Product: Base System
Version: 12.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: conf
Assignee: [email protected]
Reporter: [email protected]
If the user has configured SSL certificates for sendmail then when the sendmail
submit service connects to localhost and receives the certificate it will be
unable to verify that certificate. Specifically the user will find a log
message like this in their logs for every submitted e-mail:
STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL,
cipher=TLS_AES_256_GCM_SHA384, bits=256/256
The fix is to add the following two lines to /etc/mail/freebsd.submit.mc:
define(`confCACERT_PATH', `/etc/ssl/certs')dnl
define(`confCACERT', `/etc/ssl/cert.pem')dnl
Then, assuming the user has a real certificate configured, they will get a
message like this:
STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=OK,
cipher=TLS_AES_256_GCM_SHA384, bits=256/256
This does not change any mail delivery behavior, sendmail does not care if the
certificate is valid or not and does not alter behavior if it is or not. This
only changes logging, and would reduce admin confusion when an admin has
configured a server cert.
I believe this is safe to add to /etc/mail/freebsd.submit.mc for all users in
the base distribution.
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "[email protected]"
