Re: semi-problem starting sendmail

2009-12-09 Thread Giorgos Keramidas
On Tue, 8 Dec 2009 18:25:43 -0500, Robert Huff  wrote:
> I just generated new keys using the method specified in the article
> recommended by Giorgos, and I get the same result.

Oops. I was hoping that would help, but it was only a wild guess by
looking at the error message and the Google hits I could find for
related threads.

As Chuck wrote, the error is coming from the TLS support code.  Can you
try the openssl commands he mentioned?

Date: Tue, 08 Dec 2009 23:33:07 +0200
From: Chuck Swiger 
Subject: Re: semi-problem starting sendmail
Message-id: 

Well, the error is coming from /usr/src/contrib/sendmail/src/tls.c, and
depends on openssl to deal with your cert.  Does:

  openssl verify -verbose /etc/mail/CA/private/cakey.pem

...say anything interesting?  What about:

  openssl x509 -in /etc/mail/CA/private/cakey.pem -text
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: semi-problem starting sendmail

2009-12-08 Thread Robert Huff

I just generated new keys using the method specified in the
article recommended by Giorgos, and I get the same result.


Robert Huff



Re: semi-problem starting sendmail

2009-12-08 Thread Chuck Swiger
Hi--

On Dec 8, 2009, at 1:10 PM, Robert Huff wrote:
>> Make sure none of the directories in that path have 022 perms
>> (go+write).
> 
>   Checked, and not the problem.

Well, the error is coming from /usr/src/contrib/sendmail/src/tls.c, and depends 
on openssl to deal with your cert.  Does:

  openssl verify -verbose /etc/mail/CA/private/cakey.pem

...say anything interesting?  What about:

  openssl x509 -in /etc/mail/CA/private/cakey.pem -text

Regards,
-- 
-Chuck



Re: semi-problem starting sendmail

2009-12-08 Thread Giorgos Keramidas
On Tue, 8 Dec 2009 12:42:27 -0500, Robert Huff  wrote:
> When I start sendmail, this:
>
> STARTTLS=server, error: 
> SSL_CTX_use_PrivateKey_file(/etc/mail/CA/private/cakey.pem) failed
>
> appears in the log.  The file exists and has permissions 0600.  What
> am I probably looking at, and how do I find more specific information
> on the cause?

Hi Robert,

This article from Linux Journal may help a bit:

  http://www.linuxjournal.com/article/4823

It mentions generating the certificate with the -nodes option to avoid
an error exactly like the one you are quoting.

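A check for the key file itself, added here as an example and not something posted in the thread or taken from sendmail. It tells apart the states that make SSL_CTX_use_PrivateKey_file() fail on a file that exists and is mode 0600: a passphrase-protected key (the case the -nodes advice in the Linux Journal article avoids, since sendmail cannot answer a passphrase prompt at startup), a file that holds a certificate rather than a key, and a key that does not belong to the certificate named in ServerCertFile. Function names, messages and the openssl subcommands are my choices; pem_kind needs only grep, key_matches_cert needs an openssl(1) with the pkey subcommand. The thread's path points at cakey.pem, which is the CA's own signing key; a server normally gets its own key and certificate signed by that CA, but the checks are the same for whichever file ServerKeyFile names.

```sh
#!/bin/sh
# Inspect the PEM files behind sendmail's ServerKeyFile / ServerCertFile.
# (Example script, not part of sendmail or of the mailing-list thread.)

# Classify a PEM file by its headers, without openssl:
#   encrypted-key  PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED"
#   key            unencrypted private key (PKCS#1, PKCS#8, EC or DSA)
#   cert           certificate(s) only, no private key at all
#   none           no PEM block found
pem_kind() {
    f=$1
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" \
       || grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted-key
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo key
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo cert
    else
        echo none
    fi
}

# Compare the public key derived from the private key with the public key
# inside the certificate. Comparing the SubjectPublicKeyInfo PEM works for
# RSA and EC keys alike, unlike an RSA-only "-modulus" comparison.
# Returns 0 on match, 1 on mismatch, 2 if openssl could not read a file.
key_matches_cert() {
    key=$1 cert=$2
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Report on a key/cert pair the way an admin would want to read it.
check_tls_files() {
    key=$1 cert=$2
    case $(pem_kind "$key") in
        encrypted-key)
            echo "$key: private key is passphrase-protected; sendmail cannot use it."
            echo "  Regenerate it with -nodes, or strip the passphrase once:"
            echo "  openssl pkey -in $key -out $key.plain"
            return 1 ;;
        key) ;;
        cert)
            echo "$key: holds a certificate, not a private key"
            return 1 ;;
        none)
            echo "$key: no PEM data found"
            return 1 ;;
    esac
    if key_matches_cert "$key" "$cert"; then
        echo "$key matches the public key in $cert"
    else
        echo "$key does not match $cert (or openssl could not read one of them)"
        return 1
    fi
}

# Usage: sh checkpem.sh /etc/mail/certs/key.pem /etc/mail/certs/cert.pem
if [ $# -eq 2 ]; then
    check_tls_files "$1" "$2"
fi
```

Run it against the pair named in sendmail.cf; a non-zero exit means the file is not something SSL_CTX_use_PrivateKey_file() will accept, and the message says which of the three conditions it hit.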


Re: semi-problem starting sendmail

2009-12-08 Thread Robert Huff

Chuck Swiger writes:

> > STARTTLS=server, error:
> > SSL_CTX_use_PrivateKey_file(/etc/mail/CA/private/cakey.pem) failed
> >
> > appears in the log.  The file exists and has permissions 0600.
> > What am I probably looking at, and how do I find more specific
> > information on the cause?
>
> Make sure none of the directories in that path have 022 perms
> (go+write).

Checked, and not the problem.


Robert Huff



Re: semi-problem starting sendmail

2009-12-08 Thread Chuck Swiger
On Dec 8, 2009, at 9:42 AM, Robert Huff wrote:
> STARTTLS=server, error: 
> SSL_CTX_use_PrivateKey_file(/etc/mail/CA/private/cakey.pem) failed
> 
>   appears in the log.  The file exists and has permissions 0600.
>   What am I probably looking at, and how do I find more specific 
> information on the cause?

Make sure none of the directories in that path have 022 perms (go+write).  From 
the main sendmail README:

"Sendmail often gets blamed for many problems that are actually the
result of other problems, such as overly permissive modes on directories.
For this reason, sendmail checks the modes on system directories and
files to determine if they can be trusted.  For sendmail to run without
complaining, you MUST execute the following command:

chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue

You will probably have to tweak this for your environment (for example,
some systems put the spool directory into /usr/spool instead of
/var/spool).  If you set the RunAsUser option in your sendmail.cf, the
/var/spool/mqueue directory will have to be owned by the RunAsUser user.
As a general rule, after you have compiled sendmail, run the command

sendmail -v -bi

to initialize the alias database.  If it gives messages such as

WARNING: writable directory /etc
WARNING: writable directory /var/spool/mqueue

then the directories listed have inappropriate write permissions and
should be secured to avoid various possible security attacks."

Regards,
-- 
-Chuck

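The directory walk that the README excerpt above asks for, written out as a script. This is an added example, not code from the thread or from sendmail. It lists every component of the key's path that is writable by group or other, and checks that the key file itself is not group- or world-readable, which is what sendmail's safe-file checks require by default (DontBlameSendmail is the option that relaxes them, and the README's chmod/chown lines are the fix rather than the relaxation). Function names and the output format are mine; the script assumes an ls(1) whose first column is the usual ten-character mode string, which holds on FreeBSD and Linux.

```sh
#!/bin/sh
# Check the path to sendmail's key file the way the README advice expects
# it to end up: no group/other-writable directory anywhere above the file,
# and the key file itself unreadable by group and other.
# (Example script, not part of sendmail or of the mailing-list thread.)

# Print "<mode> <path>" for every path component, from the file up to /,
# that is writable by group or other. Prints nothing when the path is clean.
insecure_path_components() {
    p=$1
    # Make the path absolute so the walk terminates at "/" rather than ".".
    case $p in /*) ;; *) p=$(pwd)/$p ;; esac
    while :; do
        if [ -e "$p" ]; then
            # ls -ld mode string: type u=rwx g=rwx o=rwx, i.e. group write
            # is character 6 and other write is character 9.
            mode=$(ls -ld "$p" | cut -c1-10)
            case $mode in
                ?????w*|????????w*) printf '%s %s\n' "$mode" "$p" ;;
            esac
        fi
        if [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
}

# The private key must not be readable by group (character 5) or other
# (character 8); 0600 is what the README-style setup produces.
key_file_is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ????r*|???????r*) return 1 ;;
    esac
    return 0
}

# Owner of a path as ls(1) reports it (third column of ls -ld).
path_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Full report for one key file. Exit status is non-zero if anything is off.
check_key_path() {
    key=$1 rc=0
    bad=$(insecure_path_components "$key")
    if [ -n "$bad" ]; then
        echo "group/other-writable components on the path to $key:"
        echo "$bad" | sed 's/^/  /'
        echo "  fix: chmod go-w <each directory listed>"
        rc=1
    fi
    if ! key_file_is_private "$key"; then
        echo "$key is readable by group or other; chmod 600 $key"
        rc=1
    fi
    if [ "$(path_owner "$key")" != root ]; then
        echo "$key is owned by $(path_owner "$key"), not root"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "$key: path and mode look safe for sendmail"
    return $rc
}

# Usage: sh checkpath.sh /etc/mail/CA/private/cakey.pem
if [ $# -eq 1 ]; then
    check_key_path "$1"
fi
```

The README's chmod line covers the standard directories only; this walk catches a custom location such as /etc/mail/CA/private, whose intermediate directories the one-liner never touches.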


semi-problem starting sendmail

2009-12-08 Thread Robert Huff

When I start sendmail, this:

STARTTLS=server, error: 
SSL_CTX_use_PrivateKey_file(/etc/mail/CA/private/cakey.pem) failed

appears in the log.  The file exists and has permissions 0600.
What am I probably looking at, and how do I find more specific
information on the cause?

Respectfully,


Robert Huff
