From: Nick Wilson
Date: Wed, 29 Dec 2004 19:07:18 +0000
To: freebsd-questions@freebsd.org
Subject: Sendmail TLS
Message-ID: <41D30066.4020808@wilson.org.uk>

I have tried to set up TLS for Sendmail, as described in chapter 14.9 of the handbook. Having created the certificates in /etc/certs and modified the sendmail .mc file, I have the following problem:

With the myca.key file permissions set to readable by root only

-rwx------ 1 root wheel 736 Dec 29 17:11 myca.key

sendmail gives the message

Dec 29 18:57:01 jericho sm-mta[901]: STARTTLS=server, error: SSL_CTX_use_PrivateKey_file(/etc/certs/myca.key) failed

If I set the permissions to add group readable, I get

Dec 29 17:27:02 jericho sm-mta[659]: STARTTLS=server: file /etc/certs/myca.key unsafe: Group readable file

What owner, group and permissions should I set for myca.key?

Many thanks,
Nick