From owner-freebsd-questions@FreeBSD.ORG Tue Dec 8 18:02:41 2009
From: Chuck Swiger <cswiger@mac.com>
To: Robert Huff
Cc: questions@freebsd.org
Subject: Re: semi-problem starting sendmail
Date: Tue, 08 Dec 2009 10:02:27 -0800
Message-id: <93B37107-DFAA-4F65-A9D2-C2F988E6E7E6@mac.com>
In-reply-to: <19230.36867.142189.339269@jerusalem.litteratus.org>
References: <19230.36867.142189.339269@jerusalem.litteratus.org>
X-Mailer: Apple Mail (2.1077)

On Dec 8, 2009, at 9:42 AM, Robert Huff wrote:

>     STARTTLS=server, error: SSL_CTX_use_PrivateKey_file(/etc/mail/CA/private/cakey.pem) failed
>
> appears in the log.  The file exists and has permissions 0600.
> What am I probably looking at, and how do I find more specific
> information on the cause?

Make sure none of the directories in that path have 022 perms (go+write).  From the main sendmail README:

"Sendmail often gets blamed for many problems that are actually the result of other problems, such as overly permissive modes on directories.  For this reason, sendmail checks the modes on system directories and files to determine if they can be trusted.  For sendmail to run without complaining, you MUST execute the following command:

    chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
    chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue

You will probably have to tweak this for your environment (for example, some systems put the spool directory into /usr/spool instead of /var/spool).  If you set the RunAsUser option in your sendmail.cf, the /var/spool/mqueue directory will have to be owned by the RunAsUser user.

As a general rule, after you have compiled sendmail, run the command

    sendmail -v -bi

to initialize the alias database.  If it gives messages such as

    WARNING: writable directory /etc
    WARNING: writable directory /var/spool/mqueue

then the directories listed have inappropriate write permissions and should be secured to avoid various possible security attacks."

Regards,
-- 
-Chuck
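The advice above amounts to walking every directory component above the key file and checking each one for group/world write bits and for non-root ownership, which is the check sendmail performs before it trusts a path. The POSIX sh script below does that walk for an arbitrary path. It is an added example, not sendmail's own code and not part of the original thread; the function names (path_components, is_go_writable, go_writable_components, non_root_components, check_path_perms) are this example's own, and it assumes absolute paths without whitespace, as the sendmail paths in the README are.

```shell
#!/bin/sh
# Added example, not sendmail's code: report the path components that
# sendmail's safety check objects to, i.e. group/world-writable
# directories or components not owned by root. Assumes absolute paths
# with no whitespace (true of /etc/mail/CA/private/cakey.pem).

# Print $1 and each of its ancestor directories, one per line, up to /.
path_components() {
    case "$1" in
        /*) ;;
        *) echo "path_components: absolute path required: $1" >&2; return 2 ;;
    esac
    p=$1
    while :; do
        printf '%s\n' "$p"
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
}

# Succeed if $1 is group- or world-writable. Reads the symbolic mode from
# ls -ld (positions 6 and 9 are the group and other write bits) so the same
# test works on BSD and GNU userlands without stat(1) flag differences.
is_go_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Print every component of $1 that is go+w; return 1 if any was found.
go_writable_components() {
    rc=0
    for d in $(path_components "$1"); do
        if is_go_writable "$d"; then
            printf '%s\n' "$d"
            rc=1
        fi
    done
    return $rc
}

# Print "component owner" for every component of $1 not owned by root;
# return 1 if any was found. Owner is the third column of ls -ld.
non_root_components() {
    rc=0
    for d in $(path_components "$1"); do
        owner=$(ls -ld "$d" 2>/dev/null | awk '{print $3}')
        if [ "$owner" != root ]; then
            printf '%s %s\n' "$d" "${owner:-missing}"
            rc=1
        fi
    done
    return $rc
}

# Report both problems in wording like sendmail's own warnings; return 1
# if either kind was found, so a script can refuse to restart sendmail.
check_path_perms() {
    rc=0
    for d in $(go_writable_components "$1"); do
        if [ -d "$d" ]; then kind=directory; else kind=file; fi
        echo "WARNING: writable $kind $d"
        rc=1
    done
    for d in $(non_root_components "$1" | awk '{print $1}'); do
        echo "WARNING: $d not owned by root"
        rc=1
    done
    return $rc
}

# Usage: sh checkpath.sh /etc/mail/CA/private/cakey.pem
if [ $# -gt 0 ]; then
    check_path_perms "$1"
fi
```

Run against the key path from the log line, the walk covers /, /etc, /etc/mail, the two CA directories and the key file itself, which is the same set the README's chmod/chown lines cover plus the site-specific CA tree. The script only looks at write bits and ownership; it does not check that the private key is unreadable by group/other, and it relies on the standard ls -l column layout (owner in the third field).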