Date: Thu, 28 Jan 2021 12:47:08 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 253060] sendmail submit is unable to verify certificate
Message-ID: <bug-253060-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253060

            Bug ID: 253060
           Summary: sendmail submit is unable to verify certificate
           Product: Base System
           Version: 12.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: conf
          Assignee: bugs@FreeBSD.org
          Reporter: bicknell@ufp.org

If the user has configured SSL certificates for sendmail then when the sendmail
submit service connects to localhost and receives the certificate it will be
unable to verify that certificate. Specifically the user will find a log message
like this in their logs for every submitted e-mail:

    STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256

The fix is to add the following two lines to /etc/mail/freebsd.submit.mc:

    define(`confCACERT_PATH', `/etc/ssl/certs')dnl
    define(`confCACERT', `/etc/ssl/cert.pem')dnl

Then, assuming the user has a real certificate configured, they will get a
message like this:

    STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256

This does not change any mail delivery behavior; sendmail does not care if the
certificate is valid or not and does not alter behavior if it is or not. This
only changes logging, and would reduce admin confusion when an admin has
configured a server cert. I believe this is safe to add to
/etc/mail/freebsd.submit.mc for all users in the base distribution.

-- 
You are receiving this mail because:
You are the assignee for the bug.
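
An added example, not part of the original bug report or of FreeBSD's own tooling: a shell check that a submit .mc file carries the two CA defines from the report, plus a tally of verify= results for the submit client's handshakes with localhost. The function names and the sample log lines (host name, PIDs, timestamps) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample inputs below are constructed, not taken from a real host.

# Succeeds only if the .mc text on stdin defines both CA settings from the report.
mc_has_ca_defines() {
    mc=$(cat)
    for name in confCACERT_PATH confCACERT; do
        # Anchored at line start so a line disabled with a leading "dnl " is ignored.
        printf '%s\n' "$mc" | grep -q "^define(\`${name}'," || return 1
    done
}

# Counts verify= results for the submit client's STARTTLS handshakes with localhost.
# STARTTLS=server lines and client handshakes with other relays are skipped.
summarize_submit_verify() {
    awk '
        /STARTTLS=client/ && /relay=\[127\.0\.0\.1\]/ {
            if (match($0, /verify=[A-Za-z_]+/))
                n[substr($0, RSTART + 7, RLENGTH - 7)]++
        }
        END { printf "FAIL=%d OK=%d\n", n["FAIL"], n["OK"] }
    '
}

sample_mc() {   # constructed: only the two lines proposed in the report
cat <<'EOF'
define(`confCACERT_PATH', `/etc/ssl/certs')dnl
define(`confCACERT', `/etc/ssl/cert.pem')dnl
EOF
}

sample_log() {  # constructed mail log lines
cat <<'EOF'
Jan 28 12:00:01 mx sendmail[1201]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Jan 28 12:00:01 mx sendmail[1202]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1.3, verify=NO, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Jan 28 12:05:10 mx sendmail[1230]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Jan 28 12:06:44 mx sendmail[1244]: STARTTLS=client, relay=mail.example.org., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Jan 28 12:40:02 mx sendmail[1310]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
EOF
}

if sample_mc | mc_has_ca_defines; then echo "submit.mc: CA settings present"; fi
sample_log | summarize_submit_verify
```

On a real host, pipe /etc/mail/freebsd.submit.mc and the mail log into the two functions instead of the samples.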
