[Bug 253060] sendmail submit is unable to verify certificate
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Thu Jan 28 12:47:08 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253060
Bug ID: 253060
Summary: sendmail submit is unable to verify certificate
Product: Base System
Version: 12.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: conf
Assignee: bugs at FreeBSD.org
Reporter: bicknell at ufp.org
If the user has configured SSL certificates for sendmail then when the sendmail
submit service connects to localhost and receives the certificate it will be
unable to verify that certificate. Specifically the user will find a log
message like this in their logs for every submitted e-mail:
STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL,
cipher=TLS_AES_256_GCM_SHA384, bits=256/256
The fix is to add the following two lines to /etc/mail/freebsd.submit.mc:
define(`confCACERT_PATH', `/etc/ssl/certs')dnl
define(`confCACERT', `/etc/ssl/cert.pem')dnl
Then, assuming the user has a real certificate configured, they will get a
message like this:
STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=OK,
cipher=TLS_AES_256_GCM_SHA384, bits=256/256
This does not change any mail delivery behavior, sendmail does not care if the
certificate is valid or not and does not alter behavior if it is or not. This
only changes logging, and would reduce admin confusion when an admin has
configured a server cert.
I believe this is safe to add to /etc/mail/freebsd.submit.mc for all users in
the base distribution.
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list