Date:      Tue, 08 Dec 2009 10:02:27 -0800
From:      Chuck Swiger <cswiger@mac.com>
To:        Robert Huff <roberthuff@rcn.com>
Cc:        questions@freebsd.org
Subject:   Re: semi-problem starting sendmail
Message-ID:  <93B37107-DFAA-4F65-A9D2-C2F988E6E7E6@mac.com>
In-Reply-To: <19230.36867.142189.339269@jerusalem.litteratus.org>
References:  <19230.36867.142189.339269@jerusalem.litteratus.org>

On Dec 8, 2009, at 9:42 AM, Robert Huff wrote:
> STARTTLS=server, error: SSL_CTX_use_PrivateKey_file(/etc/mail/CA/private/cakey.pem) failed
> 
> 	appears in the log.  The file exists and has permissions 0600.
> 	What am I probably looking at, and how do I find more specific information on the cause?

Make sure none of the directories in that path have 022 perms (go+write).  From the main sendmail README:

"Sendmail often gets blamed for many problems that are actually the
result of other problems, such as overly permissive modes on directories.
For this reason, sendmail checks the modes on system directories and
files to determine if they can be trusted.  For sendmail to run without
complaining, you MUST execute the following command:

        chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue
        chown root / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue

You will probably have to tweak this for your environment (for example,
some systems put the spool directory into /usr/spool instead of
/var/spool).  If you set the RunAsUser option in your sendmail.cf, the
/var/spool/mqueue directory will have to be owned by the RunAsUser user.
As a general rule, after you have compiled sendmail, run the command

        sendmail -v -bi

to initialize the alias database.  If it gives messages such as

        WARNING: writable directory /etc
        WARNING: writable directory /var/spool/mqueue

then the directories listed have inappropriate write permissions and
should be secured to avoid various possible security attacks."

Regards,
-- 
-Chuck
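The directory check Chuck points at, as an added example that is not part of the original thread or of sendmail's own code: a POSIX shell script that walks every directory component of a path such as /etc/mail/CA/private/cakey.pem and reports any that is group- or other-writable or not owned by root, which is the rule the README excerpt states. The TOP and OWNER parameters are assumptions introduced for this example so the walk can be bounded to a constructed tree; sendmail itself always checks up to / and expects root. The script applies the README's strict rule only; sendmail's real check has exceptions controlled by the DontBlameSendmail option, which is not modelled here.

```shell
#!/bin/sh
# Added example, not code from the original thread or from sendmail:
# mirror the directory check in the README excerpt (every directory on
# the path must be owned by root and not writable by group or others)
# for one path.  Uses only POSIX find(1) primaries, so it runs the same
# on FreeBSD and Linux.

# unsafe_dir DIR OWNER
# True (exit 0) if DIR is group-writable, other-writable, or not owned
# by OWNER.  "-prune" keeps find from descending into DIR; "-perm -MODE"
# matches only when all bits of MODE are set, so the group-write and
# other-write bits are tested as two alternatives.
unsafe_dir() {
    d=$1
    owner=$2
    if [ -n "$(find "$d" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        return 0
    fi
    if [ -n "$(find "$d" -prune ! -user "$owner" -print)" ]; then
        return 0
    fi
    return 1
}

# check_path FILE [TOP] [OWNER]
# Walks from the directory containing FILE up to TOP (default "/"),
# printing a warning for every directory unsafe_dir rejects.  TOP and
# OWNER are parameters assumed for this example so the walk can be
# bounded to a test tree; sendmail checks up to "/" and expects root.
# Returns 0 if every directory is clean, 1 otherwise.
check_path() {
    p=$1
    top=${2:-/}
    owner=${3:-root}
    rc=0
    d=$(dirname "$p")
    while :; do
        if unsafe_dir "$d" "$owner"; then
            echo "WARNING: writable or non-$owner directory $d"
            rc=1
        fi
        if [ "$d" = "$top" ] || [ "$d" = "/" ]; then
            break
        fi
        d=$(dirname "$d")
    done
    return $rc
}

# Stand-alone use: ./checkpath.sh /etc/mail/CA/private/cakey.pem
# On a correctly secured system this prints nothing and exits 0.
if [ -n "${1:-}" ]; then
    check_path "$1"
fi
```

Run it against the path from the log line; each WARNING names a directory that `chmod go-w` or `chown root` from the README's command list would fix. The owner check is deliberately separate from the mode check because sendmail rejects both conditions independently.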