STARTTLS and stream encryption are discussed in detail in Section 10.10. Among the items you must provide is a file
that contains the certificate of the authority that signed your local
server (ServerCertFile) and client (ClientCertFile) certificates. This certificate of authority
(CA) contains information (the distinguished name, or DN) that is
sent to a connecting or connected-to site. The location of the CA
certificate file is specified with this CACertFile
option, using a declaration that looks like one of these:
O CACertFile=path configuration file (V8.11 and later)
-OCACertFile=path command line (V8.11 and later)
define(`confCACERT',`path') mc configuration (V8.11 and later)
Here, path is a full path specification of
the file containing the CA certificate. The
path can contain
sendmail macros, and if so, those macros will be
expanded (their values used) when the configuration file, or command
line, is read:
define(`confCACERT', `${MyCERTPath}/CAcert.pem')
The path must be a full pathname (must
begin with a slash). It must live in a directory that is safe
(every component of which is writable only by
root or the trusted user specified in the
TrustedUser option), and the file must itself be safe (owned
by and writable only by root or that trusted user). If it is not, it will be rejected and the
following error logged:
STARTTLS=server: file path unsafe: reason
STARTTLS=client: file path unsafe: reason
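As an added illustration (not code from the book or from sendmail itself), the following Python function applies the safety rules just described to a path: it must be absolute, and every directory component and the file itself must be owned by root or the TrustedUser and be writable only by them. The in-memory tree, the TrustedUser uid 1001, and the wording of the reasons are assumptions made for this example.

```python
import os
import stat

# Constructed, in-memory stand-in for the filesystem so the check runs offline:
# path -> (owner uid, permission bits). uid 0 is root; uid 1001 is assumed to
# be the TrustedUser. Both the tree and the uid are assumptions for this example.
TRUSTED_UID = 1001
FAKE_FS = {
    "/": (0, 0o755),
    "/etc": (0, 0o755),
    "/etc/mail": (TRUSTED_UID, 0o755),     # owned by the TrustedUser: allowed
    "/etc/mail/CAcert.pem": (0, 0o644),
    "/etc/mail/group.pem": (0, 0o664),      # group-writable file: rejected
    "/var": (0, 0o755),
    "/var/tmp": (0, 0o1777),                # world-writable component: rejected
    "/var/tmp/CAcert.pem": (0, 0o644),
}

def fake_stat(path):
    """stat() against the constructed tree; missing paths raise like os.stat."""
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]

def real_stat(path):
    """stat() against the live filesystem, returning (uid, permission bits)."""
    st = os.stat(path)
    return st.st_uid, stat.S_IMODE(st.st_mode)

# Rules from the text: a full pathname whose every directory component, and the
# file itself, is owned by root or the TrustedUser and writable only by them.
def check_cacert_file(path, trusted_uid=TRUSTED_UID, stat_fn=real_stat):
    """Return None if path is safe, else the reason it would be rejected."""
    if not path.startswith("/"):
        return "not a full pathname"
    parts = [p for p in path.split("/") if p]
    comps = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    for comp in comps:
        try:
            uid, mode = stat_fn(comp)
        except FileNotFoundError:
            return "%s does not exist" % comp
        if uid not in (0, trusted_uid):
            return "%s owned by uid %d, not root or TrustedUser" % (comp, uid)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            return "%s writable by group or others" % comp
    return None
```

Calling check_cacert_file with the default stat_fn runs the same rules against the live filesystem, which is the form an administrator would use before pointing CACertFile at a new location.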
But, even if all goes well this far, there is still a chance that the
SSL software will reject the certificate, and
sendmail will log the following:
STARTTLS=server, error: load verify locs dir, path failed: num
STARTTLS=client, error: load verify locs dir, path failed: num
Here, dir is the directory specified by
the CACertPath option, and path is the file
specified by this option. The num is the error
number returned by the ssl(8) software.
The CACertFile option is not safe. If specified
from the command line, it can cause sendmail to
relinquish its special privileges.