STARTTLS and stream encryption are discussed in detail in Section 10.10. Among the items you must provide is a file that contains the certificate of the authority that signed your local server (ServerCertFile) and client (ClientCertFile) certificates. This certificate of authority (CA) contains information (the distinguished name, or DN) that is sent to a connecting or connected-to site. The location of the CA certificate file is specified with this CACertFile option, using a declarations that looks like this:

O CACertFile=path            configuration file (V8.11 and later) 
-OCACertFile=path            command line (V8.11 and later) 
define(`confCACERT',`path') mc configuration (V8.11 and later 

Here, path is a full path specification of the file containing the CA certificate. The path can contain sendmail macros, and if so, those macros will be expanded (their values used) when the configuration file, or command line, is read:

define(`confCACERT', `${MyCERTPath}/CAcert.pem')

The path must be a full pathname (must begin with a slash) and must also live in a directory that is safe (every component of which is writable only by root or the trusted user specified in the TrustedUser option) and must itself be safe (owned by and writable only by root or the trusted user specified in the TrustedUser option, TrustedUser). If it is not, it will be rejected and the following error logged:

STARTTLS=server: file path unsafe: reason 
STARTTLS=client: file path unsafe: reason

But, even if ...

Get Sendmail, 3rd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.