STARTTLS and stream encryption are discussed in detail in Section 10.10. Among the items you must provide is a
directory that contains the certificate of the authority for the
server (ServerCertFile) and client (ClientCertFile), as well as other certificates of authority
you wish to trust. This directory contains both the certificates of
authority and hashes of those certificates (more about this soon).
The location of the CA certificate directory is specified with this
CACertPath option, with declarations that look
O CACertPath=dir ← configuration file (V8.12 and later) -OCACertPath=dir ← command line (V8.12 and later) define(`confCACERT_PATH',`dir')← mc configuration (V8.12 and later
dir is a full path specification of
the directory containing the CA certificate files and their hashes.
dir can contain
sendmail macros, and if so, those macros will be
expanded (their values used) when the configuration file, or command
line, is read:
dir must be a full pathname (must
begin with a slash), or the directory will be rejected and the
following error logged:
STARTTLS=server: file dir unsafe: reason STARTTLS=client: file dir unsafe: reason
dir is the directory specified by
CACertPath option (CACertPath), and
path is the file
specified by this option. The num is the error
number returned by the ssl(8) software.
dir must contain the hashes of each certificate of authority, where each ...