If you want to run sendmail with TLS enabled (STARTTLS for both incoming and outgoing connections), these are the configuration options you can add to your sendmail.mc file:
| Option | Description |
|---|---|
| define(`confCACERT', `path/to/file.ca') | CA certificate file (PEM) used to verify peer certificates |
| define(`confCACERT_PATH', `path/to/certs') | directory containing CA certificates |
| define(`confCLIENT_CERT', `path/to/file.crt') | certificate sendmail presents when it connects to another host (outbound mail) |
| define(`confCLIENT_KEY', `path/to/file.key') | private key for the client certificate |
| define(`confSERVER_CERT', `path/to/file.crt') | certificate sendmail presents when someone connects to it (inbound mail) |
| define(`confSERVER_KEY', `path/to/file.key') | private key for the server certificate; it must be owned by root and not group- or world-readable, otherwise sendmail logs it as unsafe and does not offer STARTTLS |
| define(`confCRL', `path/to/file.crl') | file containing a Certificate Revocation List |
| define(`confTO_STARTTLS', `1h') | timeout for the STARTTLS command (default: 1h) |
| define(`confDH_PARAMETERS', `path/to/file.dh') | file containing Diffie-Hellman (DH) parameters; generate at least 2048-bit parameters |
| define(`confTLS_SRV_OPTIONS', `V') | server-side TLS options; `V` tells sendmail not to request a certificate from connecting clients, so client certificates are neither required nor verified (the macro name is confTLS_SRV_OPTIONS, mapping to TLS_Srv_Opts) |
Once all the options you want are in place, recompile sendmail.cf with the following command:
# m4 sendmail.mc > sendmail.cf
and restart your sendmail service. The bare m4 call only works when sendmail.mc itself include()s cf.m4 from the sendmail distribution; otherwise pass the path of cf.m4 to m4 ahead of sendmail.mc.
Note on GMX and WEB.DE servers:
DH parameters are needed if these senders refuse to connect and deliver mail, or if you see errors like the following in your log. TLS alert 71 (insufficient_security) is sent by the connecting client when it rejects the server's key-exchange parameters as too weak, so generate a DH parameter file of at least 2048 bits and point confDH_PARAMETERS at it:
STARTTLS=server, error: accept failed=0, SSL_error=1, errno=0, retry=-1
STARTTLS=server: 11964:error:1409442F:SSL routines:SSL3_READ_BYTES:tlsv1 alert insufficient security:s3_pkt.c:1092:SSL alert number 71
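The following script ties the table, the recompile step and the DH note above together. It is an added example, not part of the original page or of sendmail itself: the directory /etc/mail/tls and the file names under it (ca.pem, server.crt, server.key, crl.pem, dh2048.pem) are assumptions, as is reusing the server certificate for the client role. It renders the TLS defines for sendmail.mc, refuses to continue while the private key is readable by others, generates 2048-bit DH parameters if they are missing, and offers helpers to rebuild sendmail.cf and to test the STARTTLS handshake with openssl.

```shell
#!/bin/sh
# Added example (not from the original page or from sendmail): build the
# TLS section of sendmail.mc, check key-file permissions, generate DH
# parameters, rebuild sendmail.cf and verify STARTTLS.
# /etc/mail/tls and the file names below are assumptions; adjust them.

# Emit one m4 define() line using sendmail's `value' quoting.
m4def() {
    printf "define(\`%s', \`%s')dnl\n" "$1" "$2"
}

# Print the TLS-related defines for sendmail.mc. $1 is the directory
# holding the certificate material. The server cert/key pair is reused
# for the client role so outbound connections also present a certificate.
render_tls_mc() {
    dir="$1"
    m4def confCACERT_PATH   "$dir/certs"
    m4def confCACERT        "$dir/ca.pem"
    m4def confSERVER_CERT   "$dir/server.crt"
    m4def confSERVER_KEY    "$dir/server.key"
    m4def confCLIENT_CERT   "$dir/server.crt"
    m4def confCLIENT_KEY    "$dir/server.key"
    m4def confCRL           "$dir/crl.pem"
    m4def confDH_PARAMETERS "$dir/dh2048.pem"
    m4def confTO_STARTTLS   "1h"
}

# sendmail logs the key file as "unsafe" and does not offer STARTTLS if
# the file is group- or world-readable; require mode 0600 before use.
key_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# 2048-bit DH parameters; weaker groups are what strict clients reject
# with the "insufficient security" alert seen in the log above.
make_dh() {
    openssl dhparam -out "$1" 2048
}

# The bare m4 call only works when sendmail.mc include()s cf.m4 itself;
# otherwise put the cf.m4 path from your sendmail distribution first.
build_cf() {
    m4 "$1" > "$2"
}

# Handshake test against the running server (host defaults to localhost).
check_starttls() {
    openssl s_client -connect "${1:-localhost}:25" -starttls smtp </dev/null 2>&1 \
        | grep 'Verify return code'
}

# Check the key, create DH parameters if missing, print the mc fragment.
main() {
    dir=/etc/mail/tls
    key_perms_ok "$dir/server.key" || {
        echo "refusing to continue: $dir/server.key must be root-owned, mode 0600" >&2
        exit 1
    }
    [ -f "$dir/dh2048.pem" ] || make_dh "$dir/dh2048.pem"
    render_tls_mc "$dir"
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh tls-setup.sh run >> /etc/mail/sendmail.mc`, then `build_cf /etc/mail/sendmail.mc /etc/mail/sendmail.cf` (from a shell that has sourced the script) and restart sendmail. `check_starttls` afterwards should print a `Verify return code` line, which only appears once the client got through STARTTLS and a full TLS handshake; if the handshake is refused, the DH file and the key permissions are the first two things to check.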