Off-topic; my last post on this.
On Fri, 15 Aug 2008, Ben Wailea, openldap-software wrote:
On Fri, Aug 15, 2008 at 9:07 PM, Emmanuel Dreyfus manu@netbsd.org wrote:
Note that some programs will not accept that: sendmail insists on the key being mode 600, for instance. I had to copy the key in a second file.
yeah, i've found the same issue. pita, imho. exim, e.g., handles it nicely in that it allows def'n of separate exec & auth users/groups, so that the app can run as 'exim', but use other own/perm certs.
In the late 90s, the sendmail mta took a bunch of criticism for permitting insecure configurations. People didn't read the docs and then complained later. So the sendmail developers made it check everything they could think of and refuse everything even slightly dangerous, and then added a config variable to permit the disabling of specific checks. That variable is named "DontBlameSendmail", to remind people before they set it that they're taking things into their own hands and need to obtain their own surety. So the modern result: people don't read the docs and then complain. Plus ça change...
Philip Guenther