On Tue, Jan 31, 2017 at 08:07:16AM -0700, russellbell@xxxxxxxxx wrote: > It was on the client side. I'm running sendmail as a client > to relay mail that originates on my computer through gmail. Gmail's SMTP server, correctly, does not suggest any preferred client CAs. > When I > request a certificate from gmail I get that message in the return > (along with a certificate). It may not matter. Not only does it not matter, it is expected and best practice. > When I send mail through gmail, sendmail reports > 'verify=FAIL'. I hoped to make that not happen. Completely unrelated to the preferred client CA list. Sendmail's TLS support is fairly anaemic, you should probably just ignore this. While it is possible to "verify" the certificate, that's pointless unless you also configure secure matching of the MX hostname against the certificate. Absent DNSSEC (which gmail does not currently support) you'd need to define custom policy for gmail that insists on their current MX hostnames or some fuzzy match thereof. This is much too much work. https://tools.ietf.org/html/rfc7672#section-1.3 For now, opportunistic unauthenticated TLS will do and is what what most SMTP email uses: https://tools.ietf.org/html/rfc7435#section-1.3 https://www.google.com/transparencyreport/saferemail/ > Quoth Mr Viktor Dukhovni: > > 'https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_client_CA_list.html > > That's the same as the man page I already have. > > 'Just pass a NULL stack.' > > Is there an app with which I can do this or do I have to write > a program? Not that I can't do that. None of this is applicable on the client side. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users