Re: openldap failing to launch if SSL/TLS enabled. error "main: TLS init def ctx failed: -1" ?



Off-topic; my last post on this.

On Fri, 15 Aug 2008, Ben Wailea, openldap-software wrote:
> On Fri, Aug 15, 2008 at 9:07 PM, Emmanuel Dreyfus <manu@netbsd.org> wrote:
> > Note that some programs will not accept that: sendmail insists on the key
> > being mode 600, for instance. I had to copy the key in a second file.
> 
> yeah, i've found the same issue. pita, imho. exim, e.g., handles it
> nicely in that it allows def'n of separate exec & auth users/groups,
> so that the app can run as 'exim', but use other own/perm certs.

In the late 90s, the sendmail mta took a bunch of criticism for permitting 
insecure configurations.  People didn't read the docs and then complained 
later.  So the sendmail developers made it check everything they could 
think of and refuse everything even slightly dangerous, and then added a 
config variable to permit the disabling of specific checks.  That variable 
is named "DontBlameSendmail", to remind people before they set it that 
they're taking things into their own hands and need to obtain their own 
surety.  So the modern result: people don't read the docs and then 
complain.  Plus ça change...


Philip Guenther