il/sendmail.mc
#####		   \`include(\`/etc/mail/tls/starttls.m4\')dnl\'
#####		B) *MAY* Add the same line to /etc/mail/submit.mc
#####		   to get MSP<->MTA authentication/encryption
#####	2) You may modify the marked portions of this file, those
#####	   deal with the cert/key filenames and TLS options.
#####	   If you need finer control of TLS options, use the access
#####	   database.
#####
####################################################################
divert(0)dnl
VERSIONID(\`\$Id: starttls.m4,v 8.15.2-18 2020-03-08 00:39:49 cowboy Exp \$\')
dnl #
dnl #---------------------------------------------------------------------
dnl # Bring in Autoconf results
dnl #---------------------------------------------------------------------
ifdef(\`sm_version\', \`dnl\',
\`include(\`/usr/share/sendmail/cf/debian/autoconf.m4\')dnl\')
dnl #
dnl # Check to see if inclusion is valid (version >= 8.11.0, tls enabled)
ifelse(eval(sm_version_math >= 527104), \`1\', \`dnl
ifelse(sm_enable_tls, \`yes\', \`dnl
dnl #
dnl # To support shared keyfiles, we need them to be group readable
dnl #
define(\`confDONT_BLAME_SENDMAIL\',dnl
	defn(\`confDONT_BLAME_SENDMAIL\')\`,GroupReadableKeyFile\')dnl
dnl #
dnl #             ...Do not touch anything above this line...
dnl #
dnl # Set a more reasonable timeout on negotiation
dnl #
define(\`confTO_STARTTLS\',     \`$Def_Map{'confTO_STARTTLS'}\')dnl   # <= EDIT
dnl #
dnl # CA directory - CA certs should be herein
define(\`confCACERT_PATH\',     \`$Def_Map{'confCACERT_PATH'}\')dnl   # <= EDIT
dnl #
dnl # CA file (may be the same as client/server certificate)
define(\`confCACERT\',           \`$Def_Map{'confCACERT'}\')dnl   # <= EDIT
dnl #
dnl # Certificate Revocation List
define(\`confCRL\',              \`$Def_Map{'confCRL'}\')dnl   # <= EDIT
EOT
if (! -f $Def_Map{'confCRL'}) {
print $ofh <<"EOT";
dnl # CRL not found...  do not issue warnings on it!
undefine(\`confCRL\')dnl
EOT
	};
	print $ofh <<"EOT";
dnl #
dnl # Server certificate/key (can be in the same file, and shared w/client)
dnl # NOTE: The key must *NOT* be encrypted !!!
define(\`confSERVER_CERT\',     \`$Def_Map{'confSERVER_CERT'}\')dnl   # <= EDIT
define(\`confSERVER_KEY\',      \`$Def_Map{'confSERVER_KEY'}\')dnl   # <= EDIT
dnl #
dnl # Client certificate/key (can be in the same file, and shared w/server)
dnl # NOTE: The key must *NOT* be encrypted !!!
define(\`confCLIENT_CERT\',     \`$Def_Map{'confCLIENT_CERT'}\')dnl   # <= EDIT
define(\`confCLIENT_KEY\',      \`$Def_Map{'confCLIENT_KEY'}\')dnl   # <= EDIT
dnl #
dnl # DH parameters
define(\`confDH_PARAMETERS\',   \`$Def_Map{'confDH_PARAMETERS'}\')dnl # <= EDIT
dnl #
dnl # Optional settings
define(\`confTLS_SRV_OPTIONS\', \`$Def_Map{'confTLS_SRV_OPTIONS'}\')dnl   # <= EDIT
dnl #
\')\')dnl
EOT
	};