Hi Michael, making the key group-readable seems to have done the trick. Maybe its me, but I didn't expect that. I learned that the key file should be readable by as few accounts as possible. Thanx for the hint. The problem is,though, sendmail doesn't tell.
I started to think that maybe adding something to /usr/share/sendmail/update_mk which creates /etc/mail/Makefile to do this chown/chmod of /etc/mail/private and the keys/certs in there. But I don’t have /etc/mail/private on my Debian install, and don’t see it in any of the packages, did I miss something?
Path to key and certificate file can be defined in starttls.m4. Owner and group of the key file are hardwired somewhere, AFAICT. Regards Harri