diff --git a/SOURCES/sendmail-8.14.7-tls-use-certificate-chain-file.patch b/SOURCES/sendmail-8.14.7-tls-use-certificate-chain-file.patch
new file mode 100644
index 0000000..0dea379
--- /dev/null
+++ b/SOURCES/sendmail-8.14.7-tls-use-certificate-chain-file.patch
@@ -0,0 +1,70 @@
+diff --git a/sendmail/conf.c b/sendmail/conf.c
+index 777e05e..e693ed0 100644
+--- a/sendmail/conf.c
++++ b/sendmail/conf.c
+@@ -6504,6 +6504,14 @@ char	*FFRCompileOptions[] =
+ 	/* More STARTTLS options, e.g., secondary certs. */
+ 	"_FFR_TLS_1",
+ #endif /* _FFR_TLS_1 */
++#if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE
++	/*
++	**  Use SSL_CTX_use_certificate_chain_file()
++	**  instead of SSL_CTX_use_certificate_file()
++	*/
++
++	"_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE",
++#endif /* _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE */
+ #if _FFR_TRUSTED_QF
+ 	/*
+ 	**  If we don't own the file mark it as unsafe.
+diff --git a/sendmail/tls.c b/sendmail/tls.c
+index 72da987..6707a35 100644
+--- a/sendmail/tls.c
++++ b/sendmail/tls.c
+@@ -860,17 +860,25 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
+ 		if (bitset(TLS_I_USE_KEY, req))
+ 			return false;
+ 	}
++#if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE
++# define SSL_CTX_use_cert(ssl_ctx, certfile) \
++	SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile)
++# define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_chain_file"
++#else
++# define SSL_CTX_use_cert(ssl_ctx, certfile) \
++	SSL_CTX_use_certificate_file(ssl_ctx, certfile, SSL_FILETYPE_PEM)
++# define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_file"
++#endif
+ 
+ 	/* get the certificate file */
+ 	if (bitset(TLS_S_CERT_OK, status) &&
+-	    SSL_CTX_use_certificate_file(*ctx, certfile,
+-					 SSL_FILETYPE_PEM) <= 0)
++	    SSL_CTX_use_cert(*ctx, certfile) <= 0)
+ 	{
+ 		if (LogLevel > 7)
+ 		{
+ 			sm_syslog(LOG_WARNING, NOQID,
+-				  "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
+-				  who, certfile);
++				  "STARTTLS=%s, error: %s(%s) failed",
++				  who, SSL_CTX_USE_CERT, certfile);
+ 			if (LogLevel > 9)
+ 				tlslogerr(LOG_WARNING, who);
+ 		}
+@@ -914,13 +922,13 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
+ 
+ 	/* get the certificate file */
+ 	if (bitset(TLS_S_CERT2_OK, status) &&
+-	    SSL_CTX_use_certificate_file(*ctx, cf2, SSL_FILETYPE_PEM) <= 0)
++	    SSL_CTX_use_cert(*ctx, cf2) <= 0)
+ 	{
+ 		if (LogLevel > 7)
+ 		{
+ 			sm_syslog(LOG_WARNING, NOQID,
+-				  "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
+-				  who, cf2);
++				  "STARTTLS=%s, error: %s(%s) failed",
++				  who, SSL_CTX_USE_CERT, cf2);
+ 			if (LogLevel > 9)
+ 				tlslogerr(LOG_WARNING, who);
+ 		}
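Review bot: The second `SSL_CTX_use_cert(*ctx, cf2)` call in the `TLS_S_CERT2_OK` branch may discard the intermediates loaded for the first certificate when the build links against an OpenSSL older than 1.0.2. To my knowledge those releases keep the extra chain certificates once per SSL_CTX and `SSL_CTX_use_certificate_chain_file()` clears them on every call, while 1.0.2 and later keep the chain per certificate. A server with both `certfile` and `cf2` configured could then present an incomplete chain for the primary certificate, which peers would report as a verification failure. It would help to record the requirement next to the `#if`, e.g. `/* chain is per-certificate only with OpenSSL >= 1.0.2; older libraries let the cf2 call replace certfile's chain */`. As a style point, both macros are defined in the middle of inittls(), whose body starts and ends outside this hunk, and are never `#undef`'d; file scope would be the more conventional place.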
diff --git a/SPECS/sendmail.spec b/SPECS/sendmail.spec
index 0b2e194..04d7633 100644
--- a/SPECS/sendmail.spec
+++ b/SPECS/sendmail.spec
@@ -26,7 +26,7 @@
 Summary: A widely used Mail Transport Agent (MTA)
 Name: sendmail
 Version: 8.14.7
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: Sendmail
 Group: System Environment/Daemons
 URL: http://www.sendmail.org/
@@ -112,6 +112,9 @@ Patch28: sendmail-8.14.7-tls11-12-config-options.patch
 # have MX record pointing to the CNAME
 # patch backported from upstream
 Patch29: sendmail-8.14.7-ipv6-mx-cname-fix.patch
+# add support for SSL_CTX_use_certificate_chain_file(), #1596725
+# patch backported from upstream
+Patch30: sendmail-8.14.7-tls-use-certificate-chain-file.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: tcp_wrappers-devel
 BuildRequires: libdb-devel
@@ -237,6 +240,7 @@ cp devtools/M4/UNIX/{,shared}library.m4
 %patch27 -p1 -b .client-port
 %patch28 -p1 -b .tls11-12-config-options
 %patch29 -p1 -b .ipv6-mx-cname-fix
+%patch30 -p1 -b .tls-use-certificate-chain-file
 
 for f in RELEASE_NOTES contrib/etrn.0; do
 	iconv -f iso8859-1 -t utf8 -o ${f}{_,} &&
@@ -250,7 +254,7 @@ sed -i 's|/usr/local/bin/perl|%{_bindir}/perl|' contrib/*.pl
 cat > redhat.config.m4 << EOF
 define(\`confMAPDEF', \`-DNEWDB -DNIS -DHESIOD -DMAP_REGEX -DSOCKETMAP -DNAMED_BIND=1')
 define(\`confOPTIMIZE', \`\`\`\`${RPM_OPT_FLAGS}'''')
-define(\`confENVDEF', \`-I%{_includedir}/libdb -I/usr/kerberos/include -Wall -DXDEBUG=0 -DTCPWRAPPERS -DNETINET6 -DHES_GETMAILHOST -DUSE_VENDOR_CF_PATH=1 -D_FFR_TLS_1 -D_FFR_LINUX_MHNL -D_FFR_QOS -D_FFR_TLS_EC')
+define(\`confENVDEF', \`-I%{_includedir}/libdb -I/usr/kerberos/include -Wall -DXDEBUG=0 -DTCPWRAPPERS -DNETINET6 -DHES_GETMAILHOST -DUSE_VENDOR_CF_PATH=1 -D_FFR_LINUX_MHNL -D_FFR_QOS')
 define(\`confLIBDIRS', \`-L/usr/kerberos/%{_lib}')
 define(\`confLIBS', \`-lnsl -lwrap -lhesiod -lcrypt -ldb -lresolv %{?relro:%{relro}}')
 define(\`confMANOWN', \`root')
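Review bot: Dropping `-D_FFR_TLS_1` and `-D_FFR_TLS_EC` from `confENVDEF` here is not mentioned in the changelog entry or in a spec comment; they reappear in `conf_sendmail_ENVDEF` in the `%{with_tls}` hunk further down. After this change the two flags are defined only when `%{with_tls}` is "yes", and presumably only for the sendmail binary, where before they were part of the global definitions. A one-line comment above the `%if "%{with_tls}" == "yes"` block, such as `# TLS feature flags are set for sendmail only, and only when TLS is enabled`, plus a changelog line, would make the intent explicit for the next person auditing the build flags.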
@@ -287,7 +291,7 @@ EOF
 
 %if "%{with_tls}" == "yes"
 cat >> redhat.config.m4 << EOF
-APPENDDEF(\`conf_sendmail_ENVDEF', \`-DSTARTTLS')dnl
+APPENDDEF(\`conf_sendmail_ENVDEF', \`-DSTARTTLS -D_FFR_TLS_1 -D_FFR_TLS_EC -D_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE')dnl
 APPENDDEF(\`conf_sendmail_LIBS', \`-lssl -lcrypto')dnl
 EOF
 %endif
@@ -761,6 +765,11 @@ fi
 %{_initrddir}/sendmail
 
 %changelog
+* Thu Jul 25 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 8.14.7-6
+- Use SSL_CTX_use_certificate_chain_file() to handle intermediate
+  certificates passed additionally in confSERVER_CERT
+  Resolves: rhbz#1596725
+
 * Thu Mar 23 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 8.14.7-5
 - Explicitly enabled sm-client statistics
   Resolves: rhbz#890585