CentOS - Apr 2010 - Getting Domainkeys, dkim, and SMTP-AUTH/TLS to play nicely together in sendmail

A while back I struggled to get Domainkeys and DKIM to work properly on
my little home server.  While I'm sure they weren't necessary in a
strict sense, it not only enabled me to learn about the technology but
allowed for more of a verification of the email coming from my server.

And so this week I figured: "Hey, this has been working without a
problem for a while; it must be time to screw with something else."
Hence my effort to enable SMTP submissions over port 587.  At the very
least, with some ISPs blocking traffic to port 25, this seemed to be a
good idea (as well as providing a better method for sending email using
my server from outside my home LAN).

I've read a number of write-ups of SMTP AUTH, including the information
at sendmail.org.  I've run into a snag, however, with the .pem
certificate that is used for the DK stuff.  The conventional wisdom
seems to be to run domainkeys/dkim as a user other than root, and a .pem
certificate is required.  Therefore, to get this to run properly, the
permissions on the certificate need to me 600 or 400, owned by this user.

All well and good so far, except that STARTTLS doesn't like this:

	STARTTLS=server: file /var/db/domainkeys/mail.key.pem unsafe:
permission denied

When I telnet to the server, port 587, and issue an EHLO, I see neither
AUTH nor TLS in the response.

The sendmail.mc file contains the line:

	define(`localCERT',`/ver/db/domainkeys/mail.key.pem')dnl

So if there's a different line I can add to indicate to TLS/AUTH that it
should use a different cert (or, rather, the same one copied to a
different location with different permissions...) I don't know it.

Anyone ever run into this before?

 -Don Levey