I'm having trouble getting our SMT server to work with the new proxy server (McAfee Web Gateway) which our education dept has installed. Unfortunately, there is no way for us to bypass the proxy to get to the net and the only access we have to the server is to block/unblock web sites. They have agreed to allow unauthenticated access from our server ip address range, however I still can't get SMT to work.

The proxy server uses a self-signed CA certificate which I have saved in /etc/ssl/certs/ - when you access an SSL site, the proxy forwards its own cert instead of the original, so you need its CA on every host.
E.g. importing the CA cert into a web browser's CA cert list allows you to access https sites without being prompted to accept the certificates.

For some reason, just adding the CA cert to /etc/ssl/certs/ doesn't make curl work (this is just running curl directly, not via smt-ncc-sync). Instead, I have to use the --cacert option to specify the CA certificate. You can either add it to the command line or put it in /root/.curlrc. Still, that gets curl working.

Now back to smt-ncc-sync. This normally runs as the user smt, so I copied the working .curlrc file from /root to smt's home dir /var/lib/smt. Unfortunately, that doesn't work - curl completely ignores the .curlrc file when run from the smt binary. Same story running it from the command line as root or when it's run via cron as smt.

I've even gone to the extent of replacing curl with a shell script pointing to the 'real' curl:

#!/bin/sh
# wrapper installed as /usr/bin/curl; exec the renamed binary with the proxy CA forced on
exec /usr/bin/curl.bin --cacert /etc/ssl/certs/0823-MWG-CA.pem "$@"

(curl.bin is the "real" curl renamed)

Even doing that doesn't fix smt-ncc-sync, it still gives the same errors:

Invalid response:500 CURL ERROR(60) Peer certificate cannot be authenticated with known CA certificates
That leads me to think that smt binaries must have curl embedded within them and set not to use ~/.curlrc

I've run out of ideas for getting around this problem, so hoping somebody here might have a suggestion.