Re: [exim] Uid used to access TLS-certificates

Author: Bill Hacker
Date:  
CC: exim-users
Subject: Re: [exim] Uid used to access TLS-certificates
Tony Finch wrote:

> On Fri, 11 Feb 2005, Timo Neuvonen wrote:
>
>>Now user 'exim' seems to be used to read the certificate files.
>>Is there any way to make exim read the certificates as root? Exim
>>executable is setuid to root, so it should be possible, I think.
>
>
> No: Exim doesn't read the certificate until the last possible moment, at
> which point it has thrown away all privilege. You can restrict readability
> of the certificate to the Exim user to hide it from other users.
>
> (It would probably be safer if Exim had an option to load the certificate
> at startup, and prompt for any passphrase; the cert would then be secure
> against compromise of the exim user.)
>
> Tony.


Hmmm.....

'What if'...

- The path to the cert was an SQL call (cert being stored in the DB)

AND

- the connecting IP was passed as part of the "SELECT ...."

Might that not provide both a means of storing an already unlocked cert
(somewhat) more securely

AND

- providing the cert that matched the domain the IP was assigned to in
multi hosting environments?

Bill Hacker
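
A check for the restriction Tony describes above (key and certificate readable only by the Exim run-time user), as an added example that is not part of the original thread or of Exim itself. The function name `audit_tls_file` is hypothetical, the user name `exim` is taken from the thread, and the file path is supplied by the caller.

```python
import os
import stat

def audit_tls_file(path, expected_uid):
    """Return findings for a TLS key/cert file that Exim must read
    as its unprivileged run-time user (expected_uid)."""
    findings = []
    st = os.lstat(path)  # lstat: do not follow a symlink silently
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink; audit the target instead")
        return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
        return findings
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} != expected {expected_uid}")
    if not st.st_mode & stat.S_IRUSR:
        findings.append("owner cannot read the file")
    # Any group/other bit exposes the file to users besides the Exim user.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"group/other bits set: {stat.filemode(st.st_mode)}")
    # A directory writable by others lets them replace the file.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory is group/other writable")
    return findings

if __name__ == "__main__":
    import pwd
    import sys
    # Assumption: the run-time user is named 'exim'; the path is argv[1].
    uid = pwd.getpwnam("exim").pw_uid
    for finding in audit_tls_file(sys.argv[1], uid) or ["ok"]:
        print(finding)
```

An empty result means the file matches the policy; it does not address Tony's second point, that a compromise of the exim user still exposes the key.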