Re: [exim] Exim SSL/TLS certificate key file permissions/pas…

Top Page
Delete this message
Reply to this message
Author: Mike Cardwell
Date:  
To: exim-users
Subject: Re: [exim] Exim SSL/TLS certificate key file permissions/password?
* on the Tue, Sep 10, 2013 at 01:18:42AM +0100, Adam Spragg wrote:

> Apache and Dovecot manage this by reading the file on startup, before dropping
> privileges and changing to their "normal" uid, and asking for the password on
> the console. Is Exim not able to work this way as well?


At startup time, Exim has no way of knowing which certificates it will be using
during its lifetime.

Example:

tls_certificate = ${if eq{$received_ip_address}{127.0.0.1}{foo}{bar}}.crt

Perhaps it could be made to read certs at startup time when a path is provided
rather than an expandable string, but I imagine that would involve some serious
code refactoring and would have to remain backwards compatible with the existing
situation.

> I'm not happy having an unprotected private key lying about anywhere, even if
> its permissions were 0400 - let alone 0440 as Exim requires.
>
> If Exim isn't able to do this, does anyone know if there are any plans for it
> in the future?


I doubt it will happen, unless you find somebody who both wants that change and
is also capable of writing the code themselves. I've never heard anyone else
request this feature. You should probably add it to the wish list on bugzilla
at least.

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4