Re: [exim] Exim SSL/TLS certificate key file permissions/pas…

Author: Adam Spragg
Date:  
To: Exim-users
Subject: Re: [exim] Exim SSL/TLS certificate key file permissions/password?
Hi,

On 2013-09-10 10:50, Mike Cardwell wrote:
> * on the Tue, Sep 10, 2013 at 01:18:42AM +0100, Adam Spragg wrote:
>
> > Apache and Dovecot manage this by reading the file on startup, before
> > dropping privileges and changing to their "normal" uid, and asking for the
> > password on the console. Is Exim not able to work this way as well?
>
> At startup time, Exim has no way of knowing which certificates it will be
> using during its lifetime.
>
> Example:
>
> tls_certificate = ${if eq{$received_ip_address}{127.0.0.1}{foo}{bar}}.crt


Ah, great point. That does make sense now. I'm still getting my head around
just how configurable Exim is, and this helps. So, thanks.

> I doubt it will happen, unless you find somebody who both wants that change
> and is also capable of writing the code themselves. I've never heard anyone
> else request this feature.


Right. I did check the FAQ and archives, and I couldn't find any examples of
anyone else asking this. Having administered a few Apache instances before, as
well as being an end-user of some other public-key crypto applications, I'm
very used to the "always keep your private keys password-protected" mindset.
The fact that I couldn't find a config option or any previous discussion of
this was surprising to me.

> You should probably add it to the wish list on bugzilla at least.


Good idea. I'll try to do that at some point.

Thanks for your help,

Adam