Re: [exim] tls_certificate weirdness

Top Page
Delete this message
Reply to this message
Author: Phillip Carroll
Date:  
To: exim-users
Subject: Re: [exim] tls_certificate weirdness
On 8/22/2016 3:57 AM, Heiko Schlittermann wrote:
> Directories 0777? Sounds dangerous. I think, Exim doesn't do extensive
> checks to ensure system security, but I'd remove the the group/world
> write bits from the directories.


You are correct, of course. The directory permissions are all actually
set to 755. I should have written that the paths are all world-readable.

> Try to use
>
>     sudo -iu <your exim user>

>


That resulted in: "This account is currently not available."

The help for sudo shows no option -iu on my system. What is that
supposed to do? The following command displays the pem:

sudo -u exim cat /path/to/cert.pem

I don't think the issue has to with the exim user per se. It appears
that some library function is asking for more permission than it needs.
(fopen ?) Apache has no problem because it reads the cert as root.

Changing the group of the current fullchain pem file to "mail" resolved
the issue with the cert. However, the error message then became:
(SSL_CTX_use_PrivateKey_file file=/path/to/privkey.pem):
error:0200100D:system library:fopen:Permission denied

Changing the group of the private key file to "mail" then resolved that
issue. However, that raises the question: Why must the private key be
readable by exim at all? I have always been under the impression that a
private key should ALWAYS be readable only by root.

I have now restored the group to "root" of the two files, and reverted
back to the exim-owned cert for STARTTLS usage so that the primary
private key of the site remains accessible only to root. That seems to
me the safest scheme.