Re: [exim] tls_certificate weirdness

Author: Jeremy Harris
Date:
To: exim-users
Subject: Re: [exim] tls_certificate weirdness
On 23/08/16 20:03, Phillip Carroll wrote:
> The
> fact that "tls_privatekey" must be readable by exim I presume is for
> using STARTTLS for sending messages, although the TLS error message
> about the "tls_privatekey" path occurred on a received message. (I
> questioned the need for access to the private key to receive a message,
> not considering usage in the other direction.)


The Exim code telling the OpenSSL library about the private-key is in
a routine common to both server and client initialisation.

It's a fair point; we might consider making it direction-aware to
reduce the attack surface (even though most installations will be
doing both directions).
--
Cheers,
Jeremy