Re: [exim] Symlinks in cert / keyfile

Author: Phil Pennock
Date:  
To: basti
CC: exim-users
Subject: Re: [exim] Symlinks in cert / keyfile
On 2017-05-26 at 23:53 +0200, basti wrote:
> as I can see Exim won't use certificates when the path is a link.
Yes it will. I use symlinks. That's not what's happening here.

> /etc/letsencrypt/live/mail.example.com# ls -la
> insgesamt 12
> drwxr-xr-x 2 root root 4096 Mai 26 17:24 .
> drwx------ 4 root root 4096 Mai 26 17:17 ..
> lrwxrwxrwx 1 root root 42 Mai 26 17:24 cert.pem ->
> ../../archive/mail.example.com/cert2.pem
Exim is not running as root when the connection is received. It's
running as the Exim Runtime User, which might be `exim`, `exim4`,
`_exim`, `mailnull` or something else, depending upon your system.

Because the values of the paths are subject to string expansion, they
can't be pre-loaded while root. The key and cert need to be readable by
the Exim runtime user, using the path as given.

So you have `/etc/letsencrypt/live` permission 0700 (according to the
`..` line above) and a cert in
`/etc/letsencrypt/archive/mail.example.com/cert2.pem` which is readable
to the runtime user, but the runtime user can't figure out where
`../../` is because the OS, when given that path, is returning errors.

Run:

chmod 0711 /etc/letsencrypt/live

That will give "lookup" permission on the directory, to resolve a fixed
name, without needing to be able to enumerate the directory contents, to
every user.

-Phil
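Added example, not part of the thread or of Exim: a Python walk that resolves a certificate path component by component, the way the kernel does for a non-root process, and reports which directory denies the lookup. It rebuilds the listing above in a temporary directory (constructed fixture) and models the runtime user as a hypothetical non-owning uid with no groups, showing the failure with `live` at 0700 and the cleared result after `chmod 0711`.

```python
import os, stat, tempfile

def _allowed(st, uid, gids, bit):
    """Owner/group/other check for a non-root principal; bit is stat.S_IROTH or stat.S_IXOTH."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool(st.st_mode & (bit << shift))

def check_path(path, uid, gids):
    """Follow `path` like the kernel; return (dirs denying search to uid/gids, final file readable?)."""
    todo, cur, blocked = os.path.abspath(path).split('/')[1:], '/', []
    while todo:
        name = todo.pop(0)
        if name in ('', '.'):
            continue
        if not _allowed(os.lstat(cur), uid, gids, stat.S_IXOTH) and cur not in blocked:
            blocked.append(cur)  # stepping into or out of `cur` needs its x ("lookup") bit
        if name == '..':
            cur = os.path.dirname(cur) or '/'
            continue
        nxt = os.path.join(cur, name)
        if stat.S_ISLNK(os.lstat(nxt).st_mode):
            target = os.readlink(nxt)
            if target.startswith('/'):
                cur, target = '/', target[1:]
            todo = target.split('/') + todo  # splice the link target in and keep walking
            continue
        cur = nxt
    return blocked, _allowed(os.lstat(cur), uid, gids, stat.S_IROTH)

def demo():
    """Constructed fixture mirroring the ls listing; the Exim runtime user is modelled as a
    hypothetical non-owning uid with no groups. Returns (blocked, readable) before and after the fix."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o711)
        live, archive = os.path.join(root, 'live'), os.path.join(root, 'archive')
        for d in (live, archive, os.path.join(live, 'mail.example.com'), os.path.join(archive, 'mail.example.com')):
            os.mkdir(d)
            os.chmod(d, 0o755)
        cert = os.path.join(archive, 'mail.example.com', 'cert2.pem')
        open(cert, 'w').close()  # placeholder file standing in for the real cert
        os.chmod(cert, 0o644)
        os.chmod(live, 0o700)  # the drwx------ shown on the `..` line of the listing
        link = os.path.join(live, 'mail.example.com', 'cert.pem')
        os.symlink('../../archive/mail.example.com/cert2.pem', link)
        uid, gids = os.getuid() + 1, set()  # modelled runtime user: not the file owner
        before = check_path(link, uid, gids)
        os.chmod(live, 0o711)  # the fix from the reply
        after = check_path(link, uid, gids)
        return [os.path.basename(d) for d in before[0]], before[1], [os.path.basename(d) for d in after[0]], after[1]
```

Running `demo()` yields `(['live'], True, [], True)`: the file itself was readable all along, only the directory lookup was denied.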