Author: Patrick Pfeifer Date: To: exim-users CC: exim-dev Subject: [exim] tls_privatekey mode 644 / root owned -- why is it read only
after privileges have been droppped ?
Hello all
I have configured exim4 on Ubuntu to use a Letsencrypt certificate /
key, which is retrieved via Certbot and stored in
/etc/letsencrypt/archive, which is root-owned and has mode 700 by default.
Thus, in order to do get Exim to function, I was forced to hard-link the
private key in the exim4 config directory and make it owned by Exim.
It could be made group readable or whatever else, but in the end the
solution of changing file permissions is not really satisfying at all.
It would be cool if Exim could just read the file contents first and
then drop root privileges later, as e.g. Apache does.
Is that some political decision that it is not doing this or is it a
purely technical problem? I haven't spotted a feature request (i.e. bug)
for it. Should I file one? What are the odds of it getting implemented?
What are the technical hurdles?