Re: [exim] tls_privatekey mode 644 / root owned -- why is it…

Author: Chris Siebenmann
Date:  
To: Patrick Pfeifer
CC: exim-users, cks
Subject: Re: [exim] tls_privatekey mode 644 / root owned -- why is it read only after privileges have been dropped ?
> I have configured exim4 on Ubuntu to use a Letsencrypt
> certificate / key, which is retrieved via Certbot and stored in
> /etc/letsencrypt/archive, which is root-owned and has mode 700 by
> default.
>
> Thus, in order to get Exim to function, I was forced to hard-link
> the private key in the exim4 config directory and make it owned by
> Exim.
>
> It could be made group readable or whatever else, but in the end the
> solution of changing file permissions is not really satisfying at all.
Beyond other practical issues (as already discussed), I think it's
worth mentioning that making the file accessible to the Exim UID is
being clearly honest about your security exposure for the private
key. Regardless of how it gets loaded into the process, Exim requires
access to the private key during the SMTP conversation in order to
establish the TLS session. It follows that if someone compromises Exim
at that point, they can extract the private key, and if they can run
things as the Exim UID they can probably do that.

Given this, having the private key file clearly accessible to the
Exim UID is a big sign of what the actual exposure is. If having the
key accessible this way is alarming, you need to segregate the key so
that it's only useful for SMTP (for example by using a different host
name for inbound email than for, eg, a website, and thus different keys
and certificates for each). Let's Encrypt generally makes this both free
and easy.

    - cks
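As an added example (not code from this thread or from Exim), a small Python audit helper that answers the question underlying the discussion: can the Exim UID actually open the key file? It walks every directory component the way the kernel does, so a 0644 key under a 0700 /etc/letsencrypt/archive is reported as unreachable while the hard-linked, Exim-owned copy is reported as readable; the file tree, uid 104 and gid 110 are constructed stand-ins, and disk_lookup is the hook for running the same check on a real host.

```python
"""Added audit helper (constructed, not Exim's code): can a given unprivileged
uid open a TLS private key? It walks the path like the kernel does: search
(x) permission on every directory, then read (r) permission on the file."""
import os
import stat
from collections import namedtuple

FileInfo = namedtuple("FileInfo", "mode uid gid")  # mode = permission bits only

def _allowed(info, uid, gids, usr, grp, oth):
    """Owner bits if uid owns the entry, else group bits if one of the
    uid's groups matches, else 'other' bits. Root bypasses mode bits."""
    if uid == 0:
        return True
    if info.uid == uid:
        return bool(info.mode & usr)
    if info.gid in gids:
        return bool(info.mode & grp)
    return bool(info.mode & oth)

def uid_can_read(path, uid, gids, lookup):
    """True if `uid` (member of `gids`) can read absolute `path`;
    `lookup(p)` returns the FileInfo of p (see disk_lookup / TREE)."""
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts)):
        d = "/" + "/".join(parts[:i])  # "/" first, then each parent directory
        if not _allowed(lookup(d), uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
    return _allowed(lookup(path), uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)

def disk_lookup(path):
    """Lookup backed by the live filesystem, for auditing a real host."""
    st = os.stat(path)
    return FileInfo(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

# Constructed tree mirroring the thread; uid 104 / gid 110 stand in for Debian-exim.
EXIM_UID, EXIM_GID = 104, 110
TREE = {
    "/": FileInfo(0o755, 0, 0), "/etc": FileInfo(0o755, 0, 0),
    "/etc/letsencrypt": FileInfo(0o755, 0, 0),
    "/etc/letsencrypt/archive": FileInfo(0o700, 0, 0),  # certbot default
    "/etc/letsencrypt/archive/mail.example.org": FileInfo(0o755, 0, 0),
    "/etc/letsencrypt/archive/mail.example.org/privkey1.pem": FileInfo(0o644, 0, 0),
    "/etc/exim4": FileInfo(0o755, 0, 0),
    "/etc/exim4/privkey.pem": FileInfo(0o640, EXIM_UID, EXIM_GID),  # hard-linked copy
}

def audit(path, uid=EXIM_UID, gids=(EXIM_GID,), lookup=TREE.__getitem__):
    return uid_can_read(path, uid, set(gids), lookup)
```

Pass `lookup=disk_lookup` together with the real Exim uid and its group list to run the same verdict against a live filesystem.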