Author: Mark Hills
Date:
To: exim-users
Subject: [exim] dkim_private_key and file permissions

I use Exim on FreeBSD which runs as (mailnull, mail).

I have a private SSL key for this host, protected by a group.

# ls -l /etc/ssl/local.key
-rw-r----- 1 root ssl 1679 Oct 14 2018 /etc/ssl/local.key

Applications can use the private key either because they:

a) start as root, and drop privileges
b) are in the 'ssl' unix group

For Exim, (a) is fine and works for tls_privatekey.

But now I am enabling DKIM, I find the file cannot be read:

unable to open file for reading: /etc/ssl/local.key

Presumably this is after switching root->mailnull.

Adding 'mailnull' to the 'ssl' group doesn't work; seemingly because exim
doesn't call initgroups(). Should it?

What's the best practice here? I don't want to make the private key
'world' readable to all users on the host.

Thanks

--
Mark
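
Added example, not part of the original message and not Exim's code: a small C model of the Unix read-permission check for the situation described above. It shows why a process that switches to mailnull without loading supplementary groups (the initgroups() step) cannot read a root:ssl mode 0640 key even when mailnull is listed in the ssl group. The numeric ids and the helper names (`may_read`, `drop_to`) are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

struct cred {
    uid_t euid;
    gid_t egid;
    gid_t groups[8];    /* supplementary groups held by the process */
    size_t ngroups;
};

/* Exactly one permission class applies: owner, else group, else other. */
bool may_read(const struct cred *c, uid_t fuid, gid_t fgid, mode_t mode)
{
    if (c->euid == 0)
        return true;                    /* superuser bypasses the check */
    if (c->euid == fuid)
        return (mode & S_IRUSR) != 0;
    bool member = (c->egid == fgid);
    for (size_t i = 0; i < c->ngroups && !member; i++)
        member = (c->groups[i] == fgid);
    return member ? (mode & S_IRGRP) != 0 : (mode & S_IROTH) != 0;
}

/* Models a drop from root. db_groups are the user's group-database
 * memberships; they reach the process only via the initgroups() step. */
struct cred drop_to(uid_t uid, gid_t gid, const gid_t *db_groups,
                    size_t n, bool call_initgroups)
{
    struct cred c = { .euid = uid, .egid = gid, .ngroups = 0 };
    for (size_t i = 0; call_initgroups && i < n && i < 8; i++)
        c.groups[c.ngroups++] = db_groups[i];
    return c;
}

/* Constructed ids standing in for mailnull, mail and ssl. */
enum { UID_MAILNULL = 26, GID_MAIL = 6, GID_SSL = 900 };
static const gid_t MAILNULL_DB_GROUPS[] = { GID_SSL };

int main(void)
{
    struct cred a = drop_to(UID_MAILNULL, GID_MAIL, MAILNULL_DB_GROUPS, 1, false);
    struct cred b = drop_to(UID_MAILNULL, GID_MAIL, MAILNULL_DB_GROUPS, 1, true);
    printf("without initgroups: %d\n", may_read(&a, 0, GID_SSL, 0640));
    printf("with initgroups:    %d\n", may_read(&b, 0, GID_SSL, 0640));
    return 0;
}
```

In the model, the key stays at mode 0640 in both cases; only the process's supplementary group list changes the outcome.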