Re: [exim] dkim_private_key and file permissions

Author: Andreas Metzler
Date:  
To: exim-users
Subject: Re: [exim] dkim_private_key and file permissions
On 2019-11-02 Mark Hills via Exim-users <exim-users@???> wrote:
> I use Exim on FreeBSD which runs as (mailnull, mail)
>
> I have a private SSL key for this host, protected by a group.
>
> # ls -l /etc/ssl/local.key
> -rw-r----- 1 root ssl 1679 Oct 14 2018 /etc/ssl/local.key
[...]
> But now I am enabling DKIM, I find the file cannot be read:
>
> unable to open file for reading: /etc/ssl/local.key
>
> Presumably this is after switching root->mailnull.
>
> Adding 'mailnull' to the 'ssl' group doesn't work; seemingly because exim
> doesn't call initgroups(). Should it?
>
> What's the best practice here? I don't want to make the private key
> 'world' readable to all users on the host.
[...]

Hello,

You might get away with setting initgroups on router and/or transport
for the moment. However this might stop working anytime for *incoming*
TLS since it is not documented to work ("These files need to be [...]
readable by the Exim user.")

How about making a copy of the cert for exim with proper restricted
permissions? - You'll probably have some kind of script for cert
updates, HUP-ing the daemons that need it, anyway.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
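Added example (not from the thread above, and not Exim project code): one way to do what the reply suggests, keeping the CA-managed key where it is and staging a private copy for Exim's run-time user with mode 0400, refreshed from a renewal hook and followed by a HUP of the daemon. Paths, the Exim user/group and the pidfile location are assumptions; substitute your host's values (e.g. mailnull:mail on FreeBSD, Debian-exim on Debian).

```shell
#!/bin/sh
# Added example, not from the original thread: stage a private copy of a
# TLS/DKIM private key for Exim's unprivileged user instead of adding that
# user to the 'ssl' group or making the key world-readable.
#
# Assumed (hypothetical) names, adjust for your host:
#   SRC   - the CA/ACME-managed key, e.g. /etc/ssl/local.key (root:ssl 0640)
#   DST   - the copy Exim reads, e.g. /etc/exim/dkim/local.key
#   OWNER - Exim's run-time user, e.g. mailnull on FreeBSD
#   GROUP - Exim's run-time group, e.g. mail

set -eu

# stage_exim_key SRC DST OWNER GROUP
# Copies SRC to DST with mode 0400 owned by OWNER:GROUP, via a temp file and
# rename so a reader never sees a half-written or briefly over-permissive key.
stage_exim_key() {
    src=$1; dst=$2; owner=$3; group=$4
    dir=$(dirname "$dst")
    mkdir -p "$dir"
    tmp=$(mktemp "$dir/.key.XXXXXX")
    # install(1) sets owner, group and mode in one step, independent of umask.
    install -m 0400 -o "$owner" -g "$group" "$src" "$tmp"
    mv -f "$tmp" "$dst"
}

# key_mode FILE -> prints the octal permission bits (GNU and BSD stat differ).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_changed SRC DST -> succeeds when DST is missing or differs from SRC.
key_changed() {
    ! cmp -s "$1" "$2"
}

# refresh_exim_key SRC DST OWNER GROUP [PIDFILE]
# Typical renewal-hook use: re-stage the copy only when the upstream key
# changed, then HUP the listening daemon so it re-execs with the new key.
# Returns 0 if a refresh happened, 1 if the copy was already current.
refresh_exim_key() {
    src=$1; dst=$2; owner=$3; group=$4
    pidfile=${5:-/var/run/exim.pid}   # assumed location; varies per OS
    if key_changed "$src" "$dst"; then
        stage_exim_key "$src" "$dst" "$owner" "$group"
        [ -r "$pidfile" ] && kill -HUP "$(cat "$pidfile")"
        return 0
    fi
    return 1
}
```

The copy is deliberately owned by Exim's user rather than root, so it is readable both when the daemon is still running as root (incoming TLS) and after it has dropped privileges for DKIM signing in a transport; the 0400 mode means no group widening is needed at all.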