著者: Andreas Metzler 日付: To: exim-users 題目: Re: [exim] dkim_private_key and file permissions
On 2019-11-02 Mark Hills via Exim-users <exim-users@???> wrote: > I use Exim on FreeBSD which runs as (mailnull, mail) > I have a private SSL key for this host, protected by a group. > # ls -l /etc/ssl/local.key
> -rw-r----- 1 root ssl 1679 Oct 14 2018 /etc/ssl/local.key [...] > But now I am enabling DKIM, I find the file cannot be read: > unable to open file for reading: /etc/ssl/local.key > Presumably this is after switching root->mailnull. > Adding 'mailnull' to the 'ssl' group dooesn't work; seemingly because exim
> doesn't call initgroups(). Should it? > What's the best practice here? I don't want to make the private key
> 'world' readable to all users on the host. [...]
Hello,
You might get away with setting initgroups on router and/or transport
for the moment. However this might stop working anytime for *incoming*
TLS since it is not documented to work ("These files need to be [...]
readable by the Exim user.")
How about making a copy of the cert for exim with proper restricted
permissions? - You'll probably have some kind of script for cert
updates, HUP-ing the daemons that need it, anyway.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'