Re: [exim] dkim_private_key and file permissions

Góra strony
Delete this message
Reply to this message
Autor: Andreas Metzler
Data:  
Dla: exim-users
Temat: Re: [exim] dkim_private_key and file permissions
On 2019-11-02 Mark Hills via Exim-users <exim-users@???> wrote:
> I use Exim on FreeBSD which runs as (mailnull, mail)


> I have a private SSL key for this host, protected by a group.


> # ls -l /etc/ssl/local.key
> -rw-r----- 1 root ssl 1679 Oct 14 2018 /etc/ssl/local.key

[...]
> But now I am enabling DKIM, I find the file cannot be read:


> unable to open file for reading: /etc/ssl/local.key


> Presumably this is after switching root->mailnull.


> Adding 'mailnull' to the 'ssl' group dooesn't work; seemingly because exim
> doesn't call initgroups(). Should it?


> What's the best practice here? I don't want to make the private key
> 'world' readable to all users on the host.

[...]

Hello,

You might get away with setting initgroups on router and/or transport
for the moment. However this might stop working anytime for *incoming*
TLS since it is not documented to work ("These files need to be [...]
readable by the Exim user.")

How about making a copy of the cert for exim with proper restricted
permissions? - You'll probably have some kind of script for cert
updates, HUP-ing the daemons that need it, anyway.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'