Re: [exim] dkim_private_key and file permissions

Góra strony
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
Dla: exim-users
Temat: Re: [exim] dkim_private_key and file permissions
Mark Hills via Exim-users <exim-users@???> (Sa 02 Nov 2019 01:35:20 CET):
> I use Exim on FreeBSD which runs as (mailnull, mail)
>
> I have a private SSL key for this host, protected by a group.
>
> # ls -l /etc/ssl/local.key
> -rw-r----- 1 root ssl 1679 Oct 14 2018 /etc/ssl/local.key
>
> Applications can use the private key either because they:
>
> a) start as root, and drop priviledges
> b) are in the 'ssl' unix group
>
> For Exim, (a) is fine and works for tls_privatekey.


… on the receiving side, because the listener already set up the the
supplementary groups. With tls_* transport options you'd have the same
issue as with the dkim private key.

> But now I am enabling DKIM, I find the file cannot be read:
> unable to open file for reading: /etc/ssl/local.key
> Presumably this is after switching root->mailnull.
>
> Adding 'mailnull' to the 'ssl' group dooesn't work; seemingly because exim
> doesn't call initgroups(). Should it?


Yes, there is an initgroup generic routers and transport option,
defaulting to false. In your case, as signing happens at transport time,
using the initgroups transport option should do the trick.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -