Adrian via Exim-users <exim-users@???> wrote:
> I'm setting up exim4 on a new server, to be as similar as possible to
> an existing server where exim4 works well. Both are running Debian
> buster with split config files.
>
> I'm getting the following error in the mainlog
> TLS error on connection from email-test.had.dnsops.gov [129.6.100.206]
> (cert/key setup:
> cert=/etc/letsencrypt/live/example.com/fullchain.pem
> key=/etc/exim4/privkey.pem): Error while reading file.
>
> The cert file path is a symlink to the actual file
> in /etc/letsencrypt which is world-readable.
>
> The key file is /etc/exim4/privkey.pem which is a COPY of the live
> one in /etc/letsencrypt. When the key is renewed by certbot a script
> recreates the copy in /etc/exim4 and runs the following script
>
> chgrp Debian-exim /etc/exim4/privkey.pem
> setfacl -m g:Debian-exim:r /etc/exim4/privkey.pem
> # setfacl -m g:Debian-exim:x /etc/exim4 seems not needed for this dir
> systemctl restart dovecot
>
> This is the output of getfacl and ls -l and is the same for the existing
> and the new server.
>
> getfacl privkey.pem
> # file: privkey.pem
> # owner: root
> # group: Debian-exim
> user::rw-
> group::r--
> group:Debian-exim:r--
> mask::r--
> other::---
>
> ls -l privkey.pem
> -rw-r-----+ 1 root Debian-exim 1704 Jun 26 12:42 privkey.pem
>
> The existing server works, the new server can't do TLS and reports
> 'Error while reading file'.
>
> Exim4 is running as user Debian-Exim. I've tried setting initgroups =
> true.
>
> Is there a way to increase debug verbosity? E.g. so that exim4
> confirms which file it can't read, the cert or the key file.
>
> ..or anything else, even brief relaxation of permissions, that might
> help identify where the problem lies.
>
> I have to confess now that I don't generally understand the answers
> here. Please would you explain in terms that tell me the commands
> to issue, and what to add or change in which files. Thanks!
>
lsattr - list file attributes on a Linux second extended file system
I doubt this is the problem, but I have nothing better to offer.
--
u34
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
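An added example for the original question, not code from either poster: the "cert/key setup" error does not say which path is unreadable, and a symlinked cert is only readable if every directory in the resolved path is traversable, so this script follows the symlink and reports the first blocking component. The function names are my own; run it as the daemon user (Debian-exim in the thread), because root bypasses mode bits and proves nothing.

```shell
#!/bin/sh
# Usage (as the account Exim runs under, not as root):
#   sudo -u Debian-exim sh check_path.sh /etc/exim4/privkey.pem
#   sudo -u Debian-exim sh check_path.sh /etc/letsencrypt/live/example.com/fullchain.pem

# resolve_target PATH -> prints PATH with every symlink resolved
resolve_target() {
    readlink -f -- "$1"
}

# check_path PATH -> returns 0 when the calling user can traverse every
# parent directory of the resolved path and read the file itself;
# otherwise prints the first blocking component (mode owner:group)
# and returns 1. Paths containing spaces are not handled.
check_path() {
    target=$(resolve_target "$1") || return 1
    # Collect parent directories, nearest to the root first.
    parents=""
    dir=$target
    while [ -n "$dir" ] && [ "$dir" != "/" ]; do
        dir=$(dirname -- "$dir")
        parents="$dir $parents"
    done
    # A directory needs the execute bit (for us) to be passed through.
    for d in $parents; do
        if [ ! -x "$d" ]; then
            printf 'cannot traverse %s (%s)\n' "$d" "$(stat -c '%A %U:%G' -- "$d")"
            return 1
        fi
    done
    if [ ! -r "$target" ]; then
        printf 'cannot read %s (%s)\n' "$target" "$(stat -c '%A %U:%G' -- "$target")"
        return 1
    fi
    printf 'ok: %s -> %s is readable\n' "$1" "$target"
    return 0
}

# Check each argument given on the command line.
rc=0
for p in "$@"; do
    check_path "$p" || rc=1
done
```

`namei -l /etc/exim4/privkey.pem` (util-linux) prints the same chain of modes and owners in one go, but it does not evaluate them for a particular user the way running this check as that user does.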