On 2019-11-02 Mark Hills via Exim-users <[email protected]> wrote:
> I use Exim on FreeBSD which runs as (mailnull, mail)
> I have a private SSL key for this host, protected by a group.
> # ls -l /etc/ssl/local.key
> -rw-r----- 1 root ssl 1679 Oct 14 2018 /etc/ssl/local.key
[...]
> But now I am enabling DKIM, I find the file cannot be read:
> unable to open file for reading: /etc/ssl/local.key
> Presumably this is after switching root->mailnull.
> Adding 'mailnull' to the 'ssl' group doesn't work; seemingly because exim
> doesn't call initgroups(). Should it?
> What's the best practice here? I don't want to make the private key
> 'world' readable to all users on the host.
[...]
Hello,
You might get away with setting initgroups on router and/or transport
for the moment. However this might stop working anytime for *incoming*
TLS since it is not documented to work ("These files need to be [...]
readable by the Exim user.")
How about making a copy of the cert for exim with proper restricted
permissions? - You'll probably have some kind of script for cert
updates, HUP-ing the daemons that need it, anyway.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
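The "keep a private copy of the key for the Exim user" approach from the reply above, written out as an added example (this is not code from the thread or from the Exim project). It assumes a source key such as /etc/ssl/local.key, a destination path for Exim's copy, the Exim run-as user and group (mailnull on the poster's FreeBSD host), and a daemon pid file whose default path /var/run/exim.pid is a guess you should check against your build.

```sh
#!/bin/sh
# Added example: install a 0400 copy of the TLS/DKIM private key owned by
# the Exim user, check its mode, and HUP the daemon so it re-reads the key.
set -eu

# install_exim_key SRC DST OWNER GROUP
# Copies SRC to DST with mode 0400 owned by OWNER:GROUP. The copy is made
# under umask 077 into a temp file so the key is never briefly readable by
# group or world, then renamed into place (atomic on the same filesystem).
install_exim_key() {
    src=$1; dst=$2; owner=$3; group=$4
    [ -f "$src" ] || { echo "source key $src missing" >&2; return 1; }
    tmp="$dst.tmp.$$"
    (umask 077; cp "$src" "$tmp")
    chown "$owner:$group" "$tmp"
    chmod 0400 "$tmp"
    mv -f "$tmp" "$dst"
}

# key_mode_ok FILE
# Returns 0 only if FILE is a regular file with mode exactly -r-------- (0400),
# i.e. readable by its owner alone. Uses ls(1) so it works on both BSD and
# GNU userlands (stat(1) flags differ between them).
key_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-r--------" ]
}

# reload_exim [PIDFILE]
# Sends SIGHUP to the running daemon so it picks up the new key. The default
# pid file path is an assumption; adjust for your installation.
reload_exim() {
    pidfile=${1:-/var/run/exim.pid}
    if [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")"
    else
        echo "pid file $pidfile not readable; daemon not reloaded" >&2
        return 1
    fi
}

# Example invocation for the poster's setup (paths assumed):
#   install_exim_key /etc/ssl/local.key /etc/exim/local.key mailnull mail
#   key_mode_ok /etc/exim/local.key
#   reload_exim
```

Point Exim's tls_privatekey (main section) and the transport's dkim_private_key at the copy rather than at /etc/ssl/local.key, and call the install function from whatever script already renews the certificate, so the copy is refreshed at the same time as the other daemons are HUP-ed. The copy is readable only by the Exim user, so the original can stay group-restricted and nothing has to become world-readable.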
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/