On Debian, the exim4 key file is supposed to be /etc/exim4/exim.key with permissions:

chmod 640 exim.key
chown root:Debian-exim exim.key

If I already have a key file in /etc/ssl/private, owned by group ssl-cert, how can I recycle it for exim?

If I change the group of /etc/ssl/private dir to Debian-exim it works, but then for instance I would need to add openldap to the Debian-exim group, in order to use the key for slapd. Pretty unobvious, isn't it?

Adding Debian-exim to the ssl-cert group doesn't work: it is the exim software itself that flags the configuration as unsafe.

Which is the best-practice solution?

1 Answer

If you use ACLs to make the key file readable by the Debian-exim group, does exim accept that?

setfacl -m g:Debian-exim:x /etc/ssl/private
setfacl -m g:Debian-exim:r /etc/ssl/private/key.pem
Andrew Schulman
    Thank you so much. But why doesn't being in the group ssl-certs grant access? – user56452 Feb 09 '20 at 21:55
  • Erf. Good question. Is /etc/ssl/private executable by the ssl-cert group? – Andrew Schulman Feb 10 '20 at 17:43
  • I think it has to do with exim explicitly checking for gid ownership. Merely having DAC access to it is not enough. I checked via "sudo -u Debian-Exim" whether I could read the file, and that worked because I added the user to the ssl-certs group in /etc/group. But exim would not read it without your acl magic. – user56452 Feb 12 '20 at 16:17
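To make the access question in the comments concrete, here is an added example (not from the answer or the exim project) that models how the kernel evaluates a read of /etc/ssl/private/key.pem: owner entry, then the group class (owning group plus any named ACL groups, capped by the ACL mask), then "other", with search (x) required on every directory along the way. The layout, modes and the two ACL entries are constructed from the stock Debian ssl-cert setup and the answer's setfacl commands; it says nothing about exim's own additional checks.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

R, W, X = 4, 2, 1  # permission bits as in one octet of a mode

@dataclass
class Obj:
    """A file or directory: classic bits plus named-group ACL entries.
    Constructed sample data, not read from a real filesystem."""
    mode: int                                   # e.g. 0o640
    owner: str
    group: str
    named_groups: Dict[str, int] = field(default_factory=dict)  # setfacl -m g:NAME:...
    mask: int = 7                               # ACL mask; caps every group-class entry

def permits(o: Obj, user: str, groups: Set[str], want: int) -> bool:
    """POSIX.1e access check on one object. A matching group-class entry that
    lacks the wanted bit denies access; it does not fall through to 'other'."""
    if user == o.owner:
        return (o.mode >> 6) & want == want
    candidates = []
    if o.group in groups:
        candidates.append((o.mode >> 3) & 7)
    candidates += [bits for g, bits in o.named_groups.items() if g in groups]
    if candidates:
        return any(bits & o.mask & want == want for bits in candidates)
    return o.mode & want == want

def can_read(fs: Dict[str, Obj], path: str, user: str, groups: Set[str]) -> bool:
    """Reading needs x (search) on each directory in the chain, then r on the file."""
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts)):
        if not permits(fs["/" + "/".join(parts[:depth])], user, groups, X):
            return False
    return permits(fs[path], user, groups, R)

KEY = "/etc/ssl/private/key.pem"

def debian_layout(with_acl: bool) -> Dict[str, Obj]:
    """Stock Debian modes for the ssl-cert key location; with_acl adds the answer's
    two entries (x on the directory, r on the key) for the Debian-exim group."""
    d_acl = {"Debian-exim": X} if with_acl else {}
    f_acl = {"Debian-exim": R} if with_acl else {}
    return {
        "/etc": Obj(0o755, "root", "root"),
        "/etc/ssl": Obj(0o755, "root", "root"),
        "/etc/ssl/private": Obj(0o710, "root", "ssl-cert", d_acl),
        KEY: Obj(0o640, "root", "ssl-cert", f_acl),
    }

if __name__ == "__main__":
    for acl in (False, True):
        fs = debian_layout(acl)
        print(f"acl={acl}: exim alone={can_read(fs, KEY, 'Debian-exim', {'Debian-exim'})}"
              f" exim+ssl-cert={can_read(fs, KEY, 'Debian-exim', {'Debian-exim', 'ssl-cert'})}")
```

Without the ACL, the Debian-exim user is stopped at the 0710 directory unless it is in ssl-cert (which matches the commenter's sudo test); with the two ACL entries it gets through on its own group, and an unrelated user such as openldap still does not.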