On Debian, the exim4 key file is supposed to be /etc/exim4/exim.key with permissions:
chmod 640 exim.key
chown root:Debian-exim exim.key
If I already have a key file in /etc/ssl/private, owned by group ssl-cert, how can I recycle it for exim?
If I change the group of /etc/ssl/private dir to Debian-exim it works, but then for instance I would need to add openldap to the Debian-exim group, in order to use the key for slapd. Pretty unobvious, isn't it?
Adding Debian-exim to the ssl-cert group doesn't work: it is the exim software itself that flags the configuration as unsafe.
What is the best-practice solution?