exim4 shared key permission on Debian
On Debian, the exim4 key file is supposed to be /etc/exim4/exim.key with permissions:
chmod 640 exim.key
chown root:Debian-exim exim.key
If I already have a key file in /etc/ssl/private, owned by group ssl-cert, how can I recycle it for exim?
If I change the group of the /etc/ssl/private dir to Debian-exim it works, but then for instance I would need to add openldap to the Debian-exim group, in order to use the key for slapd. Pretty unobvious, isn't it?
Adding Debian-exim to the ssl-cert group doesn't work: it is the exim software itself that blames the configuration as unsafe.
Which is the best-practice solution?
Solution 1:
If you use ACLs to make the key file readable by the Debian-exim group, does exim accept that?
setfacl -m g:Debian-exim:x /etc/ssl/private
setfacl -m g:Debian-exim:r /etc/ssl/private/key.pem
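
A check to run after the ACL approach above (an added example, not part of the original answer): it parses `getfacl` output and lists which entries end up with effective read on the key, because a later chmod on the file rewrites the ACL mask and can silently revoke the named-group entry. The function names are hypothetical and the sample ACL text is constructed, assuming the key is owned by root:ssl-cert with mode 640.

```shell
#!/bin/sh
# acl_readers: read `getfacl` output on stdin, print each entry with effective
# read permission as "tag:name". The mask caps the owning group and all named
# users/groups; only the file owner (user::) and other:: bypass it.
acl_readers() {
    awk -F: '
        /^#/ || NF < 3 || $1 == "default" { next }  # comments, blanks, default ACLs
        { perms = $3; sub(/[ \t].*$/, "", perms) }   # strip "#effective:" notes
        $1 == "mask" { mask = perms; next }
        { tag[++n] = $1; name[n] = $2; perm[n] = perms }
        END {
            for (i = 1; i <= n; i++) {
                r = (substr(perm[i], 1, 1) == "r")
                capped = !((tag[i] == "user" && name[i] == "") || tag[i] == "other")
                if (capped && mask != "" && substr(mask, 1, 1) != "r") r = 0
                if (r) print tag[i] ":" name[i]
            }
        }'
}

# check_key_acl ALLOWED...: fail if stdin grants effective read to any entry
# that is not named in the arguments.
check_key_acl() {
    rc=0
    for entry in $(acl_readers); do
        case " $* " in
            *" $entry "*) ;;
            *) echo "unexpected reader: $entry" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: ACL on key.pem after the two setfacl commands.
SAMPLE_OK='# file: etc/ssl/private/key.pem
user::rw-
group::r--
group:Debian-exim:r--
mask::r--
other::---'
# Constructed sample: same file after a later "chmod 600" reset the mask.
SAMPLE_MASKED='user::rw-
group::r--  #effective:---
group:Debian-exim:r--  #effective:---
mask::---
other::---'

printf '%s\n' "$SAMPLE_OK" | check_key_acl user: group: group:Debian-exim
printf '%s\n' "$SAMPLE_MASKED" | acl_readers
```

On a live system, feed it `getfacl /etc/ssl/private/key.pem` instead of the samples.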