exim4 shared key permission on Debian

On Debian, the exim4 key file is supposed to be /etc/exim4/exim.key with permissions:

chmod 640 exim.key
chown root:Debian-exim exim.key

If I already have a key file in /etc/ssl/private, owned by group ssl-cert, how can I recycle it for exim?

If I change the group of /etc/ssl/private dir to Debian-exim it works, but then for instance I would need to add openldap to the Debian-exim group, in order to use the key for slapd. Pretty unobvious, isn't it?

Adding Debian-exim to the ssl-cert group doesn't work: it is the exim software itself that complains the configuration is unsafe.

Which is the best-practice solution?


Solution 1:

If you use ACLs to make the key file readable by the Debian-exim group, does exim accept that?

setfacl -m g:Debian-exim:x /etc/ssl/private
setfacl -m g:Debian-exim:r /etc/ssl/private/key.pem
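
Added example (not part of the original answer): a way to confirm what the two setfacl commands actually grant, by reading getfacl output and applying the ACL mask to the Debian-exim entry. The function names are hypothetical and the getfacl text embedded in the script is constructed sample data.

```shell
# Added example; function names are hypothetical, ACL text below is constructed.

# effective_group_perms GROUP: reads `getfacl` output on stdin and prints the
# rights GROUP really gets (its named entry ANDed with the mask), or "none".
effective_group_perms() {
    awk -F: -v grp="$1" '
        /^#/ || NF < 3 { next }                 # skip header and blank lines
        { perms = substr($3, 1, 3) }            # ignore any "#effective:" note
        $1 == "group" && $2 == grp { entry = perms }
        $1 == "mask"               { mask = perms }
        END {
            if (entry == "") { print "none"; exit }
            if (mask == "") mask = "rwx"        # no mask line: entry applies as is
            for (i = 1; i <= 3; i++) {
                e = substr(entry, i, 1); m = substr(mask, i, 1)
                out = out ((e != "-" && m != "-") ? e : "-")
            }
            print out
        }'
}

# key_acl_ok GROUP: succeeds only if GROUP can effectively read the key and
# "other" has no rights at all.
key_acl_ok() {
    acl=$(cat)
    case "$(printf '%s\n' "$acl" | effective_group_perms "$1")" in
        r*) ;;
        *)  return 1 ;;
    esac
    printf '%s\n' "$acl" | grep -q '^other::---'
}

# Constructed: key.pem right after the two setfacl commands.
ACL_OK='# file: etc/ssl/private/key.pem
user::rw-
group::r--
group:Debian-exim:r--
mask::r--
other::---'

# Constructed: the same file after a later "chmod 600", which clears the mask.
ACL_MASKED='# file: etc/ssl/private/key.pem
user::rw-
group::r--      #effective:---
group:Debian-exim:r--   #effective:---
mask::---
other::---'
printf '%s\n' "$ACL_OK"     | key_acl_ok Debian-exim && echo "ok: readable"
printf '%s\n' "$ACL_MASKED" | key_acl_ok Debian-exim || echo "masked: not readable"
```

On a live system the same check is `getfacl /etc/ssl/private/key.pem | key_acl_ok Debian-exim`; rerun it after any chmod on the key, since chmod rewrites the ACL mask.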