On 2017-05-26 at 23:53 +0200, basti wrote:
> as I can see Exim won't use certificates when the path is a link.

Yes it will. I use symlinks. That's not what's happening here.

> /etc/letsencrypt/live/mail.example.com# ls -la
> insgesamt 12
> drwxr-xr-x 2 root root 4096 Mai 26 17:24 .
> drwx------ 4 root root 4096 Mai 26 17:17 ..
> lrwxrwxrwx 1 root root 42 Mai 26 17:24 cert.pem ->
> ../../archive/mail.example.com/cert2.pem

Exim is not running as root when the connection is received. It's running as the Exim Runtime User, which might be `exim`, `exim4`, `_exim`, `mailnull` or something else, depending upon your system. Because the values of the paths are subject to string expansion, they can't be pre-loaded while root. The key and cert need to be readable by the Exim runtime user, using the path as given.

So you have `/etc/letsencrypt/live` permission 0700 (according to the `..` line above) and a cert in `/etc/letsencrypt/archive/mail.example.com/cert2.pem` which is readable to the runtime user, but the runtime user can't figure out where `../../` is because the OS, when given that path, is returning errors.

Run:

    chmod 0711 /etc/letsencrypt/live

That will give "lookup" permission on the directory, to resolve a fixed name, without needing to be able to enumerate the directory contents, to every user.

-Phil
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
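An added diagnostic, not from this thread or from Exim, that walks a path the way the kernel does for a given uid (search bit on every directory, symlinks resolved relative to their own directory, read bit on the final file) and names the first component that blocks it. The directory tree, the uid standing in for the Exim runtime user and the placeholder certificate file are constructed for the demo.

```python
import os, stat, tempfile

def _bits(st, uid, gids):
    # rwx bits (0-7) that apply to uid/gids for this inode; root bypasses them
    cls = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return 7 if uid == 0 else (st.st_mode >> cls) & 7

def check_open_as(path, uid, gids=frozenset()):
    """Emulate the kernel path walk for uid: every directory walked through needs 'x',
    symlinks resolve relative to their own directory, the final file needs 'r'."""
    parts = [p for p in path.split("/") if p]   # '..' stays lexical until walked
    cur = "/"
    while parts:
        name = parts.pop(0)
        if not _bits(os.lstat(cur), uid, gids) & 1:
            return False, f"no search (x) permission on directory {cur}"
        if name == "..":
            cur = os.path.dirname(cur)          # dirname("/") is "/"
            continue
        nxt = os.path.join(cur, name)
        st = os.lstat(nxt)                      # raises if the component is missing
        if stat.S_ISLNK(st.st_mode):            # no loop guard: constructed tree only
            target = os.readlink(nxt)
            cur = "/" if target.startswith("/") else cur
            parts = [p for p in target.split("/") if p] + parts
        elif stat.S_ISDIR(st.st_mode):
            cur = nxt
        elif not _bits(st, uid, gids) & 4:
            return False, f"no read (r) permission on {nxt}"
        else:
            return True, f"readable: {nxt}"
    return False, f"{cur} is a directory, not a file"

def demo():
    # Constructed copy of basti's layout, checked as a hypothetical non-owner uid
    os.umask(0o022)
    with tempfile.TemporaryDirectory(dir="/tmp") as base:
        os.chmod(base, 0o711)                   # the temp dir is created 0700
        live = os.path.join(base, "etc/letsencrypt/live/mail.example.com")
        arch = os.path.join(base, "etc/letsencrypt/archive/mail.example.com")
        os.makedirs(live); os.makedirs(arch)
        open(os.path.join(arch, "cert2.pem"), "w").close()   # empty placeholder, no real cert
        os.symlink("../../archive/mail.example.com/cert2.pem", os.path.join(live, "cert.pem"))
        uid = os.getuid() + 10000               # stands in for the Exim runtime user
        os.chmod(os.path.dirname(live), 0o700)  # 'live' as shown in the ls listing
        before = check_open_as(os.path.join(live, "cert.pem"), uid)
        os.chmod(os.path.dirname(live), 0o711)  # Phil's fix: search-only for everyone else
        after = check_open_as(os.path.join(live, "cert.pem"), uid)
        return before, after
```

Calling demo() returns two (ok, reason) tuples: the first names the `live` directory as the component that blocks the walk, the second reports `cert2.pem` readable once `live` is 0711.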
