On 2019-05-19 16:05, Arno Thuber wrote:
> Exim uses my certificate and its private key. Those data (at least
> the private key) are precious and therefore not world readable on my
> host. The file access rights are 640 with u=root and
> g=privkey_users. The group privkey_users is an additional group with
> members Debian-exim, dovecot and nginx because they all need access to
> those files. That has worked for a year now for Exim as a server.
>
> So now I want Exim as a client to present the certificates also but
> Exim fails to load the files when trying to connect to a TLS-enabled host
> (mainlog says "Error while reading file."). Changing the file access
> rights to 644 *or* chown :Debian-exim makes it work again. But neither
> is ok because it either exposes the files too much or makes them
> inaccessible for the other applications.
>
> From chapter 55 of the Exim documentation I see that Exim delivery
> drops rights which it has as a server but I don't fully understand it
> - or I don't understand Unix access rights. With user Debian-exim
> member of privkey_users why can't it read files with access rights for
> the group privkey_users?

What is the primary group of the user ID Debian-exim? I think what you
report would happen if that group was something other than Debian-exim.

-- 
Please don't Cc: me privately on mailing lists and Usenet, if you also
post the followup to the list or newsgroup. To reply privately _only_ on
Usenet and on broken lists which rewrite From, fetch the TXT record for
no-use.mooo.com.
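
The symptoms reported in this thread, modelled as an added example (not code from either poster or from Exim): a Unix read check run against credentials parsed from `/proc/<pid>/status`. It assumes the failing client process runs with only the primary group of Debian-exim; the numeric IDs and the status excerpts are constructed.

```python
import stat

def parse_status(text):
    """Return (fsuid, fsgid, supplementary groups) from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    # Uid:/Gid: columns are real, effective, saved, filesystem; Linux checks
    # file access against the filesystem IDs (normally equal to the effective IDs).
    groups = {int(g) for g in fields.get("Groups", [])}
    return int(fields["Uid"][3]), int(fields["Gid"][3]), groups

def can_read(mode, owner, group, uid, gid, groups):
    """Classic Unix check: exactly one permission class applies, in this order."""
    if uid == 0:
        return True  # root bypasses the mode bits
    if uid == owner:
        return bool(mode & stat.S_IRUSR)
    if group == gid or group in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

# Constructed IDs: Debian-exim is uid 105 / primary gid 109, privkey_users is gid 1001.
EXIM_GID, PRIVKEY_GID = 109, 1001

# Constructed status excerpts: one process holding its supplementary groups,
# one running with the primary group only (the assumed failing case).
WITH_GROUPS = "Name:\texim4\nUid:\t105\t105\t105\t105\nGid:\t109\t109\t109\t109\nGroups:\t109 1001\n"
PRIMARY_ONLY = "Name:\texim4\nUid:\t105\t105\t105\t105\nGid:\t109\t109\t109\t109\nGroups:\t\n"

def scenarios():
    kept = parse_status(WITH_GROUPS)
    dropped = parse_status(PRIMARY_ONLY)
    return {
        "640 root:privkey_users, supplementary groups held": can_read(0o640, 0, PRIVKEY_GID, *kept),
        "640 root:privkey_users, primary group only": can_read(0o640, 0, PRIVKEY_GID, *dropped),
        "644 root:privkey_users, primary group only": can_read(0o644, 0, PRIVKEY_GID, *dropped),
        "640 root:Debian-exim, primary group only": can_read(0o640, 0, EXIM_GID, *dropped),
    }

if __name__ == "__main__":
    for case, readable in scenarios().items():
        print(f"{case}: {'readable' if readable else 'denied'}")
```

On a live Linux host, passing the contents of `/proc/<pid>/status` for the process that logs the error to `parse_status` shows which groups that process actually holds.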
