Re: [exim] Error while reading cert or key file

2021-07-04 Thread Heiko Schlittermann via Exim-users
Adrian via Exim-users  (Sun 04 Jul 2021 22:48:08 CEST):
> I'm setting up exim4 on a new server, to be as similar as possible to
> an existing server where exim4 works well.  Both are running Debian
> buster with split config files.
> 
> I'm getting the following error in the mainlog
> TLS error on connection from email-test.had.dnsops.gov [129.6.100.206]
> (cert/key setup:
> cert=/etc/letsencrypt/live/example.com/fullchain.pem
> key=/etc/exim4/privkey.pem): Error while reading file.

First of all: make sure that the certificate matches the key:
Compare the modulus of the key used for the cert with the modulus of the
key in your key file; do this as the Exim runtime user:

cd /
sudo -u Debian-exim openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -noout -modulus
sudo -u Debian-exim openssl rsa -in /etc/exim4/privkey.pem -noout -modulus


> The cert file path is a symlink to the actual file
> in /etc/letsencrypt which is world-readable.
> 
> The key file is /etc/exim4/privkey.pem which is a COPY of the live
> one in /etc/letsencrypt.  When the key is renewed by certbot a script
> recreates the copy in /etc/exim4 and runs the following script
> 
> chgrp Debian-exim /etc/exim4/privkey.pem
> setfacl -m g:Debian-exim:r /etc/exim4/privkey.pem
> # setfacl -m g:Debian-exim:x /etc/exim4  seems not needed for this dir
> systemctl restart dovecot
~~~
Why dovecot? If anything, then Exim. But Exim reads the cert *on demand*, each
time for each connection, so there is no need to restart-or-reload Exim
because of a certificate change. (Of course, as long as the path doesn't
change.)

> Is there a way to increase debug verbosity?  E.g. so that exim4
> confirms which file it can't read, the cert or the key file.

You can start the daemon in the foreground with TLS debugging, on a
"private" port (if TLS doesn't suffice, try -d+tls, and then -d+all
instead of -d-all+tls)

exim -d-all+tls -bdf -oX 2525

and then connect using a SSL client:

openssl s_client -connect localhost:2525 -starttls smtp

> ..or anything else, even brief relaxation of permissions, that might
> help identify where the problem lies.

You can do chmod a+r on the key and the cert for testing purpose, Exim
doesn't check the permissions (and the SSL libraries don't check either,
I believe)

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
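Whether Exim, running as Debian-exim, can open the two files depends on every directory on the way, not only on the file's own mode, and a `test -r` run as root will not tell you, because root passes every check. Certbot creates /etc/letsencrypt/live and /etc/letsencrypt/archive with mode 0700, so a "world-readable" fullchain.pem below them is still unreachable for any other user; the same applies to the archive/ target that the live/ symlink points to. The script below is an added example, not code from this thread or from Exim: it walks each component of a path and reports the first one whose mode bits deny a named user, which explains the result of Heiko's `sudo -u Debian-exim` test rather than replacing it. It assumes GNU coreutils (`stat -c`, `readlink -f`); `explain_access`, `build_demo`, the helper names and the temporary demo tree are this example's own, not the poster's files.

```shell
#!/bin/sh
# Added example, not from the thread: report *which* path component denies a
# given runtime user, instead of `test -r`, which answers for the caller (and
# for root is always "yes").  Assumes GNU coreutils (stat -c, readlink -f).
# The user and its groups are passed by name, so this also works for a user
# that does not exist on the box where you run it.
#
#   explain_access USER "GROUP ..." /path/to/file [BASE]
# prints "ok", or the first blocking entry below BASE (default /) as
# "denied: <path> (mode <octal>, class <u|g|o>, needs <r|x>)" and returns 1.

# Permission class USER ($1, groups $2) falls into for an entry owned by $3:$4.
perm_class() {
    [ "$1" = "$3" ] && { echo u; return; }
    for _g in $2; do
        [ "$_g" = "$4" ] && { echo g; return; }
    done
    echo o
}

# True if octal MODE ($1) grants bit NEED ($3; 4 = read, 1 = search/execute)
# to CLASS ($2).  stat prints e.g. "700" or "1777": pad to four digits and
# drop the setuid/setgid/sticky digit, keeping the three rwx digits.
has_bit() {
    _m=$(printf '%04d' "$1"); _m=${_m#?}
    case $2 in
        u) _d=${_m%??} ;;
        g) _d=${_m#?}; _d=${_d%?} ;;
        o) _d=${_m#??} ;;
    esac
    [ $((_d & $3)) -ne 0 ]
}

# Check one entry (symlinks followed, as the kernel does) for bit NEED ($2).
# Uses _user/_groups set by explain_access.
check_entry() {
    _path=$1; _need=$2
    _st=$(stat -L -c '%a %U %G' "$_path" 2>/dev/null) ||
        { echo "missing: $_path"; return 1; }
    set -- $_st                                   # mode owner group
    _cls=$(perm_class "$_user" "$_groups" "$2" "$3")
    has_bit "$1" "$_cls" "$_need" && return 0
    [ "$_need" -eq 4 ] && _what=r || _what=x
    echo "denied: $_path (mode $1, class $_cls, needs $_what)"
    return 1
}

# Walk every component of TARGET ($1) below BASE ($2): directories need x, the
# final entry needs r.  A symlinked file is read through its real path, so
# that path is walked too (certbot's live/ entries point into archive/).
walk_path() {
    _target=$1; _rel=${1#"$2"}; _rel=${_rel#/}; _cur=${2%/}
    while [ -n "$_rel" ]; do
        _comp=${_rel%%/*}
        case $_rel in */*) _rel=${_rel#*/} ;; *) _rel= ;; esac
        _cur="$_cur/$_comp"
        if [ -n "$_rel" ]; then _n=1; else _n=4; fi
        check_entry "$_cur" "$_n" || return 1
    done
    if [ -L "$_target" ]; then
        _real=$(readlink -f "$_target") || { echo "unresolvable: $_target"; return 1; }
        walk_path "$_real" "$2"
    fi
}

explain_access() {
    _user=$1; _groups=$2
    walk_path "$3" "${4:-/}" && echo ok
}

# Constructed demo tree mirroring the thread's layout (not the poster's files):
# live/ and archive/ at 0700 as certbot leaves them, a 0644 certificate below
# them, and a 0640 key copy that only root and the file's group may read.
build_demo() {
    _root=$(readlink -f "$(mktemp -d)")
    mkdir -p "$_root/etc/letsencrypt/live/example.com" \
             "$_root/etc/letsencrypt/archive/example.com" "$_root/etc/exim4"
    echo '-----BEGIN CERTIFICATE-----' >"$_root/etc/letsencrypt/archive/example.com/fullchain1.pem"
    ln -s ../../archive/example.com/fullchain1.pem \
          "$_root/etc/letsencrypt/live/example.com/fullchain.pem"
    echo '-----BEGIN PRIVATE KEY-----' >"$_root/etc/exim4/privkey.pem"
    chmod 755 "$_root" "$_root/etc" "$_root/etc/letsencrypt" "$_root/etc/exim4" \
              "$_root/etc/letsencrypt/live/example.com" \
              "$_root/etc/letsencrypt/archive/example.com"
    chmod 700 "$_root/etc/letsencrypt/live" "$_root/etc/letsencrypt/archive"
    chmod 644 "$_root/etc/letsencrypt/archive/example.com/fullchain1.pem"
    chmod 640 "$_root/etc/exim4/privkey.pem"
    echo "$_root"
}

# Stand-alone demo.  On a real box drop BASE and use the real groups:
#   explain_access Debian-exim "$(id -Gn Debian-exim)" /etc/exim4/privkey.pem
if [ "${1:-}" = "--demo" ]; then
    demo=$(build_demo)
    explain_access Debian-exim Debian-exim "$demo/etc/letsencrypt/live/example.com/fullchain.pem" "$demo"
    explain_access Debian-exim Debian-exim "$demo/etc/exim4/privkey.pem" "$demo"
    rm -rf "$demo"
fi
```

Run with `--demo` to see the two failures on the constructed tree: the certificate is blocked at the 0700 `live` directory before its mode is ever consulted, and the key copy is blocked by its own 0640 mode for a user outside the file's group. Once the verdict names the component, the fix is the corresponding `chmod`/`chgrp`/`setfacl` on that entry only, rather than a blanket `chmod a+r`.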


[exim] Better way to deal with phished users?

2021-07-04 Thread Niels Kobschätzki via Exim-users
Hi,

I have again and again problems with phished users. I want to try a new way to 
deal with them but I worry that I mess up parts of our monitoring.
One sign of a phished user (if they do not try to log in from lots of different 
countries) is that in a short time they amass quite some mail in my mail queue. 
Thus my idea is to check if there is such a user via my monitoring system and 
when one is detected, there is a handler that will freeze that user and all 
their current mail in the queue. The part of detecting the spam-user via their 
count of mails in the queue is tested and already gave us far better reaction 
times, the hit ratio is like 90% of the time it is a spammer, the other times 
it is a legitimate user with some other problem (and mails from users who 
regularly generate messages like spammers by newsletters and such are already 
automatically moved to another mail-server) 

The freezing will give the administrators time to check if it is spam or not 
(like 30 mails all with a big alphabetical list going to one domain like 
hotmail.com) and then handle it as we usually handle those cases.

Our timeout_after_frozen-timeout is currently rather short (5 minutes) and I 
wonder if I increase it to something like 16 hours (enough time to check on a user, even 
when it happens late in the evening on a Saturday and you don't want to check 
on a Sunday morning first thing) there will be new problems coming up. Like 
frozen messages living in my queue and messing up my monitoring, like the amount of 
mails in the queue.

Iirc exim introduced multiple queues a while ago, do I remember correctly? 
Could I move those mails from such a user to a new queue, so that for example 
exim -bpc won’t count them? Or is there a better way than my idea above?

Best,

Niels

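The detection Niels describes (count queued messages per sender and act when one sender spikes) can be prototyped against `exim -bp` output. The script below is an added example, not Niels's monitoring and not part of Exim: it parses a constructed `exim -bp` listing, skips messages that are already frozen, flags senders at or above a threshold, and prints, rather than runs, the `exim -Mf` (freeze) and `exim -MG <queue> <ids>` (move to a named queue, available since Exim 4.88) commands an operator would review. Messages moved to a named queue are no longer counted by a plain `exim -bpc`, which is what the question asks for. The listing format assumed is the one `exim -bp` prints (age, size, message id, `<sender>`, optional `*** frozen ***`, then indented recipients); `flag_senders`, `propose_actions`, the queue name `held` and the sample addresses and ids are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or Exim: triage an `exim -bp` listing per
# envelope sender and print the follow-up commands for an operator to review.
# Assumed input format (exim -bp): "<age> <size> <message-id> <sender>" with an
# optional "*** frozen ***", followed by indented recipient lines and a blank
# line.  -Mf (freeze) and "-MG <queue> <ids>" (move to a named queue, Exim
# 4.88+) are taken from the Exim spec; nothing here executes exim.

# Constructed sample listing; ids and addresses are made up for the example.
SAMPLE_QUEUE='25m  2.9K 1t1kiL-0001Bz-3P <alice@example.com>
          one@hotmail.com
          two@hotmail.com

22m  2.9K 1t1kj8-0001C3-7a <alice@example.com>
          three@hotmail.com

20m  2.9K 1t1kjQ-0001C9-Kx <alice@example.com>
          four@hotmail.com

 9m   11K 1t1kkA-0001CT-2b <alice@example.com> *** frozen ***
          five@hotmail.com

 5m  1.2K 1t1kkp-0001Cy-Qe <bob@example.com>
          colleague@example.org
'

# stdin: exim -bp output.  stdout: one line per sender with unfrozen messages,
# "<count> <sender> <id,id,...>", busiest first.  Frozen messages are skipped:
# they have already been dealt with and no longer indicate new abuse.
queue_summary() {
    awk '
        $4 ~ /^<.*>$/ {
            if ($0 ~ /\*\*\* frozen \*\*\*/) next
            s = substr($4, 2, length($4) - 2); if (s == "") s = "<>"
            n[s]++
            ids[s] = ids[s] (n[s] > 1 ? "," : "") $3
        }
        END { for (s in n) print n[s], s, ids[s] }
    ' | sort -rn
}

# $1 = threshold.  stdout: "<sender> <count> <ids>" for senders at or above it.
flag_senders() {
    queue_summary | awk -v t="$1" '$1 >= t { print $2, $1, $3 }'
}

# $1 = threshold, $2 = named queue.  Prints the commands, does not run them.
propose_actions() {
    flag_senders "$1" | while read -r sender count ids; do
        idlist=$(printf '%s' "$ids" | tr ',' ' ')
        echo "# $sender: $count unfrozen messages queued"
        echo "exim -Mf $idlist"            # stop delivery attempts
        echo "exim -MG $2 $idlist"         # out of the default queue, so exim -bpc ignores them
    done
}

# Demo on the constructed listing; for real use: exim -bp | propose_actions 25 held
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_QUEUE" | propose_actions 3 held
fi
```

With threshold 3 the demo flags alice (three unfrozen messages; the fourth is frozen and not counted) and leaves bob alone. Keeping the output as printed commands preserves the human check Niels wants before anything is frozen, and moving the flagged messages to a named queue keeps them out of the default-queue count that the monitoring alarms on.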


Re: [exim] Error while reading cert or key file

2021-07-04 Thread u34--- via Exim-users
Adrian via Exim-users  wrote:

> I'm setting up exim4 on a new server, to be as similar as possible to
> an existing server where exim4 works well.  Both are running Debian
> buster with split config files.
> 
> I'm getting the following error in the mainlog
> TLS error on connection from email-test.had.dnsops.gov [129.6.100.206]
> (cert/key setup:
> cert=/etc/letsencrypt/live/example.com/fullchain.pem
> key=/etc/exim4/privkey.pem): Error while reading file.
> 
> The cert file path is a symlink to the actual file
> in /etc/letsencrypt which is world-readable.
> 
> The key file is /etc/exim4/privkey.pem which is a COPY of the live
> one in /etc/letsencrypt.  When the key is renewed by certbot a script
> recreates the copy in /etc/exim4 and runs the following script
> 
> chgrp Debian-exim /etc/exim4/privkey.pem
> setfacl -m g:Debian-exim:r /etc/exim4/privkey.pem
> # setfacl -m g:Debian-exim:x /etc/exim4  seems not needed for this dir
> systemctl restart dovecot
> 
> This is the output of getfacl and ls -l and is the same for the existing
> and the new server.
> 
> getfacl privkey.pem 
> # file: privkey.pem
> # owner: root
> # group: Debian-exim
> user::rw-
> group::r--
> group:Debian-exim:r--
> mask::r--
> other::---
> 
> ls -l privkey.pem 
> -rw-r-----+ 1 root Debian-exim 1704 Jun 26 12:42 privkey.pem
> 
> The existing server works, the new server can't do TLS and reports
> 'Error while reading file'.
> 
> Exim4 is running as user Debian-Exim.  I've tried setting initgroups =
> true.
> 
> Is there a way to increase debug verbosity?  E.g. so that exim4
> confirms which file it can't read, the cert or the key file.
> 
> ..or anything else, even brief relaxation of permissions, that might
> help identify where the problem lies.
> 
> I have to confess now that I don't generally understand the answers
> here. Please would you explain in terms that tell me the commands
> to issue, and what to add or change in which files.  Thanks!
> 

lsattr - list file attributes on a Linux second extended file system

I doubt this is the problem, but I have nothing better to offer.

--
u34




[exim] Error while reading cert or key file

2021-07-04 Thread Adrian via Exim-users
I'm setting up exim4 on a new server, to be as similar as possible to
an existing server where exim4 works well.  Both are running Debian
buster with split config files.

I'm getting the following error in the mainlog
TLS error on connection from email-test.had.dnsops.gov [129.6.100.206]
(cert/key setup:
cert=/etc/letsencrypt/live/example.com/fullchain.pem
key=/etc/exim4/privkey.pem): Error while reading file.

The cert file path is a symlink to the actual file
in /etc/letsencrypt which is world-readable.

The key file is /etc/exim4/privkey.pem which is a COPY of the live
one in /etc/letsencrypt.  When the key is renewed by certbot a script
recreates the copy in /etc/exim4 and runs the following script

chgrp Debian-exim /etc/exim4/privkey.pem
setfacl -m g:Debian-exim:r /etc/exim4/privkey.pem
# setfacl -m g:Debian-exim:x /etc/exim4  seems not needed for this dir
systemctl restart dovecot

This is the output of getfacl and ls -l and is the same for the existing
and the new server.

getfacl privkey.pem 
# file: privkey.pem
# owner: root
# group: Debian-exim
user::rw-
group::r--
group:Debian-exim:r--
mask::r--
other::---

ls -l privkey.pem 
-rw-r-----+ 1 root Debian-exim 1704 Jun 26 12:42 privkey.pem

The existing server works, the new server can't do TLS and reports
'Error while reading file'.

Exim4 is running as user Debian-Exim.  I've tried setting initgroups =
true.

Is there a way to increase debug verbosity?  E.g. so that exim4
confirms which file it can't read, the cert or the key file.

..or anything else, even brief relaxation of permissions, that might
help identify where the problem lies.

I have to confess now that I don't generally understand the answers
here. Please would you explain in terms that tell me the commands
to issue, and what to add or change in which files.  Thanks!
