Re: [exim] Unix user / and group(s) of the process doing the SMTP delivery to a remote MTA?
Hi Anton

On Friday, 7 January 2022 18:08:12 CET Anton via Exim-users wrote:
> On 07-01-22 17:23, Michael Naef via Exim-users wrote:
> > Hi everyone
> >
> > I'm testing to offer a TLS client Cert when Exim acts as an SMTP client to
> > a remote MTA.
>
> hi Michael,
>
> try to add "initgroups = true" to transport?

Bingo!

As the documentation says:
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-generic_options_for_routers.html

"If the router queues an address for a transport, and this option is true, and the uid supplied by the router is not overridden by the transport, the initgroups() function is called when running the transport to ensure that any additional groups associated with the uid are set up. See also group and user and the discussion in chapter 23."

--> "...to ensure that any additional groups associated with the uid are set up"

This is exactly what was missing: now the additional group 'ssl', to which 'mailnull' (the exim_user) belongs in my set-up, is applied to the process and the certificate is readable.

Thanks for the pointer!

Michael

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
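The mechanism behind Anton's fix, as an added example that is not part of the thread or of Exim's code: a process that only calls setgid()/setuid() carries whatever supplementary groups it had (or none), while a process that calls initgroups(3) for the target user first gets that user's full group list from the group database. The `sudo -u mailnull head` test in the original post succeeded because sudo runs initgroups() for the target user, so it does not reproduce what a setuid()-only delivery child sees. The script below models the POSIX read check with the numbers from the post (uid/gid 26 = mailnull, gid 3009 = ssl, key mode 0640 root:ssl) and, when run as root with a real path and user, performs the same comparison live. The model function, the constants and the `probe_as_user` helper are all assumptions of this example, not anything Exim provides.

```python
"""
Added example (not from the exim-users thread or from Exim): why a key that
`sudo -u mailnull` can read is still unreadable to a setuid()-only delivery
child, and why initgroups() changes that.

Numbers marked "from the post" are taken from the original message; everything
else is constructed for this example.
"""
import os
import pwd
import stat


# --- pure model of the POSIX read-permission check -------------------------

def can_read(mode, f_uid, f_gid, euid, egid, groups):
    """True if a process with (euid, egid, supplementary groups) may open a
    file with the given st_mode/owner/group for reading.  Root is
    deliberately not special-cased: this models the unprivileged delivery
    process, not the daemon.  Owner match is decided by the owner bits alone,
    exactly as the kernel does (no fall-through to group/other)."""
    if euid == f_uid:
        return bool(mode & stat.S_IRUSR)
    if egid == f_gid or f_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


# From the post: `id mailnull` -> uid 26, gid 26, supplementary group ssl (3009);
# `ls -l` on the key -> -rw-r----- root:ssl; `procstat` shows the daemon with
# EGID 6, so the delivery child's egid is whatever exim_group is, never 3009.
MAILNULL_UID, MAILNULL_GID, SSL_GID = 26, 26, 3009
KEY_MODE = 0o640
KEY_UID, KEY_GID = 0, SSL_GID


def delivery_process_can_read_key(initgroups, egid=MAILNULL_GID):
    """Model the delivery child: it ends up with euid 26 and egid `egid`.
    With initgroups = true the supplementary list comes from the group
    database (26 and 3009); without it we assume the child has none
    (constructed worst case for the comparison)."""
    groups = {MAILNULL_GID, SSL_GID} if initgroups else set()
    return can_read(KEY_MODE, KEY_UID, KEY_GID, MAILNULL_UID, egid, groups)


# --- live probe: needs root, a real user and a real file --------------------

def probe_as_user(path, user, use_initgroups):
    """Fork, drop to `user` with or without initgroups(3), and try to open
    `path`.  Returns True if the child could read it.  Must run as root."""
    pw = pwd.getpwnam(user)
    pid = os.fork()
    if pid == 0:  # child
        try:
            os.setgid(pw.pw_gid)
            if use_initgroups:
                os.initgroups(user, pw.pw_gid)   # pick up e.g. the 'ssl' group
            else:
                os.setgroups([])                 # child with no extra groups
            os.setuid(pw.pw_uid)
            with open(path, "rb"):
                pass
            os._exit(0)
        except OSError:
            os._exit(1)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) == 0


if __name__ == "__main__":
    import sys
    print("model: without initgroups ->", delivery_process_can_read_key(False))
    print("model: with    initgroups ->", delivery_process_can_read_key(True))
    if len(sys.argv) == 3 and os.geteuid() == 0:
        key_path, exim_user = sys.argv[1:]
        for flag in (False, True):
            ok = probe_as_user(key_path, exim_user, flag)
            print(f"live:  initgroups={flag}: readable={ok}")
```

Run it as `python3 initgroups_demo.py /path/to/privkey.pem mailnull` as root to see both the model and the live result; without root it only prints the model. On the Exim side, the thread's resolution is `initgroups = true` on the transport that carries `tls_certificate`/`tls_privatekey`, and Heiko's `exim -bP exim_user exim_group` is the way to confirm which uid/gid the delivery child will actually use before reasoning about group membership.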
Re: [exim] Unix user / and group(s) of the process doing the SMTP delivery to a remote MTA?
Michael Naef via Exim-users (Fr 07 Jan 2022 17:23:38 CET):
> Hi everyone
>
> I'm testing to offer a TLS client Cert when Exim acts as an SMTP client to a
> remote MTA.

When Exim runs as an SMTP client, it should perform the actual delivery as the Exim runtime user/group. Try running

    exim -bP exim_user exim_group

to check the actual values.

--
Heiko
Re: [exim] Unix user / and group(s) of the process doing the SMTP delivery to a remote MTA?
On 07-01-22 17:23, Michael Naef via Exim-users wrote:
> Hi everyone
>
> I'm testing to offer a TLS client Cert when Exim acts as an SMTP client to a
> remote MTA.

hi Michael,

try to add "initgroups = true" to transport?

A.
Re: [exim] Unix user / and group(s) of the process doing the SMTP delivery to a remote MTA?
On 07/01/2022 16:23, Michael Naef via Exim-users wrote:
> However exim is unable to read the private key unless I make it world readable

... or you make it readable by the group exim runs as. Or the user exim runs as.

--
Cheers,
Jeremy
[exim] Unix user / and group(s) of the process doing the SMTP delivery to a remote MTA?
Hi everyone

I'm testing to offer a TLS client Cert when Exim acts as an SMTP client to a remote MTA. However exim is unable to read the private key unless I make it world readable (which I obviously don't want to do):

2022-01-07 17:12:07 1n5rcx-0008mU-OP == a...@b.tld R=dnslookup T=remote_smtp defer (-37) H=my.tld [1.2.3.4]:25: TLS session: (SSL_CTX_use_PrivateKey_file file=/usr/[..]/privkey4.pem): error:0200100D:system library:fopen:Permission denied

As what user is exim reading the TLS private key when it is acting as a TLS client and configured to offer a client cert? I couldn't find and figure it out in the documentation... Is it fri(y)day-blindness? ;)

[root@atlantis ~]# ps auxww | grep exim
mailnull 24202  0.0  0.0 22572 11512  -  Ss   16:22  0:00.07 /usr/local/sbin/exim -bd -q12m
root     98363  0.0  0.0 11280  2336  1  R+   17:18  0:00.00 grep exim

[root@atlantis ~]# procstat credential 24202
  PID COMM  EUID RUID SVUID EGID RGID SVGID UMASK FLAGS GROUPS
24202 exim    26   26    26    6    6     6   000 -     6,3009

[root@atlantis ~]# id mailnull
uid=26(mailnull) gid=26(mailnull) groups=26(mailnull),3009(ssl)

[root@atlantis ~]# ls -l /usr/[..]/privkey4.pem
-rw-r-----  1 root  ssl  1704 Oct 28 11:44 /usr/[..]/privkey4.pem

[root@atlantis ~]# sudo -u mailnull head -1 /usr/local/etc/letsencrypt/archive/atlantis.aeolus.ch/privkey4.pem
-----BEGIN PRIVATE KEY-----

Thanks for any other eyes on what my mistake could be...

Best Regards,
Michael
Re: [exim] GMail and TCP Fast Open
On 2021-12-03 12:00, Andrew C Aitchison wrote:
>
> I am just passing on, with permission, something exim related
> from the mailop@??? list.

Thank you, Andrew, that helped me a lot.

This issue appeared for me some time ago -- all messages *with attachments* (even small ones) sent to Google MX (and only to them) timed out. They were all getting delivered, but with delays of 0.5 to several hours. I have a few such mails per hour, no bulk sending, DKIM and DMARC (and DANE) configured.

With TCP Fast Open disabled they are now delivered immediately.

Thanks!

A.