TLS key file
When is the file specified by tls_privatekey read, in a daemon exim?
Once at startup, or every time a TLS connection is made?

IOW, does exim need to be SIGHUPed when the file changes? And does the
file need to be readable by the exim user or group id?

Thanks.

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: TLS key file
On 28/04/2019 05:51, Ian Zimmerman via Exim-users wrote:
> When is the file specified by tls_privatekey read, in a daemon exim?
> Once at startup, or every time a TLS connection is made?

Every connection

> IOW, does exim need to be SIGHUPed when the file changes?

No

> And does the
> file need to be readable by the exim user or group id?

Yes; exim runs as much of the time as it can not being
root.
--
Cheers,
Jeremy

Re: TLS key file
On 27/04/19, Ian Zimmerman via Exim-users (exim-users@exim.org) wrote:
> ... And does the file need to be readable by the exim user or group
> id?

The certificate file/s definitely do need to be readable by exim. I have
a kludge script for my letsencrypt certs to copy them to the exim4
directory and change ownership to do just that. A better approach would
probably be to add the exim user to a "certs" group and chgrp the
certificates.

Rory

Re: TLS key file
Ian Zimmerman via Exim-users <exim-users@exim.org> wrote:
> When is the file specified by tls_privatekey read, in a daemon exim?
> Once at startup, or every time a TLS connection is made?

The latter. (Which needs to be that way since
tls_privatekey/tls_certificate are expanded and might point to
different files depending on the connecting host or received SNI)

> IOW, does exim need to be SIGHUPed when the file changes?

No.

> And does the
> file need to be readable by the exim user or group id?

Yes, either exim user or exim group needs read access, I am using 0640
root:eximuser.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
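
The 0640 root:eximuser layout from the replies above can be verified after each certificate renewal, since exim opens the key on every connection. This is an added example, not code from any poster in the thread; `check_key_perms` is a hypothetical helper, and it assumes a `stat` that supports `-c` and `-L` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not from the thread. check_key_perms is a hypothetical helper.
# Assumes a stat(1) that supports -c and -L (GNU coreutils or BusyBox).

# usage: check_key_perms FILE EXPECTED_OWNER EXPECTED_GROUP
# Returns 0 if FILE matches the "0640 owner:group" layout, 1 otherwise.
check_key_perms() {
    file=$1; want_owner=$2; want_group=$3
    rc=0

    if [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file" >&2
        return 1
    fi

    # -L follows symlinks so the real key file is inspected.
    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -L -c '%a %U %G' "$file")
    mode=$1; owner=$2; group=$3

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner" >&2; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group" >&2; rc=1
    fi
    # Leading 0 makes the shell read the mode as octal.
    if [ $(( 0$mode & 007 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants access to other users" >&2; rc=1
    fi
    if [ $(( 0$mode & 040 )) -eq 0 ]; then
        echo "FAIL: mode $mode: group cannot read the key" >&2; rc=1
    fi
    if [ $(( 0$mode & 020 )) -ne 0 ]; then
        echo "FAIL: mode $mode: group can modify the key" >&2; rc=1
    fi
    return $rc
}

# Example call (path and group name are placeholders for your own setup):
#   check_key_perms /path/to/privkey.pem root eximuser
if [ "$#" -eq 3 ]; then
    check_key_perms "$@"
fi
```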

