Debian jessie possible permission issue for exim4

With the 700 settings of /etc/letsencrypt/live/ and /etc/letsencrypt/archives/, I’m getting TLS errors from exim4

e.g. 2015-11-18 12:11:01 TLS error on connection from mail-io0-f170.google.com [209.85.223.170] (cert/key setup: cert=/etc/exim4/exim.crt│key=/etc/exim4/exim.key): Error while reading file.

Normal rights for those files are 640 root.Debian-exim
(taken from another system):
-rw-r----- 1 root Debian-exim 749 avr 30 2009 exim.crt
-rw-r----- 1 root Debian-exim 887 avr 30 2009 exim.key

At first I’ve changed /etc/letsencrypt/archives/ to 755 and restarted exim but I’m still getting the error.

1 Like

That's incredibly dangerous as anybody on your server will be able to read your private keys.

I'm working around the issue by simply copying the certificate to /etc/exim4 folder before restarting exim

cp /etc/letsencrypt/live/smtp.example.com/{fullchain,privkey}.pem /etc/exim4/
chown root:Debian-exim /etc/exim4/*.pem
chmod 640 /etc/exim4/*.pem
service exim4 reload

Note that to avoid certificates being briefly world readable between the first two commands, I removed world readable on the /etc/exim4/ folder. Here are the permissions in the folder:

# ls -la /etc/exim4/
total 132
drwxr-x---   3 root Debian-exim  4096 Nov 19 03:30 .
drwxr-xr-x 153 root root        12288 Nov 13 07:49 ..
drwxr-xr-x   9 root root         4096 Feb 25  2012 conf.d
-rw-r--r--   1 root root        77168 Feb 17  2015 exim4.conf.template
-rw-r-----   1 root Debian-exim  3489 Nov 17 07:30 fullchain.pem
-rw-r-----   1 root Debian-exim   204 May 12  2011 passwd.client
-rw-r-----   1 root Debian-exim  1712 Nov 17 07:30 privkey.pem
-rw-r--r--   1 root root        17712 Dec 26  2011 sa-exim.conf
-rw-r--r--   1 root root         1091 Oct  3 12:01 update-exim4.conf.conf
1 Like
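The copy-then-chown-then-chmod sequence above has a short window in which the key is world readable unless the parent directory is locked down. An added example, not vmeurisse's script and not part of the Let's Encrypt client, that closes that window on the file side as well: it sets a restrictive umask, lets `install` (GNU coreutils, assumed available) create the copy with its final mode and ownership, and renames it into place so exim never reads a half-written file. The `/etc/letsencrypt/live/smtp.example.com` path and the `Debian-exim` group are taken from the thread; the `--deploy` flag and the function names are this example's own, and the reload only runs when that flag is given.

```shell
#!/bin/sh
# Added example (not from the original thread): stage Let's Encrypt cert and key
# into exim's config directory without any world-readable window, then reload exim.
set -eu

# install_certs SRC DST GROUP
# Copies fullchain.pem and privkey.pem from SRC into DST as root:GROUP, mode 0640.
# Files are created under umask 077 (so 0600 at worst) and given their final mode
# before the atomic rename makes them visible under their real name.
install_certs() {
    src="$1"; dst="$2"; grp="$3"
    umask 077
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$src/$f" ]; then
            echo "install_certs: missing $src/$f" >&2
            return 1
        fi
        tmp="$dst/.$f.tmp"
        # -o/-g need root; when run unprivileged (e.g. in a test) keep the caller's ids
        if [ "$(id -u)" -eq 0 ]; then
            install -m 0640 -o root -g "$grp" "$src/$f" "$tmp"
        else
            install -m 0640 "$src/$f" "$tmp"
        fi
        mv -f "$tmp" "$dst/$f"   # rename within one directory is atomic
    done
}

# check_private DIR: succeed only if no regular file directly in DIR is world readable.
# Useful as a post-deploy sanity check before reloading the MTA.
check_private() {
    dir="$1"
    [ -z "$(find "$dir" -maxdepth 1 -type f -perm -o=r)" ]
}

# Real deployment, only when explicitly asked for (hypothetical --deploy flag):
if [ "${1:-}" = "--deploy" ]; then
    install_certs /etc/letsencrypt/live/smtp.example.com /etc/exim4 Debian-exim
    check_private /etc/exim4
    service exim4 reload
fi
```

Run it as `sh stage-exim-certs.sh --deploy` from the renewal script (or a certbot deploy hook); without the flag it only defines the functions, which is what makes the functions testable on scratch directories.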

Thank you vmeurisse.

Yeah, I’m aware of the danger. However it’s a dedicated server and I’m the only one having access.

Just reporting the issue at this stage. Maybe the LE team will like to work around the issue.

I like your approach however, and it’s probably what I’ll do if the LE team does nothing about it: append your script to my bi-monthly renewal script.

Any update on this? I have a similar problem.