I'm setting up exim4 on a new server, to be as similar as possible to an existing server where exim4 works well. Both are running Debian buster with split config files.
I'm getting the following error in the mainlog:

    TLS error on connection from email-test.had.dnsops.gov [129.6.100.206] (cert/key setup: cert=/etc/letsencrypt/live/example.com/fullchain.pem key=/etc/exim4/privkey.pem): Error while reading file

The cert file path is a symlink to the actual file in /etc/letsencrypt, which is world-readable. The key file is /etc/exim4/privkey.pem, which is a COPY of the live one in /etc/letsencrypt. When the key is renewed by certbot a script recreates the copy in /etc/exim4 and runs the following script:

    chgrp Debian-exim /etc/exim4/privkey.pem
    setfacl -m g:Debian-exim:r /etc/exim4/privkey.pem
    # setfacl -m g:Debian-exim:x /etc/exim4    seems not needed for this dir
    systemctl restart dovecot

This is the output of getfacl and ls -l, and it is the same for the existing and the new server:

    getfacl privkey.pem
    # file: privkey.pem
    # owner: root
    # group: Debian-exim
    user::rw-
    group::r--
    group:Debian-exim:r--
    mask::r--
    other::---

    ls -l privkey.pem
    -rw-r-----+ 1 root Debian-exim 1704 Jun 26 12:42 privkey.pem

The existing server works; the new server can't do TLS and reports 'Error while reading file'. Exim4 is running as user Debian-exim. I've tried setting initgroups = true.

Is there a way to increase debug verbosity? E.g. so that exim4 confirms which file it can't read, the cert or the key file. ...or anything else, even brief relaxation of permissions, that might help identify where the problem lies.

I have to confess now that I don't generally understand the answers here. Please would you explain in terms that tell me the commands to issue, and what to add or change in which files. Thanks!

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
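The question asks how to find out which of the two files the Exim user cannot read. One way to answer that without relaxing any permissions is to check, as that user, every directory on the path (search permission), every symlink hop, and finally the file itself. The script below is an added example written for this thread, not code from the post or from the Exim project; the cert and key paths are the ones the poster quotes, and running it via `sudo -u Debian-exim` is an assumption about how it would be used on the server.

```shell
#!/bin/sh
# tls_file_check.sh: for the user this runs as, report whether each
# directory on the way to a TLS cert/key file is traversable, follow
# symlinks one hop at a time, and confirm the final file is readable.
# Added example for the exim-users thread; not part of Exim.
#
# Assumed usage on the mail server (paths are those from the post):
#   sudo -u Debian-exim sh tls_file_check.sh \
#       /etc/letsencrypt/live/example.com/fullchain.pem /etc/exim4/privkey.pem

# resolve_link PATH: print the symlink target of PATH as an absolute path.
resolve_link() {
    target=$(readlink "$1") || return 1
    case "$target" in
        /*) printf '%s\n' "$target" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$target" ;;
    esac
}

# check_path PATH: return 0 if PATH resolves to a regular file readable by
# the current user; otherwise print the first failing component and return 1.
check_path() {
    orig=$1
    p=$1
    case "$p" in /*) ;; *) p="$PWD/$p" ;; esac   # make relative paths absolute
    hops=0
    while [ "$hops" -lt 16 ]; do
        # Every directory on the path needs search (x) permission.
        dir=$(dirname "$p")
        rest=${dir#/}
        acc=""
        while [ -n "$rest" ]; do
            comp=${rest%%/*}
            rest=${rest#"$comp"}
            rest=${rest#/}
            [ -z "$comp" ] && continue
            acc="$acc/$comp"
            if [ ! -d "$acc" ]; then
                printf 'FAIL %s: %s is missing or not a directory\n' "$orig" "$acc"
                return 1
            fi
            if [ ! -x "$acc" ]; then
                printf 'FAIL %s: %s not traversable by %s\n' "$orig" "$acc" "$(id -un)"
                ls -ld "$acc"
                return 1
            fi
        done
        # Follow one symlink hop and re-check the directories of the target.
        if [ -L "$p" ]; then
            next=$(resolve_link "$p") || {
                printf 'FAIL %s: cannot read symlink %s\n' "$orig" "$p"; return 1; }
            if [ ! -e "$next" ]; then
                printf 'FAIL %s: symlink %s -> %s is dangling\n' "$orig" "$p" "$next"
                return 1
            fi
            p=$next
            hops=$((hops + 1))
            continue
        fi
        if [ ! -f "$p" ]; then
            printf 'FAIL %s: %s is missing or not a regular file\n' "$orig" "$p"
            return 1
        fi
        if [ ! -r "$p" ]; then
            printf 'FAIL %s: %s not readable by %s\n' "$orig" "$p" "$(id -un)"
            ls -l "$p"
            return 1
        fi
        printf 'OK   %s: readable by %s (resolved to %s)\n' "$orig" "$(id -un)" "$p"
        return 0
    done
    printf 'FAIL %s: too many symlink hops\n' "$orig"
    return 1
}

# check_all FILE...: check every argument; return 1 if any check fails.
check_all() {
    rc=0
    for f in "$@"; do
        check_path "$f" || rc=1
    done
    return $rc
}

# When run with arguments, check them all and exit with the combined status.
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

Because the check runs as the same user Exim drops to, a FAIL line names the exact directory, symlink hop or file that the daemon cannot open, which is what the mainlog message does not say. Note that the `setfacl` line in the post grants read on the key file only; if a directory above it (such as the `/etc/letsencrypt/live` and `/etc/letsencrypt/archive` directories behind the fullchain.pem symlink) denies search permission to the Debian-exim user, this script reports that directory rather than the file.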
