In main.cf I have
smtpd_tls_dh1024_param_file = /etc/postfix/dh4096.pem
The permissions on these files are 400 (probably far more restrictive
than necessary). Since a cron script generates these files monthly, I
use a symlink to a subdir to avoid cluttering /etc/postfix:
# ls -l dh*
lrwxrwxrwx 1 root root 20 Mar 5 20:14 dh1536.pem -> dh/dh1536.pem.201703
lrwxrwxrwx 1 root root 13 Mar 5 21:21 dh4096.pem -> dh/dh4096.pem
dh:
total 24
drwxr-x--- 2 root root 4096 Mar 5 20:15 .
drwxr-xr-x 4 root root 4096 Mar 5 21:21 ..
-r-------- 1 root root 335 Mar 5 20:13 dh1536.pem.201703
-r-------- 1 root root 335 Mar 5 20:14 dh1536.pem.201704
-r-------- 1 root root 769 Mar 1 22:20 dh4096.pem.201703
-r-------- 1 root root 769 Mar 3 17:24 dh4096.pem.201704
and yet
# postfix check
postfix/postfix-script: warning: group or other writable:
/usr/local/etc/postfix/./dh1536.pem
postfix/postfix-script: warning: group or other writable:
/usr/local/etc/postfix/./dh4096.pem
so it appears that postfix is reading the symlink mode rather than the
mode of its target (i.e. it is doing lstat instead of stat).
-Earl
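An added example (not part of the post above) that reproduces the lstat/stat distinction the report describes: a constructed `dh/dh4096.pem.201704` file at mode 0400 behind a `dh4096.pem` symlink, checked once via `os.lstat()` (the link's own mode) and once via `os.stat()` (the target's mode). File names mirror the listing above; the directory and DH content are placeholders.

```python
import os
import stat
import tempfile

# Group- or other-writable bits, the condition the warning above complains about.
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def group_or_other_writable(path, follow_symlinks):
    """Return True if the mode bits of `path` include group or other write.

    follow_symlinks=False uses os.lstat() and looks at a symlink itself
    (on Linux a symlink always carries mode 0777, so this is always True);
    follow_symlinks=True uses os.stat() and looks at the link's target.
    """
    st = os.stat(path) if follow_symlinks else os.lstat(path)
    return bool(stat.S_IMODE(st.st_mode) & GROUP_OR_OTHER_WRITE)


def make_layout():
    """Constructed layout mirroring the post: dh/dh4096.pem.201704 (mode 0400)
    with a relative symlink dh4096.pem pointing at it. Returns (link, target)."""
    base = tempfile.mkdtemp(prefix="postfix-dh-")
    subdir = os.path.join(base, "dh")
    os.mkdir(subdir, 0o750)
    target = os.path.join(subdir, "dh4096.pem.201704")
    with open(target, "w") as fh:
        fh.write("-----BEGIN DH PARAMETERS-----\n(placeholder)\n"
                 "-----END DH PARAMETERS-----\n")
    os.chmod(target, 0o400)
    link = os.path.join(base, "dh4096.pem")
    os.symlink(os.path.join("dh", "dh4096.pem.201704"), link)
    return link, target


def audit(path):
    """Both views of `path`, as an admin would check them to decide whether a
    'group or other writable' warning refers to the link or to the real file."""
    return {
        "link_itself": group_or_other_writable(path, follow_symlinks=False),
        "target": group_or_other_writable(path, follow_symlinks=True),
        "target_mode": oct(stat.S_IMODE(os.stat(path).st_mode)),
    }


if __name__ == "__main__":
    link, _ = make_layout()
    print(audit(link))
```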