Linux – Exim – password disclosure by world-readable exim.conf – is that necessary

Tags: exim, linux, security

I saw that /etc/exim.conf is world-readable. The issue with this is that to configure Exim to use an SMTP service like SendGrid to route all outgoing email, you put your username and password into that file, which would then allow unprivileged users on the server to obtain it.

Is there any reason why this file can't be made only readable by root? I wonder why it wouldn't default to that given the possibility of it containing sensitive information. Does anyone know?

-rw-r--r-- 1 root root 57523 Jun 19 23:16 /etc/exim.conf

Best Answer

Normally passwords would go into a password file and be read as needed by the transport that needs it. The example configuration should contain auth examples for both server and client connections. It is possible to configure multiple authentication methods for server authentication and/or client authentication.

Exim uses two password files by default: /etc/exim/passwd for users connecting to exim, and /etc/exim/passwd.client when exim is connecting to a remote server.
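As an added example (not part of the question or the answer above), this is how the client-side password file the answer mentions is wired into an Exim configuration so that the relay credentials never sit in the world-readable exim.conf. The relay host smtp.example.net, the group name exim, the local_domains list from the stock configuration and the sample credential line are assumptions; check the option syntax against the Exim specification for your installed version.

```conf
# Added illustration, not from the original thread: route all outgoing mail through a
# relay and authenticate with credentials kept OUT of /etc/exim.conf.
# Assumed: relay host smtp.example.net, group "exim", file /etc/exim/passwd.client,
# and a "local_domains" domain list as defined in the stock configuration.

# /etc/exim/passwd.client holds one line per relay host, format  host:login:password
# Owner root, group exim, mode 0640, so unprivileged shell users cannot read it:
#   chown root:exim /etc/exim/passwd.client && chmod 0640 /etc/exim/passwd.client
# Constructed sample line for that file:
#   smtp.example.net:apikey:REPLACE-WITH-REAL-API-KEY

# ---- routers section: send everything that is not local via the relay ----
smarthost:
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp
  route_list = * smtp.example.net
  no_more

# ---- transports section: do not deliver to the relay unless TLS and AUTH succeed ----
remote_smtp:
  driver = smtp
  port = 587
  hosts_require_tls = smtp.example.net
  hosts_require_auth = smtp.example.net

# ---- authenticators section: look the credentials up at delivery time ----
# $host is the relay being contacted; lsearch returns the "login:password" part of its
# line, and "{$value}fail" aborts the expansion for hosts with no entry, so nothing is
# sent to them. client_send is a colon-separated list, so "::" is a literal colon and
# the leading ":" is the empty initial response that the LOGIN mechanism expects.
relay_login:
  driver = plaintext
  public_name = LOGIN
  client_send = ": ${extract{1}{::}{${lookup{$host}lsearch{/etc/exim/passwd.client}{$value}fail}}} : ${extract{2}{::}{${lookup{$host}lsearch{/etc/exim/passwd.client}{$value}fail}}}"
```

With this layout /etc/exim.conf can stay world-readable because it contains only file paths, while the 0640 password file is readable by root and the exim group alone.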
