From 255f3533294d70f6dc0660a279a781d441e96c9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20D=C3=BCsterhaupt?=
Date: Sun, 17 May 2026 10:49:11 +0200
Subject: [PATCH] Tighten permissions for service-bound certificates to 440
---
 dyntls.sh | 2 +-
 vars.example | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/dyntls.sh b/dyntls.sh
index b916f66..8aa0376 100644
--- a/dyntls.sh
+++ b/dyntls.sh
@@ -481,7 +481,7 @@ _vars_setup() {
 set_var DYNTLS_SEND_MAIL "false"
 set_list DYNTLS_DOMAIN_LIST "example365.tld:sub1.example365.tld:sub2.example365.tld" 1
- set_list DYNTLS_DOMAINSERVICE_LIST "mail02.example365.tld:postfix:root.root:444:postfix:root:1:restart:Postfix" 1
+ set_list DYNTLS_DOMAINSERVICE_LIST "mail02.example365.tld:postfix:root.root:440:postfix:root:1:restart:Postfix" 1
 set_var DYNTLS_PRODUCTIVE 0
diff --git a/vars.example b/vars.example
index 5d9cc86..903f20b 100644
--- a/vars.example
+++ b/vars.example
@@ -133,7 +133,7 @@
 # ------------------------------------------------------------------
 # Example service mapping (format: CN:pki_dir:user.group:chmod:service:owner:restartflag:restart|reload:displayname)
-#set_list DYNTLS_DOMAINSERVICE_LIST "mail02.example365.tld:postfix:root.root:444:postfix:root:1:restart:Postfix"
+#set_list DYNTLS_DOMAINSERVICE_LIST "mail02.example365.tld:postfix:root.root:440:postfix:root:1:restart:Postfix"
 # ------------------------------------------------------------------
 # OPTIONAL COMMAND HOOKS
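Review bot: The new default on the `DYNTLS_DOMAINSERVICE_LIST` line in `_vars_setup()` pairs mode `440` with `root.root`, so the group-read bit grants nothing beyond root and the entry only works for a service that opens its files as root. Anyone adapting the example to a daemon that reads its certificate under an unprivileged account will get an unreadable file now that world-read is gone, so the format comment in vars.example (second hunk) should say so, for example `# user.group must cover the account the service reads the files as; 440 removes world-read`. If the same chmod field is also applied to the private key, which the visible lines do not show, `440` still leaves it group-readable, and existing vars files that carry `444` are not tightened by changing this default, which deserves a line in the upgrade notes. `_vars_setup()` starts and ends outside the hunk.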