Patrik Schindler:
> Each and every time, Opendkim wakes up by work from Postfix, it creates
> a log entry:
>
> key data is not secure: <filename>.private is in group 133 which has multiple
> users (e.g., "postfix")
>
> This issue has existed since 2015 (when I added DKIM to my mailflow) and
> the according Debian release.
>
> Opendkim has its own group and for proper access rights from postfix, I added
> postfix to the opendkim group. If I don't set this, I get
>
> Oct 3 14:17:33 myhost postfix/smtpd[123464]: warning: connect to Milter
> service unix:/var/run/opendkim/opendkim.sock: Permission denied
>
> Setting RequireSafeKeys to "no" does not prevent the message from appearing, but
> just prevents Opendkim from exiting because of this condition.
>
> I think that group rights should not trigger this behavior, but instead only
> when "other" is allowed to read the private key.

Can you include the steps to reproduce this? I don’t see this behaviour
on my installation (opendkim 2.11.0~beta2-5).

Some of my configuration bits below:

$ grep -i -e keyfile -e userid -e umask -e socket -e requiresafekeys /etc/opendkim.conf
KeyFile /etc/dkimkeys/2020.private
UserID opendkim
UMask 007
Socket local:/var/spool/postfix/opendkim/opendkim.sock

$ sudo ls -ld /etc/dkimkeys{,/2020.private}
drwx------ 2 opendkim opendkim 4096 Aug 25 2021 /etc/dkimkeys
-rw------- 1 opendkim opendkim 1679 Nov 20 2020 /etc/dkimkeys/2020.private

$ sudo ls -ld /var/spool/postfix/opendkim{,/opendkim.sock}
drwxr-x--- 2 opendkim opendkim 27 Sep 29 16:32 /var/spool/postfix/opendkim
srwxrwx--- 1 opendkim opendkim 0 Sep 29 16:32 /var/spool/postfix/opendkim/opendkim.sock

$ groups postfix | grep -o opendkim
opendkim
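
Added example, not part of either message and not OpenDKIM's own code: a small Python audit of the condition the quoted log line names (a key accessible to a group that has more than one user), run over constructed cases. Treating only group- or other-accessible keys as findings is an assumption, consistent with the 0600 setup above; the function names and the 0640/0644 cases are hypothetical.

```python
import grp
import os
import pwd
import stat
import sys


def assess_key(mode, gid, group_users):
    """Return findings for a private key, given its mode bits, its group id
    and the set of user names in that group (primary or supplementary)."""
    findings = []
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("key is accessible to 'other'")
    if mode & (stat.S_IRGRP | stat.S_IWGRP) and len(group_users) > 1:
        names = ", ".join(sorted(group_users))
        findings.append(f"key is accessible to group {gid}, which has multiple users ({names})")
    return findings


def users_in_group(gid):
    """Collect supplementary members plus users whose primary group is gid."""
    users = set()
    try:
        users.update(grp.getgrgid(gid).gr_mem)
    except KeyError:
        pass  # gid has no entry in the group database
    users.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == gid)
    return users


def audit(path):
    """Assess a real key file on this host (assumed usage: run as root)."""
    st = os.stat(path)
    return assess_key(stat.S_IMODE(st.st_mode), st.st_gid, users_in_group(st.st_gid))


# Constructed cases. Group id 133 is the one in the quoted log line; the
# member names follow the thread (postfix added to the opendkim group).
MEMBERS = {"opendkim", "postfix"}
CASES = {"0600, as in the ls output above": 0o600,
         "0640, constructed": 0o640,
         "0644, constructed": 0o644}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit(sys.argv[1]) or "no findings")
    else:
        for label, mode in CASES.items():
            print(label, "->", assess_key(mode, 133, MEMBERS) or "no findings")
```

Run without arguments to see the constructed cases, or pass the path from the KeyFile setting to audit a real key.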