Patrik Schindler:
> Each and every time, Opendkim wakes up by work from Postfix, it creates
> a log entry:
>
> key data is not secure: <filename>.private is in group 133 which has multiple
> users (e.g., "postfix")
>
> This issue has been existing since 2015 (when I added DKIM to my mailflow) and
> the according Debian release.
>
> Opendkim has its own group and for proper access rights from postfix, added
> postfix to the opendkim group. If I don't set this, I get
>
> Oct 3 14:17:33 myhost postfix/smtpd[123464]: warning: connect to Milter
> service unix:/var/run/opendkim/opendkim.sock: Permission denied
>
> Setting RequireSafeKeys to "no" does not prevent the message from appearing, but
> just prevents Opendkim from exiting because of this condition.
>
> I think that group rights should not trigger this behavior, but instead only
> when "other" is allowed to read the private key.

Can you include the steps to reproduce this? I don’t see this behaviour on my
installation (opendkim 2.11.0~beta2-5). Some of my configuration bits below:

$ grep -i -e keyfile -e userid -e umask -e socket -e requiresafekeys /etc/opendkim.conf
KeyFile /etc/dkimkeys/2020.private
UserID opendkim
UMask 007
Socket local:/var/spool/postfix/opendkim/opendkim.sock

$ sudo ls -ld /etc/dkimkeys{,/2020.private}
drwx------ 2 opendkim opendkim 4096 Aug 25 2021 /etc/dkimkeys
-rw------- 1 opendkim opendkim 1679 Nov 20 2020 /etc/dkimkeys/2020.private

$ sudo ls -ld /var/spool/postfix/opendkim{,/opendkim.sock}
drwxr-x--- 2 opendkim opendkim 27 Sep 29 16:32 /var/spool/postfix/opendkim
srwxrwx--- 1 opendkim opendkim 0 Sep 29 16:32 /var/spool/postfix/opendkim/opendkim.sock

$ groups postfix | grep -o opendkim
opendkim
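Added example, not part of either message and not OpenDKIM's own code: a small audit that reports a private key file only when its mode bits grant access to "other", or to a group that has more than one user. The names group_users and audit_key are made up for this example, and it assumes the local passwd and group databases can be enumerated.

```python
import grp
import os
import pwd
import stat


def group_users(gid):
    """Users who hold gid, as supplementary members or as their primary group."""
    try:
        users = set(grp.getgrgid(gid).gr_mem)
    except KeyError:  # gid has no entry in the group database
        users = set()
    users.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == gid)
    return sorted(users)


def audit_key(path, members_of=group_users):
    """Return a list of findings for a private key file (empty list means OK).

    members_of is injectable so the check can be exercised without touching
    the real group database (hypothetical parameter for this example).
    """
    st = os.stat(path)
    findings = []
    if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("%s is accessible to other" % path)
    # Group membership only matters when the group bits grant something.
    if st.st_mode & (stat.S_IRGRP | stat.S_IWGRP):
        users = members_of(st.st_gid)
        if len(users) > 1:
            findings.append(
                "%s is accessible to group %d which has multiple users (%s)"
                % (path, st.st_gid, ", ".join(users)))
    return findings


if __name__ == "__main__":
    import sys
    for key in sys.argv[1:]:
        for line in audit_key(key) or ["%s: ok" % key]:
            print(line)
```

Run it as a user that can stat the key, passing the KeyFile path as the argument; the parent directory's mode is not examined here.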