On 03 Sep 2017, at 12:38 PM, Tom Browder <tom.brow...@gmail.com> wrote:

> The docs mention not to use root or postfix for the "-u UID" option. Then 
> what user should it be? Is a new user to be created for that purpose?

Yes.

> Should that same user own the /var/db/dkim directory and files?

No.

The idea is that opendkim’s files must be read only, so that someone who 
manages to remote control the opendkim process cannot use this to fiddle with 
the filesystem and opendkim’s settings. You achieve this by making your files 
owned by one user (Wietse recommended root) and having another user (example: 
user opendkim) run the opendkim process. In the process, the opendkim process 
can look, but not touch.

In addition, make the secret readable by root only. Opendkim will read the 
secret as root on startup, then drop privileges so that anyone who takes over 
the opendkim user cannot read the secret.

Regards,
Graham
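
A check for the layout described in the message above, added here as an example (it is not part of the original message and is not OpenDKIM code). The file names and uids in `demo()` are constructed, the current user stands in for root there, and treating group-writable files as a finding is an assumption of this sketch.

```python
import os
import pwd
import stat
import sys
import tempfile


def audit(conf_dir, key_path, daemon_uid, owner_uid=0):
    """Return findings; an empty list means the daemon can look but not touch."""
    findings = []
    paths = [conf_dir]
    for root, dirs, files in os.walk(conf_dir):
        paths += [os.path.join(root, name) for name in dirs + files]
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not enforced
        if st.st_uid == daemon_uid:
            findings.append(f"{path}: owned by the daemon user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: writable by group or others")
    key = os.stat(key_path)
    if key.st_uid != owner_uid:
        findings.append(f"{key_path}: key not owned by uid {owner_uid}")
    if key.st_mode & 0o077:
        findings.append(f"{key_path}: key accessible beyond its owner")
    return findings


def demo():
    """Constructed layout in a temp dir; the current user stands in for root."""
    me, daemon = os.getuid(), os.getuid() + 1  # daemon uid is made up
    with tempfile.TemporaryDirectory() as d:
        conf, key = os.path.join(d, "opendkim.conf"), os.path.join(d, "example.private")
        for path, mode in ((conf, 0o644), (key, 0o600)):
            open(path, "w").close()  # constructed empty sample file
            os.chmod(path, mode)
        good = audit(d, key, daemon, owner_uid=me)
        os.chmod(key, 0o644)   # weak: secret now readable by the daemon user
        os.chmod(conf, 0o666)  # weak: daemon user could rewrite the settings
        return good, audit(d, key, daemon, owner_uid=me)


if __name__ == "__main__":  # optional args: CONF_DIR KEY_FILE DAEMON_USER
    if len(sys.argv) == 4:
        uid = pwd.getpwnam(sys.argv[3]).pw_uid
        print(audit(sys.argv[1], sys.argv[2], uid) or "ok")
    else:
        print(demo())
```
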