Just a small nit:

running opendkim as user opendkim in the systemd service file completely
defeats the ability of opendkim to drop privileges *after* reading the
private keys as root. I suspect most people aren't aware that having a
daemon start as root and drop privileges itself is a security feature?

Anyway, don't specify "User" and "Group" in the service file, but do use
the "-u opendkim" option. And then make the private keys owned by root.

-- 
Harald

On 3 September 2017 at 11:45, pgndev <pgnet....@gmail.com> wrote:

> fyi, if you prefer a dedicated user approach, just need to make sure
> you're consistent,
>
> groupdel opendkim
> groupadd opendkim
> useradd  opendkim -g opendkim -G "" -s /bin/false -d /var/run/opendkim -M
> usermod -a -G opendkim postfix
>
> id opendkim
>     uid=5117(opendkim) gid=5117(opendkim) groups=5117(opendkim)
> id postfix
>     uid=5001(postfix) gid=5001(postfix) groups=5001(postfix),12(mail),5002(postdrop),...,5117(opendkim),...
>
>
> cat /etc/systemd/system/opendkim.service
>     ...
>     [Service]
>     User=opendkim
>     Group=opendkim
>     Type=forking
>     PIDFile=/var/run/opendkim/opendkim.pid
>     ExecStart=/opt/opendkim/sbin/opendkim -l -x /usr/local/etc/opendkim/opendkim.conf -u opendkim
>     ...
>
> cat /usr/local/etc/opendkim/opendkim.conf
>     ...
>     UserID    opendkim:opendkim
>     Socket    local:/var/run/opendkim/opendkim.sock
>     PidFile   /var/run/opendkim/opendkim.pid
>     ...
>
> cat /usr/local/etc/opendkim/key_table
>     dkim-56..._domainkey.example1.com    example1.com:dkim-56...:/usr/local/etc/sec/dkim/dkim-146...example1.com.key.pem
>     dkim-0e..._domainkey.example2.com    example2.com:dkim-0e...:/usr/local/etc/sec/dkim/dkim-146...example2.com.key.pem
>     ...
>
> ls -alr /var/run/opendkim
>     total 4.0K
>     srwxrwxr-x  1 opendkim opendkim    0 Sep  2 09:33 opendkim.sock=
>     -rw-r--r--  1 opendkim opendkim    5 Sep  2 09:33 opendkim.pid
>     drwxr-xr-x 42 root     root     1.2K Sep  3 08:06 ../
>     drwxr-xr-x  2 opendkim opendkim   80 Sep  2 09:33 ./
>
> ls -alr /usr/local/etc/opendkim
>     total 40K
>     -rw-rw-r--+  1 opendkim opendkim   93 May 30  2016 trusted_hosts
>     -rw-r-----+  1 opendkim opendkim 2.1K May 30  2016 signing_table
>     -rw-r-----+  1 opendkim opendkim 7.6K May 30 08:26 opendkim.conf
>     -rw-r-----+  1 opendkim opendkim 4.1K May 30  2016 key_table
>     drwxrwxr-x+ 32 root     root     4.0K Aug 28 07:30 ../
>     drwxr-xr-x+  2 opendkim opendkim 4.0K May 30  2016 ./
>
> ls -al /usr/local/etc/sec/dkim
>     total 384K
>     drwxr-xr-x  2 opendkim opendkim  12K May 30  2016 ./
>     drwxr-xr-x 10 root     root     4.0K Aug 28 07:32 ../
>     -rw-------  1 opendkim opendkim 1.7K May 30  2016 dkim-14...example1.com.key.pem
>     -rw-------  1 opendkim opendkim  451 May 30  2016 dkim-14...example1.com.pubkey.pem
>     -rw-------  1 opendkim opendkim 1.7K May 30  2016 dkim-14...example2.com.key.pem
>     -rw-------  1 opendkim opendkim  451 May 30  2016 dkim-14...example2.com.pubkey.pem
>     ...
>
> cat /usr/local/etc/postfix/master.cf
>     ...
>     [127.0.0.1]:10005 inet n - n - - smtpd
>       -o smtpd_milters=...,unix:/var/run/opendkim/opendkim.sock,...
>     ...
>     [int.mx.MYDOMAIN.COM]:587 inet n - n - - smtpd
>       -o smtpd_milters=...,unix:/var/run/opendkim/opendkim.sock,...
>     ...
>
> cat /usr/local/etc/postfix/main.cf
>     ...
>     authorized_submit_users = ..., opendkim, ...
>     ...
>
>
> works well here.
>
> hth.
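The privilege-drop model Harald recommends, as an added audit script that is not from either poster: it flags a systemd unit that sets User=/Group= or whose ExecStart lacks "-u <user>", and judges private-key ownership and mode. It assumes GNU coreutils (stat -c) and treats root-owned keys with mode 0400 or 0600 as correct; the paths in the trailing comment are the ones from the quoted thread.

```shell
#!/bin/sh
# Added audit helper (not from the thread): checks whether an opendkim
# deployment follows the "start as root, let opendkim drop privileges" model
# instead of being started unprivileged by systemd. Findings go to stdout;
# each check returns 1 when the deployment deviates from that model.
# Assumes GNU coreutils (stat -c).

# Inspect a systemd unit: no User=/Group= lines, and ExecStart must carry
# "-u <user>" (or "-u <user>:<group>") so the daemon drops privileges itself.
check_unit_file() {
    unit="$1"
    rc=0
    if grep -Eq '^[[:space:]]*(User|Group)=' "$unit"; then
        echo "FINDING: $unit sets User=/Group=, so the keys must be readable by that user"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*ExecStart=.*[[:space:]]-u[[:space:]]+[A-Za-z_][A-Za-z0-9_:.-]*' "$unit"; then
        echo "FINDING: $unit ExecStart has no '-u <user>'; opendkim would keep root"
        rc=1
    fi
    return $rc
}

# Judge a private key's owner and octal mode: root-owned, 0400 or 0600.
check_key_perms() {
    owner="$1"
    mode="$2"
    rc=0
    if [ "$owner" != root ]; then
        echo "FINDING: key owned by $owner, expected root"
        rc=1
    fi
    case "$mode" in
        400|600) ;;
        *) echo "FINDING: key mode $mode, expected 0400 or 0600"; rc=1 ;;
    esac
    return $rc
}

# Convenience wrapper over a real file path.
check_key_file() {
    check_key_perms "$(stat -c '%U' "$1")" "$(stat -c '%a' "$1")"
}

# Example run against a live system (paths taken from the quoted thread):
# check_unit_file /etc/systemd/system/opendkim.service
# for k in /usr/local/etc/sec/dkim/*.key.pem; do check_key_file "$k"; done
```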
