haha I was going to mention the Arch Wiki - it also gives misleading advice. Their improved setup has private keys owned by (and writable by!) the same user that the daemon runs as. Hacked daemon -> private key compromise.
The default service file installed by the Arch package runs as root, btw, and drops privileges if you specify a "UserID" in the config file.

-- Harald

On 3 September 2017 at 12:08, pgndev <pgnet....@gmail.com> wrote:
> fwiw, from Arch wiki
>
> https://wiki.archlinux.org/index.php/OpenDKIM
> "The OpenDKIM daemon does not need to run as root at all (the
> configuration suggested earlier will have OpenDKIM drop root privileges by
> itself, but systemd can do this too and much earlier)."
>
> cat /etc/systemd/system/opendkim.service
> ...
> [Service]
> Type=forking
> User=opendkim
> Group=postfix
> ...
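
A check for the condition raised in this message (private keys owned by, or writable by, the account the daemon runs as), written as an added example that is not part of the thread or the Arch Wiki. It assumes a `stat` that supports `-c` and key files named `*.private`; the function name `audit_dkim_keys` and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): flag DKIM private keys that the
# signing daemon's own account could overwrite or re-permission.
# Assumptions: stat supports -c (GNU coreutils/BusyBox); keys are *.private.

# audit_dkim_keys KEYDIR DAEMON_USER [EXTRA_GROUPS]
#   EXTRA_GROUPS: space-separated groups the service also runs with,
#   e.g. a systemd Group= value that is not in the account's own group list.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad input.
audit_dkim_keys() {
    keydir=$1
    daemon_user=$2
    if ! id -u "$daemon_user" >/dev/null 2>&1; then
        echo "unknown account: $daemon_user" >&2
        return 2
    fi
    daemon_groups=" $(id -Gn "$daemon_user") ${3:-} "

    # Directories are included: write access to a directory allows a key
    # file inside it to be replaced even when the file itself is read-only.
    findings=$(
        find "$keydir" \( -type d -o -name '*.private' \) \
            -exec stat -c '%U %G %a %n' {} + |
        while read -r owner group mode path; do
            if [ "$owner" = "$daemon_user" ]; then
                echo "$path: owned by $daemon_user (owner can chmod and rewrite)"
            fi
            case $daemon_groups in
                *" $group "*)
                    if [ $(( 0$mode & 020 )) -ne 0 ]; then
                        echo "$path: group-writable by $group"
                    fi ;;
            esac
            if [ $(( 0$mode & 002 )) -ne 0 ]; then
                echo "$path: world-writable"
            fi
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

The check covers only the key directory tree it is given; ancestors of that directory and ACLs are outside what it inspects.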