Of course, it can't actually b this simple. None of this applies if you use a KeyTable:
Thus, keys referenced by the KeyTable must always be accessible for read by the unprivileged user. Those keys are read at first use, not when the daemon starts up. *sigh. I knew there was something I was forgetting. -- Harald On 3 September 2017 at 12:15, Harald Koch <c...@pobox.com> wrote: > haha I was going to mention the Arch Wiki - it also gives misleading > advice. Their improved setup has private keys owned by (and writable by!) > the same user that the daemon runs as. Hacked daemon -> private key > compromise. > > The default service file installed by the Arch package runs as root, btw, > and drops privileges if you specify a "UserID" in the config file. > > -- > Harald > > > On 3 September 2017 at 12:08, pgndev <pgnet....@gmail.com> wrote: > >> fwiw, from Arch wiki >> >> https://wiki.archlinux.org/index.php/OpenDKIM >> "The OpenDKIM daemon does not need to run as root at all (the >> configuration suggested earlier will have OpenDKIM drop root privileges by >> itself, but systemd can do this too and much earlier)." >> >> cat /etc/systemd/system/opendkim.service >> ... >> [Service] >> Type=forking >> User=opendkim >> Group=postfix >> ... >> >> >> >