Frustration with opendkim

Folks:
I have been extremely frustrated with opendkim on Ubuntu 22.04.
I am getting this error that does not seem to make sense:


Oct 16 22:42:55 mail.bellinghamtelevision.com opendkim[1721]: opendkim: /etc/opendkim.conf: opendkim is in group 1000 which has multiple users (e.g., "maallyn")
Oct 16 22:42:55 mail.bellinghamtelevision.com systemd[1]: opendkim.service: Control process exited, code=exited, status=78/CONFIG
Oct 16 22:42:55 mail.bellinghamtelevision.com systemd[1]: opendkim.service: Failed with result 'exit-code'.
Oct 16 22:42:55 mail.bellinghamtelevision.com systemd[1]: Failed to start OpenDKIM Milter.
Oct 16 22:42:55 mail.bellinghamtelevision.com systemd[1]: opendkim.service: Scheduled restart job, restart counter is at 4.
Oct 16 22:42:55 mail.bellinghamtelevision.com systemd[1]: Stopped OpenDKIM Milter.
Oct 16 22:42:55 mail.bellinghamtelevision.com systemd[1]: Starting OpenDKIM Milter…
Oct 16 22:42:55 mail.bellinghamtelevision.com opendkim[1722]: /etc/mail/dkim-keys/bellinghamtelevision.com/default.private: key data is not secure: opendkim is in group 1000 which has multiple users (e.g., "maallyn")

===================================================================

Here is my /etc/passwd file:

root@mail:/etc/mail/dkim-keys/bellinghamtelevision.com# chown root default.private
root@mail:/etc/mail/dkim-keys/bellinghamtelevision.com# systemctl restart opendkim.service
Job for opendkim.service failed because the control process exited with error code.
See "systemctl status opendkim.service" and "journalctl -xeu opendkim.service" for details.
root@mail:/etc/mail/dkim-keys/bellinghamtelevision.com# systemctl restart opendkim.service
Job for opendkim.service failed because the control process exited with error code.
See "systemctl status opendkim.service" and "journalctl -xeu opendkim.service" for details.
root@mail:/etc/mail/dkim-keys/bellinghamtelevision.com# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:102:105::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
syslog:x:104:111::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:113::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:114::/nonexistent:/usr/sbin/nologin
usbmux:x:109:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
landscape:x:112:116::/var/lib/landscape:/usr/sbin/nologin
maallyn:x:1000:1000:Mark Allyn,,,:/home/maallyn:/bin/bash
postfix:x:113:118::/var/spool/postfix:/usr/sbin/nologin
opendkim:x:114:120::/run/opendkim:/usr/sbin/nologin

Here is my /etc/group file:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-network:x:102:
systemd-resolve:x:103:
crontab:x:104:
messagebus:x:105:
systemd-timesync:x:106:
input:x:107:
sgx:x:108:
kvm:x:109:
render:x:110:
syslog:x:111:
tss:x:112:
uuidd:x:113:
tcpdump:x:114:
_ssh:x:115:
landscape:x:116:
maallyn:x:1000:
ssl-cert:x:117:
postfix:x:118:
postdrop:x:119:
opendkim:x:120:postfix

=======================================================

And here is the directory hierarchy with permissions:

root@mail:/etc/mail# find . -exec ls -ld {} \;
drwxr-xr-x 4 root root 4096 Oct 15 16:08 .
-rw-r--r-- 1 root root 108 Oct 15 16:08 ./dkim.key
drwxr-xr-x 2 root root 4096 Oct 15 16:03 ./m4
-rw-r--r-- 1 root root 103 Aug 5 2021 ./m4/opendkim.m4
drwxr-xr-x 3 opendkim opendkim 4096 Oct 15 16:04 ./dkim-keys
drwxr-xr-x 2 opendkim opendkim 4096 Oct 15 16:48 ./dkim-keys/bellinghamtelevision.com
-rw------- 1 root opendkim 1704 Oct 15 16:35 ./dkim-keys/bellinghamtelevision.com/default.private
-rw------- 1 root root 520 Oct 15 16:35 ./dkim-keys/bellinghamtelevision.com/default.txt

===========================================================

Here is my opendkim configure file:

root@mail:/etc/mail# cat /etc/opendkim.conf

# This is a basic configuration for signing and verifying. It can easily be
# adapted to suit a basic installation. See opendkim.conf(5) and
# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
# documentation of available configuration parameters.

Syslog yes
SyslogSuccess yes
#LogWhy no

# Common signing and verification parameters. In Debian, the "From" header is
# oversigned, because it is often the identity key used by reputation systems
# and thus somewhat security sensitive.
Canonicalization relaxed/simple
Mode sv
#SubDomains no
OversignHeaders From

# Signing domain, selector, and key (required). For example, perform signing
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
# using the private key stored in /etc/dkimkeys/example.private. More granular
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
Domain bellinghamtelevision.com
Selector default
KeyFile /etc/mail/dkim-keys/bellinghamtelevision.com/default.private

# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
# using a local socket with MTAs that access the socket as a non-privileged
# user (for example, Postfix). You may need to add user "postfix" to group
# "opendkim" in that case.
UserID opendkim
UMask 007

# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
# configured as shown on the last line below.
Socket local:/run/opendkim/opendkim.sock
#Socket inet:8891@localhost
#Socket inet:8891
#Socket local:/var/spool/postfix/opendkim/opendkim.sock

PidFile /run/opendkim/opendkim.pid

# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
# OPERATION section of opendkim(8) for more information.
InternalHosts 45.79.75.188

# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
# by the package dns-root-data.
TrustAnchorFile /usr/share/dns/root.key
#Nameservers 127.0.0.1

========================================================

Thank you
Mark Allyn

4 Replies

I found this note on a similar bug report on SourceForge:

What are the owner/group and permissions of the key file? The error message you're getting is given when the key file has the group read/write bits set (either or both), and the group of the key file contains multiple users.

[Emphasis added]

I guess the moral of the story is to make the permissions of the keyfile -rw-r--r--. IMHO, opendkim is pretty old and pretty brittle.

I recently junked all my milters (opendkim, py-spfmilter & opendmarc) and migrated to rspamd… It looked pretty formidable at first but it was actually quite easy.

-- sw
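One way to check a DKIM key file against the rule quoted in the reply above, as an added example that is not code from this thread or from the OpenDKIM project. It works on excerpts of /etc/passwd and /etc/group modelled on the ones posted in the question (constructed here, not read from the system), and the function names `parse_passwd`, `parse_group`, `group_users` and `check_key_file` are this example's own. Two things in it are assumptions rather than statements from the thread: that "the group contains multiple users" counts both explicit /etc/group members and accounts whose primary GID is that group, and the two extra hardening checks (no world-accessible bits, and the service account must actually be able to read the key), which are added here and are not described as opendkim's behaviour on this page.

```python
"""Permission check for a DKIM private key, modelled on the rule quoted above:
reject the key when its group read/write bits are set and the file's group
contains more than one user. Added example; not code from the thread or from
OpenDKIM. The world-bits check and the readability check are extra checks of
this example, not documented opendkim behaviour."""
import stat

# Constructed excerpts modelled on the /etc/passwd and /etc/group in the thread.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
maallyn:x:1000:1000:Mark Allyn,,,:/home/maallyn:/bin/bash
postfix:x:113:118::/var/spool/postfix:/usr/sbin/nologin
opendkim:x:114:120::/run/opendkim:/usr/sbin/nologin
"""
GROUP_TEXT = """\
root:x:0:
maallyn:x:1000:
postfix:x:118:
opendkim:x:120:postfix
"""


def parse_passwd(text):
    """Map user name -> (uid, primary gid) from passwd(5) formatted text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """Map gid -> (group name, set of explicit member names) from group(5) text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups


def group_users(gid, users, groups):
    """Every account that belongs to gid: explicit members from /etc/group plus
    accounts whose primary GID is gid (assumed counting rule; the thread only
    says the group 'contains multiple users')."""
    _name, members = groups.get(gid, (str(gid), set()))
    primary = {u for u, (_uid, g) in users.items() if g == gid}
    return sorted(members | primary)


def check_key_file(mode, owner_uid, owner_gid, users, groups, service="opendkim"):
    """Return (ok, reason) for a key file with permission bits `mode` (e.g. 0o640)
    owned by owner_uid:owner_gid, checked on behalf of the `service` account."""
    svc_uid, _svc_gid = users[service]
    # Extra check (this example's own): a private key must never be world-accessible.
    if mode & stat.S_IRWXO:
        return False, "key can be read or written by other users"
    # The rule quoted in the reply: group r/w bits set and the group has > 1 user.
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        members = group_users(owner_gid, users, groups)
        if len(members) > 1:
            return False, (f"{service} is in group {owner_gid} which has multiple "
                           f"users (e.g., \"{members[0]}\")")
    # Extra check (this example's own): the service account must be able to read
    # the key under plain owner/group/other permissions.
    if owner_uid == svc_uid:
        readable = bool(mode & stat.S_IRUSR)
    elif service in group_users(owner_gid, users, groups):
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)
    if not readable:
        return False, f"key is not readable by {service}"
    return True, "ok"


if __name__ == "__main__":
    users = parse_passwd(PASSWD_TEXT)
    groups = parse_group(GROUP_TEXT)
    # 0640 opendkim:opendkim with postfix in the opendkim group; 0600 root:opendkim
    # as in the question after the chown; 0600 opendkim:opendkim.
    for mode, uid, gid in [(0o640, 114, 120), (0o600, 0, 120), (0o600, 114, 120)]:
        print(oct(mode), uid, gid, check_key_file(mode, uid, gid, users, groups))
```

The first case is the one the reply describes: once "postfix" has been added to group "opendkim" (as the Debian config comment suggests for the local socket), a 0640 key in that group has two users behind its group bits and is rejected. The second case shows why a root-owned 0600 key is not a fix either: the opendkim account can no longer read it. A key owned by the service account with mode 0600 passes all three checks.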

Thank you! I have never heard of rspamd. Good suggestion! Can I assume that opendkim is on its way to becoming abandonware?

Can I assume that opendkim is on its way to becoming abandonware?

Maybe not that drastic an assumption but it's a very long time between updates…which are usually just bug fixes. Ditto for the other two milters. I submitted a bug fix for py-spfmilter 2 years ago and it still hasn't been integrated…

-- sw

I got the same error but the problem turned out to be that I had key.table in the wrong folder.
