
[BUG] Opendkim doesn't work for domains installed in AlternC

Open ulvida opened this issue 3 years ago • 3 comments

With an AlternC 35-rc (Koumbit repos) installed with the AlternC ansible role, in addition to the #404 opendkim bug, which can be solved by the proposed workarounds, once this opendkim.conf template is fixed, when you install DNS zones managed by AlternC, opendkim outputs a security issue because the private keys are not owned by the user that runs the script (0, root):

root@anacahuita:/etc/opendkim/keys/spip.a.softwarelibre.uy# service opendkim status
● opendkim.service - OpenDKIM DomainKeys Identified Mail (DKIM) Milter
   Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2021-07-05 15:53:36 -03; 1h 16min ago
     Docs: man:opendkim(8)
           man:opendkim.conf(5)
           man:opendkim-genkey(8)
           man:opendkim-genzone(8)
           man:opendkim-testadsp(8)
           man:opendkim-testkey
           http://www.opendkim.org/docs.html
  Process: 21897 ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf (code=exited, status=0/SUCCESS)
  Process: 23683 ExecReload=/bin/kill -USR1 $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 21898 (opendkim)
    Tasks: 7 (limit: 4697)
   Memory: 5.5M
   CGroup: /system.slice/opendkim.service
           └─21898 /usr/sbin/opendkim -x /etc/opendkim.conf

jul 05 17:05:07 anacahuita opendkim[21898]: alternc._domainkey.spip.a.softwarelibre.uy: key data is not secure: /etc/opendkim/keys/spip.a.softwarelibre.uy/alternc.private is not owned by th
jul 05 17:05:07 anacahuita opendkim[21898]: 5F83A601F4: error loading key 'alternc._domainkey.spip.a.softwarelibre.uy'
jul 05 17:05:19 anacahuita opendkim[21898]: alternc._domainkey.spip.a.softwarelibre.uy: key data is not secure: /etc/opendkim/keys/spip.a.softwarelibre.uy/alternc.private is not owned by th
jul 05 17:05:19 anacahuita opendkim[21898]: 80FA2601F4: error loading key 'alternc._domainkey.spip.a.softwarelibre.uy'
jul 05 17:05:50 anacahuita opendkim[21898]: alternc._domainkey.spip.a.softwarelibre.uy: key data is not secure: /etc/opendkim/keys/spip.a.softwarelibre.uy/alternc.private is not owned by th
jul 05 17:05:50 anacahuita opendkim[21898]: C9EE0601F4: error loading key 'alternc._domainkey.spip.a.softwarelibre.uy'
jul 05 17:08:43 anacahuita opendkim[21898]: alternc._domainkey.spip.a.softwarelibre.uy: key data is not secure: /etc/opendkim/keys/spip.a.softwarelibre.uy/alternc.private is not owned by th
jul 05 17:08:43 anacahuita opendkim[21898]: 8D1E0601F4: error loading key 'alternc._domainkey.spip.a.softwarelibre.uy'
jul 05 17:08:48 anacahuita opendkim[21898]: alternc._domainkey.spip.a.softwarelibre.uy: key data is not secure: /etc/opendkim/keys/spip.a.softwarelibre.uy/alternc.private is not owned by th
jul 05 17:08:48 anacahuita opendkim[21898]: 740F5601F4: error loading key 'alternc._domainkey.spip.a.softwarelibre.uy'

These errors emerge when trying to send an email from the roundcube of AlternC, which fails. We can see the file rights:

root@anacahuita:/etc/opendkim/keys/spip.a.softwarelibre.uy# ls -la
total 16
drwxr-xr-x 2 root     root     4096 jul  5 16:37 .
drwxr-xr-x 4 root     root     4096 jul  5 16:37 ..
-rw------- 1 opendkim opendkim 1679 jul  5 16:37 alternc.private
-rw------- 1 root     root      528 jul  5 16:37 alternc.txt

If I fix the file rights:

root@anacahuita:/etc/opendkim/keys/spip.a.softwarelibre.uy# chown root:root alternc.private 

Then I can send the mail with no problem, and it's DKIM signed.

ulvida avatar Jul 05 '21 20:07 ulvida

This is a duplicate issue with #440. As I say in this issue, the best way to fix that is to run opendkim with opendkim user.

bleuchtang avatar Jul 06 '21 11:07 bleuchtang

> This is a duplicate issue with #440. As I say in this issue, the best way to fix that is to run opendkim with opendkim user.

Indeed. Thanks @bleuchtang. It's also a duplicate of #404, for which I'm proposing the PR #474.

ulvida avatar Jul 06 '21 12:07 ulvida

Hi

As a duplicate of issue #404, I close this. We have more information about the solution to apply.

camlafit avatar Apr 15 '24 10:04 camlafit
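
Added example, not part of the thread and not AlternC or OpenDKIM code: a shell function that audits every `*.private` key under a directory against the uid the signer runs as, which is the mismatch the log in this issue reports. The function name, the output format and the extra group/other permission check are assumptions of this example, and it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example: compare DKIM private key ownership with the signer's uid.
# Usage: audit_dkim_keys KEYDIR EXPECTED_UID
#   e.g. audit_dkim_keys /etc/opendkim/keys 0                     # signer runs as root
#        audit_dkim_keys /etc/opendkim/keys "$(id -u opendkim)"   # signer runs as opendkim
# Prints one OK/OWNER/MODE line per finding.
# Returns 0 if all keys pass, 1 on any finding, 2 if no key was found.
audit_dkim_keys() {
    keydir=$1
    want_uid=$2
    findings=0
    # One path per line; key paths in this layout contain no newlines.
    list=$(find "$keydir" -type f -name '*.private' | sort)
    [ -n "$list" ] || { echo "NOKEYS $keydir"; return 2; }
    while IFS= read -r key; do
        # GNU stat: %u = numeric owner uid, %a = octal permission bits
        set -- $(stat -c '%u %a' "$key")
        owner=$1 mode=$2 bad=0
        if [ "$owner" != "$want_uid" ]; then
            echo "OWNER $key uid=$owner expected=$want_uid"
            bad=1
        fi
        # Assumed hygiene rule: no group or other access to a private key.
        case $mode in
            0|*00) ;;
            *) echo "MODE $key mode=$mode"; bad=1 ;;
        esac
        if [ "$bad" -eq 0 ]; then echo "OK $key"; else findings=1; fi
    done <<EOF
$list
EOF
    return "$findings"
}

# Run directly: ./audit.sh KEYDIR EXPECTED_UID
if [ "$#" -eq 2 ]; then
    audit_dkim_keys "$1" "$2"
fi
```

Run it once with the uid the daemon actually has and once with the uid you intend it to have; a key that passes only one of the two is the situation described in this issue.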