
"Key Data is Not Secure" log message from OpenDKIM

Open Futurama56 opened this issue 11 years ago • 18 comments

message repeated 71 times: [ XXX.com: key data is not secure: /home/user-data is writeable and owned by uid 1000 which is not the executing uid (110) or the superuser]

Any hints?

Futurama56 avatar Aug 02 '14 20:08 Futurama56

OpenDKIM is the only program complaining about this. I was planning on ignoring it. The threat model for this project assumes all local users are privileged, so it's not really a problem.

JoshData avatar Aug 02 '14 20:08 JoshData

It would be nice to have a solution, as 71 times will soon become 700,000!

Futurama56 avatar Aug 03 '14 00:08 Futurama56

Do you have RequireSafeKeys false in /etc/opendkim.conf?

JoshData avatar Aug 16 '14 16:08 JoshData

This warning is still there. I checked /etc/opendkim.conf and RequireSafeKeys is set to false.

CGeorges avatar Jun 10 '15 11:06 CGeorges

@JoshData is right. Tested on Debian 7, it works perfectly.

boussou avatar Aug 07 '15 14:08 boussou

Same warning here in 2019, latest stable release. And:

grep RequireSafeKeys /etc/opendkim.conf
RequireSafeKeys false

alpha-and-omega avatar May 10 '19 15:05 alpha-and-omega

Same error here almost a month later...

# grep RequireSafeKeys /etc/opendkim.conf
RequireSafeKeys         false

Latest release according to the status checks.

andyjeffries avatar Jun 04 '19 10:06 andyjeffries

Same here. I would like this issue reopened.

ringe avatar Jul 22 '19 19:07 ringe

Do you just need to change a permission somewhere to make this go away?

CholoTook avatar Mar 17 '20 14:03 CholoTook

I was wondering about simply changing /home/user-data to be owned by opendkim?

CholoTook avatar Jun 03 '20 09:06 CholoTook

zgrep -c "key data is not secure" /var/log/mail.log*
/var/log/mail.log:984
/var/log/mail.log.1:1769
/var/log/mail.log.2.gz:2357
/var/log/mail.log.3.gz:1811
/var/log/mail.log.4.gz:2397

and

grep RequireSafeKeys /etc/opendkim.conf
RequireSafeKeys         false

CholoTook avatar Jun 03 '20 09:06 CholoTook

@CholoTook

Making /home/user-data owned by opendkim means you are effectively putting nearly all of your security into the hands of the OpenDKIM project.

myfirstnameispaul avatar Jun 03 '20 12:06 myfirstnameispaul

Is that good?

On Wed, 3 Jun 2020 at 13:24, Paul [email protected] wrote:

@CholoTook https://github.com/CholoTook

Making /home/user-data owned by opendkim means you are effectively putting nearly all of your security into the hands of the OpenDKIM project.


CholoTook avatar Jun 03 '20 13:06 CholoTook

@CholoTook Not at all.

71GA avatar Jan 04 '21 12:01 71GA

sudo chmod 600 /etc/opendkim/mail.private

Worked for me.

juank-R avatar Oct 03 '22 15:10 juank-R

I'd also like to see this message silenced when RequireSafeKeys is false. I have a use case where another user with very low privileges needs to be able to write keys for OpenDKIM, for security reasons I can't publicly discuss, so it would be nice if it didn't complain about it all the time, since I already explicitly told it that was okay with RequireSafeKeys false.

EDIT: Missing word

KyleMaas avatar Sep 11 '23 15:09 KyleMaas

Is there a fix for this?

opendkim-testkey: key not secure
opendkim-testkey: key OK

The folder and file permissions are set to:

ls -al /etc/opendkim/
drwx------. 3 opendkim opendkim 4096 Mar 14 00:35 keys

ls -al /etc/opendkim/keys
drwx------. 2 opendkim opendkim 4096 Apr 15 19:08 mydomain.tld

ls -al /etc/opendkim/keys/mydomain.tld
-rw-------. 1 root root 1704 Apr 15 19:08 20240101.private

frankofno avatar Apr 15 '24 17:04 frankofno

@frankofno, if you chown the 20240101.private key to belong to opendkim:opendkim, it should be fine.
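As an added illustration (not code from this thread, from Mail-in-a-Box or from OpenDKIM), the following POSIX sh check is modelled on the wording of the log message at the top: it walks from the key file up to a top directory and flags anything that is group- or world-writable, or that is owner-writable but owned by neither the daemon uid nor root. The daemon uid 110 and /home/user-data come from the thread; the key file name in the usage comment is a placeholder, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# dkim_key_safe KEYFILE TOPDIR EXEC_UID
# Exit 0 when KEYFILE and every directory from its parent up to (and
# including) TOPDIR pass an OpenDKIM-style "safe key" test:
#   - no component is group- or world-writable
#   - any component that is owner-writable is owned by EXEC_UID or root
# Exit 1 (with a reason on stdout) otherwise, 2 if a path cannot be stat'ed.
dkim_key_safe() {
    key=$1 top=$2 exec_uid=$3
    p=$key
    while :; do
        info=$(stat -c '%u %a' "$p") || return 2   # "<owner uid> <octal mode>"
        set -- $info
        uid=$1 mode=$2
        # Group or world write bit set: never acceptable, whoever owns it.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "unsafe: $p is group/world writable (mode $mode)"
            return 1
        fi
        # Owner-writable, but the owner is neither the daemon uid nor root:
        # this is the "key data is not secure" case quoted in the thread.
        if [ $(( 0$mode & 0200 )) -ne 0 ] && [ "$uid" -ne "$exec_uid" ] && [ "$uid" -ne 0 ]; then
            echo "unsafe: $p is writable and owned by uid $uid which is not the executing uid ($exec_uid) or the superuser"
            return 1
        fi
        [ "$p" = "$top" ] && break
        p=$(dirname "$p")
        [ "$p" = "/" ] && break      # reached the filesystem root without meeting TOPDIR
    done
    return 0
}

# Usage (placeholder key path; 110 is the opendkim uid from the log message):
#   dkim_key_safe /home/user-data/PATH/TO/mail.private /home/user-data 110
if [ $# -eq 3 ]; then
    dkim_key_safe "$@"
fi
```

Run it as any user that can read the directories: the check reports the first offending component, which is usually a parent directory rather than the key file itself.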