OpenDkim - Eerror loading Key while opendkim-testkey outputs key OK?

Question

The mail.err has this (I've used FQDN.example.com as a marker for my domain):

Mar 24 19:08:31 FQDN opendkim[17649]: can't load key from /etc/opendkim/keys/FQDN.example.com/mail.private: Permission denied
Mar 24 19:08:31 FQDN opendkim[17649]: D1EBB1204E1: error loading key 'mail._domainkey.FQDN.example.com'

But when I run opendkim-testkey -d FQDN.example.com -s mail -vvvvv I get

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.FQDN.example.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

The reason the key is not secure because I set it to chmod 777 when I thought that the denied permissions had something to do with the file permissions. What is going on here?

Using Debian 10.

score 1 · Answer 1 · answered Apr 30 '21 at 13:44

1

In my case helped this

chown -R opendkim:opendkim /etc/opendkim
chmod 0750 /etc/opendkim/keys
chmod 0600 /etc/opendkim/keys/default.private

answered Apr 30 '21 at 13:44

Ruslan Novikov

111
3

score 0 · Answer 2 · edited Mar 25 '20 at 15:36

0

If its a permission issue, try tighter settings.

chmod 0600

edited Mar 25 '20 at 15:36

roaima

107,089
14
139
261

answered Mar 25 '20 at 04:16

Czar

179
2

1

This `chmod` command is missing some pieces... – Jeff Schaller Apr 30 '21 at 14:26

score 0 · Answer 3 · answered Mar 25 '20 at 15:44

You've got two issues, one brought about by an incorrect attempt at a fix for the other

Mar 24 19:08:31 FQDN opendkim[17649]: can't load key from /etc/opendkim/keys/FQDN.example.com/mail.private: Permission denied

This error is telling you that the account running opendkim cannot read the file mail.private (or one of the intermediate directories).

opendkim-testkey: key not secure

This is telling you that the permissions on this file (or one of the intermediate directories) are too lax.

You need to ensure that the account running opendkim can access the private key, but that no other group or process can do so. Unfortunately I don't run OpenDKIM so I cannot tell you what the correct value should be, but remember permissions are user-group-other, so chmod 0600 mail.private might be acceptable and sufficient if the user running opendkim owned the file.

Also see OpenDKIM errors over on ServerFault.

This is incorrect: ‘key not secure’ indicates only that the public key was fetched without *DNSSEC*. If DNSSEC can be used, the output will be ‘key secure’. But this is unrelated from local private key permissions. — glts, Apr 04 '20 at 12:38
@71GA I don’t think this is well documented … but see the source code of [`opendkim-testkey`](https://github.com/trusteddomainproject/OpenDKIM/blob/2.11.0-Beta2/opendkim/opendkim-testkey.c#L731-L756). — glts, Jan 04 '21 at 14:13

OpenDkim - Eerror loading Key while opendkim-testkey outputs key OK?

3 Answers3