Menu

#19 testkey says OK but error loading key inside maillog

2.8.2
closed
Murray S. Kucherawy
None
5
2014-02-22
2014-02-12
Zlatan Momic
No

Hi I'm using opendkim 2.9.0 installed from epel via yum on Centos 5.8 with Postfix 2.3.3

I followed Steve's blog post but got errors.
http://stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/

Keys are inside /etc/opendkim/keys/steadyhealth.com
Owner is opendkim and mods are 600:
-rw------- 1 opendkim opendkim 320 Feb 12 08:01 default.txt
-rw------- 1 opendkim opendkim 887 Feb 12 08:01 default

Opendkim service starts fine. But after adding nedded lines to postfix i'm getting errors inside maillog.
This is postfix configuration:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

This is what i got inside /var/log/maillog
Feb 12 05:15:48 opendkim[6830]: default._domainkey.steadyhealth.com: key data is not secure: / can be read or written by other users
Feb 12 05:15:48 opendkim[6830]: DA30A5A0066: error loading key 'default._domainkey.steadyhealth.com'
Feb 12 05:15:48 postfix/cleanup[8163]: DA30A5A0066: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 4.7.1 Service unavailable - try again later; from= to=

Testing the key says OK:
/usr/sbin/opendkim-testkey -d steadyhealth.com -s default -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'default._domainkey.steadyhealth.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

Discussion

  • Murray S. Kucherawy

    Murray S. Kucherawy - 2014-02-12

    opendkim-testkey does not check file permissions. It only confirms that the private and public keys appear to be properly matched.

    opendkim is complaining that, because of permissions on "/", it's possible for some user other than root or itself (i.e., whatever user runs the filter) to read or even change the content of the private key file. My guess is that your "/" directory has the group or other write bit enabled.

     

  • Murray S. Kucherawy

    Murray S. Kucherawy - 2014-02-12
    • status: open --> pending
    • assigned_to: Murray S. Kucherawy
     

  • Zlatan Momic

    Zlatan Momic - 2014-02-13

    Other users could not read/change the private key except owner "opendkim".

    But you are right for "/" directory. This was solution:
    sudo chmod go-w /

    Everything works now, thx

     

  • Zlatan Momic

    Zlatan Momic - 2014-02-13

    Actually I do have problem with authentication from Google

    Authentication-Results: mx.google.com;
    dkim=neutral (bad format) header.i=@steadyhealth.com

     

  • Murray S. Kucherawy

    Murray S. Kucherawy - 2014-02-21

    That's an unrelated problem. Closing this one out. Please open up a new ticket for your validation problems, or open a conversation about it on opendkim-users.

     

  • Murray S. Kucherawy

    Murray S. Kucherawy - 2014-02-21
    • status: pending --> closed
     

  • Zlatan Momic

    Zlatan Momic - 2014-02-22

    Yes, it fixed it self after dns spreading. Thx for help.

     

Log in to post a comment.

MongoDB Logo MongoDB