Package: opendkim Version: 2.11.0~beta2-4 Severity: normal Each and every time, Opendkim wakes up by work from Postfix, it creates a log entry:
key data is not secure: <filename>.private is in group 133 which has multiple users (e.g., "postfix") This issue has been existing since 2015 (when I added DKIM to my mailflow) and the according Debian release. Opendkim has its own group and for proper access rights from postfix, added postfix to the opendkim group. If I don't set this, I get Oct 3 14:17:33 myhost postfix/smtpd[123464]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied Setting RequireSafeKeys to "no" not prevent the message from appearing, but just prevents Opendkim from exiting because of this condition. I think that group rights should not trigger this behavior, but instead only when "other" is allowed to read the private key. -- System Information: Debian Release: 11.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-18-amd64 (SMP w/2 CPU threads) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/bash Init: sysvinit (via /sbin/init) Versions of packages opendkim depends on: ii adduser 3.118 ii dns-root-data 2021011101 ii init-system-helpers 1.60 ii libbsd0 0.11.3-1 ii libc6 2.31-13+deb11u4 ii libdb5.3 5.3.28+dfsg1-0.8 ii libldap-2.4-2 2.4.57+dfsg-3+deb11u1 ii liblua5.1-0 5.1.5-8.1+b3 ii libmemcached11 1.0.18-4.2 ii libmilter1.0.1 8.15.2-22 ii libopendbx1 1.4.6-15 ii libopendkim11 2.11.0~beta2-4 ii librbl1 2.11.0~beta2-4 ii libssl1.1 1.1.1n-0+deb11u3 ii libunbound8 1.13.1-1 ii libvbr2 2.11.0~beta2-4 ii lsb-base 11.1.0 Versions of packages opendkim recommends: ii opendkim-tools 2.11.0~beta2-4 opendkim suggests no packages. -- Configuration Files: /etc/dkimkeys/README.PrivateKeys [Errno 13] Permission denied: '/etc/dkimkeys/README.PrivateKeys' /etc/opendkim.conf changed [not included] -- no debconf information
