Hello David,

thanks for the quick response. After comparing your configuration to mine, I 
resolved the issue by trading off possible security implications. See below.


On 03.10.2022 at 15:15, David Bürgin <[email protected]> wrote:

> Can you include the steps to reproduce this? I don’t see this behaviour on my 
> installation (opendkim 2.11.0~beta2-5).

Will try to do so.

> Some of my configuration bits below:
> 
> $ grep -i -e keyfile -e userid -e umask -e socket -e requiresafekeys /etc/opendkim.conf
> KeyFile                 /etc/dkimkeys/2020.private
> UserID                  opendkim
> UMask                   007
> Socket                  local:/var/spool/postfix/opendkim/opendkim.sock

Here is mine.

UMask                   002
Socket                  local:/var/run/opendkim/opendkim.sock
RequireSafeKeys         no
UserID                  opendkim

> $ sudo ls -ld /etc/dkimkeys{,/2020.private}
> drwx------ 2 opendkim opendkim 4096 Aug 25  2021 /etc/dkimkeys
> -rw------- 1 opendkim opendkim 1679 Nov 20  2020 /etc/dkimkeys/2020.private

I do have multiple domains configured and thus use /etc/opendkim/domainname as 
the base directory for key files. Those belong to root:opendkim and are mode 2755.

-rw-r----- 1 root opendkim 887 Oct 26  2015 /etc/opendkim/pocnet.net/m201510.private
-rw-r--r-- 1 root opendkim 323 Oct 26  2015 /etc/opendkim/pocnet.net/m201510.txt

> $ sudo ls -ld /var/spool/postfix/opendkim{,/opendkim.sock}
> drwxr-x--- 2 opendkim opendkim 27 Sep 29 16:32 /var/spool/postfix/opendkim
> srwxrwx--- 1 opendkim opendkim  0 Sep 29 16:32 /var/spool/postfix/opendkim/opendkim.sock

-rw-r--r-- 1 root     root     7 Oct  3 14:18 /var/run/opendkim/opendkim.pid
srwxrwxr-x 1 opendkim opendkim 0 Oct  3 14:18 /var/run/opendkim/opendkim.sock

> $ groups postfix | grep -o opendkim
> opendkim

# groups postfix | grep -o opendkim
opendkim


When I configured opendkim for the first time, I tried to keep the key files 
owned by root, so they couldn't be changed by opendkim itself, to lessen the 
attack surface.

After chown to opendkim and chmod 400 on the private key files, the warning 
message is, as expected, gone, because no group access is granted anymore. But 
there is a small, probably mostly theoretical, decrease in security, because the 
key files now belong to the opendkim user, and a missing write bit can be 
overridden when the owner matches; I've done this sometimes with vi and text 
files.

What's your opinion on that?

Thanks!

:wq! PoC
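The two key-file layouts discussed in this thread (root:opendkim mode 640 with postfix as a member of group opendkim, versus opendkim:opendkim mode 400), run through a simplified model of the file-safety check behind RequireSafeKeys. This is an added example and not OpenDKIM's own code: the rules it applies (owner must be root or the UserID account, no access for others, group access only when no account other than the owner or the service account is in the group) are assumptions chosen to reproduce the warning described above, not a copy of OpenDKIM's implementation. The function names `assess_key`, `group_members` and `key_is_safe` are this example's own, and GNU or busybox `stat -c` plus `getent` are assumed for the live check.

```shell
#!/bin/sh
# Added example, not OpenDKIM's own code: a simplified model of the check that
# RequireSafeKeys applies to a private key file, so the two layouts from the
# thread can be compared side by side.
# Assumed rules (a model, not a copy of OpenDKIM's implementation):
#   - the file must be owned by root or by the account OpenDKIM runs as (UserID)
#   - "others" must have no access at all
#   - group access is acceptable only if every member of the file's group is
#     the owner or the service account; any further member (here: postfix)
#     makes the key unsafe
# GNU/busybox `stat -c` and `getent` are assumed for the live check.

# assess_key MODE OWNER GROUP MEMBERS SVC_USER
#   MODE     octal mode as printed by `stat -c %a` (640, 2755, ...)
#   MEMBERS  whitespace-separated accounts belonging to GROUP (may be empty)
# Prints a verdict; returns 0 (safe) or 1 (unsafe).
assess_key() {
    ak_mode=$1 ak_owner=$2 ak_group=$3 ak_members=$4 ak_svc=$5
    ak_perm=$(( 0$ak_mode & 0777 ))        # drop setuid/setgid/sticky bits
    ak_grp=$(( (ak_perm >> 3) & 7 ))
    ak_oth=$(( ak_perm & 7 ))

    if [ "$ak_owner" != "$ak_svc" ] && [ "$ak_owner" != root ]; then
        echo "unsafe: owned by $ak_owner, expected $ak_svc or root"
        return 1
    fi
    if [ "$ak_oth" -ne 0 ]; then
        echo "unsafe: mode $ak_mode grants access to everyone"
        return 1
    fi
    if [ "$ak_grp" -ne 0 ]; then
        for ak_m in $ak_members; do
            if [ "$ak_m" != "$ak_owner" ] && [ "$ak_m" != "$ak_svc" ]; then
                echo "unsafe: mode $ak_mode grants group $ak_group access and $ak_m is in that group"
                return 1
            fi
        done
    fi
    echo "safe: $ak_owner:$ak_group mode $ak_mode"
    return 0
}

# group_members GROUP: supplementary members from the group entry plus every
# account whose primary group it is (those never appear in the member list).
group_members() {
    gm_gid=$(getent group "$1" | cut -d: -f3)
    getent group "$1" | cut -d: -f4 | tr ',' ' '
    getent passwd | awk -F: -v gid="$gm_gid" '$4 == gid { print $1 }'
}

# key_is_safe PATH [SVC_USER]: run the model against a real file.
key_is_safe() {
    ks_path=$1 ks_svc=${2:-opendkim}
    ks_stat=$(stat -c '%a %U %G' "$ks_path") || return 1
    set -- $ks_stat                         # mode owner group
    assess_key "$1" "$2" "$3" "$(group_members "$3")" "$ks_svc"
}

# The two layouts from the thread, as constructed inputs: on both hosts the
# postfix account is a member of group opendkim (`groups postfix`).
demo() {
    for dm_layout in "640 root opendkim" "400 opendkim opendkim"; do
        set -- $dm_layout
        if assess_key "$1" "$2" "$3" "opendkim postfix" opendkim; then
            echo "  -> passes the model"
        else
            echo "  -> rejected by the model"
        fi
    done
}
demo
```

Under this model the root:opendkim 640 layout fails only because postfix is in group opendkim; the same file with opendkim as the group's only member passes, so the question in the thread is really whether the group is shared, not whether root or opendkim owns the key. The model covers key files only; the socket mode shown above is a separate matter.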
