On 09/03/2017 07:43 AM, Wietse Venema wrote:
> Tom Browder:
>> The docs mention not to use root or postfix for the "-u UID" option. Then
>> what user should it be? Is a new user to be created for that purpose?
>> Should that same user own the /var/db/dkim directory and files?
> 
> All my opendkim FILES are owned by root, in directories owned by
> root, and those files/directories are writable only by root. Note
> that opendkim reads the secret key before dropping root privileges.
> 

I just did some experiments with this. If you're using a KeyTable and
SigningTable, it looks like OpenDKIM will read those as root, but not
all of the secret keys.

(The rest is quite skippable if you're not interested in such a setup.)

If your OpenDKIM user is named "opendkim" and is a member of the
"opendkim" group, then the obvious way to deal with that is to make your
keys (and the directories they're contained in) read-only to the
"opendkim" group. So far so good.

But now what if you want to use a local UNIX socket to talk to OpenDKIM?
Postfix needs to be able to write to it. On most systems, the socket
will be created as opendkim:opendkim, and if you add the "postfix" user
to the "opendkim" group, then

  1. that's more access than postfix should have to your keys, and

  2. the OpenDKIM daemon will complain to the effect of #1.

So to share a socket, you need another group. I created a new group
called "milter", and added both the "postfix" and "opendkim" users to
it. Here I tried to tell OpenDKIM to run as "opendkim:milter", but that
doesn't work because when you specify one particular group, it omits all
of that user's other groups -- including the "opendkim" group that you
need to read your keys!

Fortunately, you can tell the system to use "milter" as the primary
group for the "opendkim" user. Just swap the two with,

  $ usermod -g milter opendkim
  $ usermod -a -G opendkim opendkim

Now if OpenDKIM is running as user "opendkim", it will create the socket
with that user's primary group "milter", but still be able to access
your keys via the secondary group "opendkim".

To summarize,

  * OpenDKIM runs as UserID "opendkim", an otherwise-unused user.
  * all OpenDKIM files owned by "root"
  * key table and signing table are group "root"
  * secret keys are group "opendkim" and group-read-only
  * socket needs to belong to a third group containing "opendkim"
    and "postfix"
  * you need to make that third group the primary group of "opendkim"
    so that the socket gets created with the correct group
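A small audit script for the layout summarized above, added here as an example and not code from this thread or from the OpenDKIM or Postfix projects. It assumes a Linux host (`stat -c`, `id`), and the key path, socket path, user and group names are whatever the caller passes in.

```shell
# Added example, not from the thread: audit helpers for the ownership/group
# layout the post ends with. Assumes Linux `stat -c` and `id`.

# perm_ok PATH GROUP MODE: succeed when PATH belongs to GROUP and has exactly
# the octal MODE (e.g. 640 for a key readable by owner and group only).
perm_ok() {
  path=$1 want_group=$2 want_mode=$3
  [ -e "$path" ] || { echo "perm_ok: $path missing" >&2; return 1; }
  got_group=$(stat -c %G "$path") || return 1
  got_mode=$(stat -c %a "$path") || return 1
  if [ "$got_group" != "$want_group" ] || [ "$got_mode" != "$want_mode" ]; then
    echo "perm_ok: $path is $got_group/$got_mode, want $want_group/$want_mode" >&2
    return 1
  fi
}

# world_readable PATH: succeed when "other" has the read bit, i.e. any local
# account could copy the signing key.
world_readable() {
  mode=$(stat -c %a "$1") || return 1
  other=${mode#"${mode%?}"}   # last octal digit = the "other" bits
  case $other in [4567]) return 0 ;; *) return 1 ;; esac
}

# user_in_group USER GROUP: succeed when GROUP is USER's primary group or one
# of its supplementary groups, which is what the daemon keeps after setgid().
user_in_group() {
  for g in $(id -Gn "$1" 2>/dev/null); do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

# primary_group USER: the group a socket created by USER will carry.
primary_group() { id -gn "$1"; }

# audit_layout KEY SOCKET DKIM_USER MTA_USER KEYGROUP SOCKGROUP: the checks the
# post arrives at. Returns 1 and reports on stderr if any of them fails.
audit_layout() {
  key=$1 sock=$2 du=$3 mu=$4 kg=$5 sg=$6 rc=0
  perm_ok "$key" "$kg" 640 || rc=1
  user_in_group "$du" "$kg" || { echo "$du cannot read keys ($kg)" >&2; rc=1; }
  user_in_group "$mu" "$kg" && { echo "$mu can read keys: too much access" >&2; rc=1; }
  [ "$(primary_group "$du")" = "$sg" ] || { echo "$du primary group is not $sg" >&2; rc=1; }
  user_in_group "$mu" "$sg" || { echo "$mu not in socket group $sg" >&2; rc=1; }
  [ -S "$sock" ] && { perm_ok "$sock" "$sg" 660 || rc=1; }
  return $rc
}
```

Run it as `audit_layout /var/db/dkim/default.private /var/run/opendkim/opendkim.sock opendkim postfix opendkim milter` (paths here are placeholders) after the usermod steps; a clean exit means every rule in the summary holds.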
