Bug#886441: DKIMproxy does not respect key location

2018-06-27 Thread Erlé DE PILLOT

Hi all,

Sorry for the long post.
I come back to you with my thoughts on what I think is an issue in the 
dkimproxy package.

In file /etc/default/dkimproxy, it is mentioned:
# If a variable is unset or set to an empty value, the corresponding argument will be omitted from
# the dkimproxy command line, and dkimproxy is free to read a value from its
# own configuration file or use its own default value.

Maybe I did it wrong, but I could not manage to unset some variables.
For me, once the dkimproxy daemon script reads the /etc/default/dkimproxy file,
if for example the DKIMPROXY_OUT_PRIVKEY is not specified or is set to '',
the dkimproxy will set the location of the key to default:
/var/lib/dkimproxy/private.key
And the script will ignore the /etc/dkimproxy/dkimproxy_out.conf or sender_map.

For me, this is an issue.

I think that, if the script /usr/sbin/dkimproxy.out was written with a lot of options and the possibility to
specify (in command line options) the selector, the key location, the type of signature etc., it is more for trial purposes.
Then for a "normal" use of the dkimproxy.out (run as a daemon), the configuration should be set in files:
/etc/dkimproxy/dkimproxy_out.conf or/and sender_map.

So there is no point, at the /etc/init.d/dkimproxy script level, in offering some of the options.
We should have there only the options that are not available in other config files,
such as RUN_DKIMPROXY_OUT, DKIMPROXY_OUT_MIN_SERVERS, user or group.
But options such as DKIMPROXY_OUT_PRIVKEY should not be specified in this file, as they will then take
precedence over the /etc/dkimproxy/dkimproxy_out.conf and sender_map files, are less flexible
than in the sender_map file and just add confusion.

I have worked on a new version of the dkimproxy daemon script present in /etc/init.d/
and the associated config file /etc/default/dkimproxy.
For backward compatibility, I have tried to find a solution allowing me to leave the confusing 'DKIMPROXY_OUT_PRIVKEY'
parameter but it doesn't seem possible. So I think this confusing parameter could simply be removed from
the /etc/default/dkimproxy file.
In my daemon script, I have also added the command "service dkimproxy status".

Here are my versions of the files; Maybe they will be useful to others:

- /etc/default/dkimproxy:


### Default configuration for dkimproxy.



## The following variables specify configuration to be passed as arguments to
## the dkimproxy daemons. If a variable is commented out, the default value
## within the /etc/init.d/dkimproxy script will be used.
## For more details about dkimproxy parameters, please use:
## /usr/sbin/dkimproxy.out --help and
## /usr/sbin/dkimproxy.in  --help
## Variables in Section1 have no risk to conflict with variables specified
## in other config files dkimproxy_in.conf and sender_map.
## Variables in Section2 are now obsolete and will be ignored by the
## /etc/init.d/dkimproxy script.


## SECTION 1

#
## which daemons would be run; anything other than '1' will disable a daemon
## default: 1
RUN_DKIMPROXY_OUT=1
RUN_DKIMPROXY_IN=0

## configuration file to use for dkimproxy.in
## default: "/etc/dkimproxy/dkimproxy_in.conf"
#DKIMPROXY_IN_CONF="/etc/dkimproxy/dkimproxy_in.conf"

## configuration file to use for dkimproxy.out
## default: "/etc/dkimproxy/dkimproxy_out.conf"
#DKIMPROXY_OUT_CONF="/etc/dkimproxy/dkimproxy_out.conf"

## Number of pre-forked process that dkimproxy should keep ready for action.
## The best value for performances is 5 on a single core server. It would
## seem reasonable to add at least one process per core on your server.
## Each process will take about 2MB of RAM, so with a value of 2 for both
## the in and the out daemon, dkimproxy will use 10/12 MB of RAM.
## default: 5
#DKIMPROXY_IN_MIN_SERVERS=5
DKIMPROXY_OUT_MIN_SERVERS=4

## user and group of the dkimproxy daemons
## default user: dkimproxy
## default group: dkimproxy
DKIMPROXYUSER=dkimproxy
DKIMPROXYGROUP=email

## HOSTNAME
## Is used by the DKIM IN PROXY
## hostname for verification "Authentication-Results" header
## Feel free to use hostname -f if that fits you, but then make
## sure that your DNS dkim key entry is setup accordingly with
## something like _domainkey.mx.example.com
## default: `hostname -d`
#DKIM_HOSTNAME=

## DOMAIN
## Is used by the DKIM OUT PROXY
## Specifies the domains to sign for; specify multiple domains separated by commas
## This variable is overwritten by domain specified in dkimproxy_out.conf
## or in sender_map files.
## default: `hostname -d` and domains parsed from 

Bug#886441: DKIMproxy does not respect key location

2018-06-21 Thread Erlé DE PILLOT

Hi,

I am not familiar with Debian packages processes.
I hope this is the right place to report the issue.
I found the issue using the Ubuntu package dkimproxy, I believe 
inherited from Debian.


I agree with Martin Hanson.
For me the dkimproxy daemon script does not work correctly.
It does not take into account the /etc/dkimproxy/dkimproxy_out.conf file and thus does not use the appropriate key location.

This is also what was, to me, reported in bug:
#688986: Init script of Debian package of dkimproxy do not parse/read /etc/dkimproxy/dkimproxy_out.conf


The script /usr/sbin/dkimproxy.out works fine but, after some trials, I understand that some options should be exclusive or at least, the precedence of some options should be more documented.
Then the dkimproxy daemon script (in /etc/init.d/) builds the wrong combination of options, preventing dkimproxy.out from reading the config file and from working as expected.
My understanding is that the script /usr/sbin/dkimproxy.out should be used either with the --conf_file=FILENAME option
or with options --keyfile=FILENAME, --selector=SELECTOR, etc...
I could not really figure out which options can be combined. I only notice that:


/usr/sbin/dkimproxy.out --conf_file=/etc/dkimproxy/dkimproxy_out.conf --daemonize


works fine whereas, command generated by the dkimproxy daemon script:

/usr/sbin/dkimproxy.out --domain=somedomain --method=simple --conf_file=/etc/dkimproxy/dkimproxy_out.conf --keyfile=/var/lib/dkimproxy/private.key --user=dkimproxy --group=email --daemonize --pidfile=/var/run/dkimproxy.out --signature=dkim --signature=domainkeys --min_servers=5


Does not work for me because the --keyfile=/var/lib/dkimproxy/private.key seems to have precedence over the key location specified in --conf_file=/etc/dkimproxy/dkimproxy_out.conf


I think that there are too many levels of config files:
- /etc/default/dkimproxy  used by   /etc/init.d/dkimproxy
- /etc/dkimproxy/dkimproxy_out.conf   used by /usr/sbin/dkimproxy.out
- sender_map also used by /usr/sbin/dkimproxy.out
With very confusing combinations of options and overwriting 
possibilities (and currently /etc/default/dkimproxy overwrites the 
dkimproxy_out.conf options...).

Maybe this should be simplified.

Besides this, I think the dkimproxy daemon script needs to be reviewed.
I found, for example, that the piece of code:

# Get the host domains dynamically. You can change this to the location where
# you have your virtual table here, or best: enhance this script to support more
# situations with packages others than DTC
HOST_DOMAIN=${DKIM_HOSTNAME}
if [ -n "${DOMAIN}" ] ; then
    if [ -f /var/lib/dtc/etc/local_domains ] ; then
        DTC_DOMAIN=`cat /var/lib/dtc/etc/local_domains | tr \\\r\\\n ,,`
        DTC_DOMAIN=`echo ${DTC_DOMAIN} | grep -v ^${HOST_DOMAIN}`
    else
        DTC_DOMAIN=""
    fi
fi
DOMAIN=${DTC_DOMAIN}${HOST_DOMAIN}

Will never retain the DOMAIN read in the /etc/default/dkimproxy file but always set it to ${DTC_DOMAIN}${HOST_DOMAIN}...
For me, DOMAIN=${DTC_DOMAIN}${HOST_DOMAIN} should be put in an 'else' section of 'if [ -n "${DOMAIN}" ] ;'
For now I will try to rework this script at least for my own use (I am not an sh expert...).

If the result is satisfactory, I will post it in this thread.
Best regards,

    Erlé
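
An added illustration of the option handling discussed in this thread; it is not the packaged /etc/init.d/dkimproxy and not code from any poster. It builds the dkimproxy.out arguments so that an unset key path or domain is omitted and left to --conf_file, reports which key path ends up in use, and keeps a configured DOMAIN. Function names are hypothetical, and the rule that a command-line --keyfile wins over the config file is taken from the behaviour observed above.

```shell
#!/bin/sh
# Added example: not the packaged /etc/init.d/dkimproxy. Function names are
# hypothetical; variable names and options are those quoted in the thread.

# Emit "--name=value" only when the value is non-empty.
opt() {
    if [ -n "$2" ]; then printf '%s\n' "--$1=$2"; fi
}

# Build dkimproxy.out arguments. An unset DKIMPROXY_OUT_PRIVKEY or DOMAIN
# produces no option at all, leaving the value to --conf_file.
build_out_args() {
    opt conf_file   "${DKIMPROXY_OUT_CONF:-/etc/dkimproxy/dkimproxy_out.conf}"
    opt keyfile     "${DKIMPROXY_OUT_PRIVKEY:-}"
    opt domain      "${DOMAIN:-}"
    opt user        "${DKIMPROXYUSER:-dkimproxy}"
    opt group       "${DKIMPROXYGROUP:-dkimproxy}"
    opt min_servers "${DKIMPROXY_OUT_MIN_SERVERS:-5}"
    printf '%s\n' "--daemonize"
}

# Value of the "keyfile" directive in a dkimproxy_out.conf-style file ($1).
conf_keyfile() {
    awk '$1 == "keyfile" { print $2; exit }' "$1"
}

# Key path that ends up in use, assuming (as observed in the thread) that
# --keyfile on the command line wins over the config file ($1).
effective_keyfile() {
    if [ -n "${DKIMPROXY_OUT_PRIVKEY:-}" ]; then
        printf '%s\n' "$DKIMPROXY_OUT_PRIVKEY"
    else
        conf_keyfile "$1"
    fi
}

# Keep DOMAIN when /etc/default/dkimproxy set it; otherwise fall back to the
# domains listed in file $2 (if present) followed by the host domain $1.
resolve_domain() {
    if [ -n "${DOMAIN:-}" ]; then printf '%s\n' "$DOMAIN"; return 0; fi
    others=""
    if [ -f "$2" ]; then others=$(grep -Fvx "$1" "$2" | paste -sd, -); fi
    printf '%s\n' "${others:+$others,}$1"
}

# Demo with constructed settings: no key path is set, so no --keyfile appears.
unset DKIMPROXY_OUT_PRIVKEY DOMAIN
echo /usr/sbin/dkimproxy.out $(build_out_args)
```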



Bug#886441: DKIMproxy does not respect key location

2018-01-05 Thread Martin Hanson
Package: dkimproxy   
Version: 1.4.1-3
Debian Stretch

In /etc/dkimproxy/dkimproxy_out.conf

# specify location of the private key
keyfile   /etc/mail/dkim/private.key

Yet, dkimproxy looks for the key in: /var/lib/dkimproxy/private.key

From the log:

dkimproxy.out[1166]: signing error: Error: cannot read /var/lib/dkimproxy/private.key: Permission denied

I then copied the key from /etc/mail/dkim to /var/lib/dkimproxy and changed the 
permissions and DKIMproxy signs the key.

No matter what I do the "keyfile" option is ignored.

Kind regards