Re: unable to start opendkim on Ubuntu

From: Cole Tierney <colet_at_llsys.com>
Date: Fri, 7 Mar 2014 10:47:19 -0500

On Mar 7, 2014, at 5:56 AM, Murray S. Kucherawy <msk_at_blackops.org> wrote:

> On Wed, 5 Mar 2014, Cole Tierney wrote:
>> Starting OpenDKIM: opendkim: /etc/opendkim.conf: /etc/mail is writeable and owned by uid 107 which is not the executing uid (111) or the superuser opendkim.
>>
>> ls -ld /etc/mail
>> drwxr-sr-x 7 smmta smmsp 4096 Feb 20 14:02 /etc/mail
>>
>> id smmta
>> uid=107(smmta) gid=112(smmta) groups=112(smmta),45(sasl)
>>
>> id opendkim
>> uid=111(opendkim) gid=117(opendkim) groups=117(opendkim)
>
> This means opendkim (111) is relying on the security of keys stored in a directory where a user other than itself and root (namely smmta, uid 107) could replace the keys.
>
> Could smmta run the filter, perhaps? Or could the keys live somewhere other than /etc/mail?

Thanks for your reply. I ended up doing the latter and putting my keys in /etc/opendkim. The error message then changed to a complaint about the key not being owned by opendkim. I changed ownership to opendkim:opendkim, then everything worked. I repeated these steps on another server and put them in a gist for future reference:
https://gist.github.com/putnamhill/0fe3fcd5a6543dc2214b
Received on Fri Mar 07 2014 - 15:46:40 PST
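
The two startup complaints discussed in this thread can be checked for ahead of time. The sketch below is an example added to this archive page, not OpenDKIM's own code and not the contents of the gist; it approximates the checks implied by the quoted error messages. The key file name `dkim.key`, the directory modes and the `FakeStat` sample table are constructed for illustration, using the uids shown in the thread.

```python
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result so the constructed sample runs without root.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")

def audit_key_path(key_path, run_uid, stat_fn=os.stat):
    """Return findings for a signing key as seen by the filter's uid."""
    findings = []
    trusted = {0, run_uid}          # superuser or the executing uid
    st = stat_fn(key_path)
    if st.st_uid != run_uid:
        findings.append(f"{key_path}: key owned by uid {st.st_uid}, not {run_uid}")
    # Walk every ancestor directory up to /: a writable directory owned by
    # some other account lets that account replace the key.
    d = os.path.dirname(key_path)
    while True:
        st = stat_fn(d)
        if st.st_uid not in trusted and st.st_mode & stat.S_IWUSR:
            findings.append(f"{d}: writable and owned by uid {st.st_uid}")
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return findings

# Constructed sample: smmta is uid 107, opendkim is uid 111 (from the thread).
SAMPLE = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/etc": FakeStat(0, stat.S_IFDIR | 0o755),
    "/etc/mail": FakeStat(107, stat.S_IFDIR | 0o2755),      # drwxr-sr-x smmta
    "/etc/mail/dkim.key": FakeStat(0, stat.S_IFREG | 0o600),
    "/etc/opendkim": FakeStat(0, stat.S_IFDIR | 0o755),
    "/etc/opendkim/dkim.key": FakeStat(111, stat.S_IFREG | 0o600),
}

if __name__ == "__main__":
    for key in ("/etc/mail/dkim.key", "/etc/opendkim/dkim.key"):
        problems = audit_key_path(key, 111, SAMPLE.__getitem__)
        print(key, "->", problems or "ok")
```

On a real host, call `audit_key_path(path, uid)` without the third argument so it uses `os.stat`.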
