Re: "error loading key" and "key data is not secure", only from time to time...

From: Patrick Proniewski <patpro_at_patpro.net>
Date: Tue, 15 Sep 2015 06:46:57 +0200

On 14 Sep 2015, at 22:14, A. Schulze wrote:

> patpro:
>
>> File permissions are ok (I think):
>>
>> -r--r----- root opendkim /var/db/opendkim/univ-lyon2.fr/201509-490482f6.private
>
>
> opendkim expects *.private to be readable ONLY by the user and NOT by any other group.
> Making the key readable for the group in your case does not ensure that no other uid may read the key,
> so the key permissions are "insecure".
>
> -> chown opendkim:root *.private
> -> chmod 0400 *.private

Thanks for this info, Andreas. Nevertheless I'm a bit surprised:

- the majority of messages get signed anyway, leaving only 0.25% of messages unsigned
- I've got another server with the exact same settings, but running opendkim-2.9.2_6: no errors at all

I'll change permissions and let you know if it fixes my problem!

While I'm here: during my testing to find out what was wrong, I used truss on the running opendkim process, and I was quite surprised to discover that it stats /etc/nsswitch at a fast rate (more than 100 times per second). Is that expected?


regards,
pat
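As an added illustration (not part of the thread, and not opendkim's own code), the following POSIX shell function audits a key file against the rule quoted above: no group or other permission bits, and owned by the uid opendkim runs as. It parses `ls -ld` rather than `stat` because the `stat` flags differ between BSD and GNU; the default owner name `opendkim` and the example path `/var/db/opendkim/*.private` are taken from the thread, everything else is assumed.

```shell
#!/bin/sh
# Added example: check that a DKIM private key is readable only by its owner
# and that the owner is the opendkim uid, as the quoted advice requires.
#
# Usage: sh check_dkim_keys.sh /var/db/opendkim/*.private

# check_key_perms FILE [EXPECTED_OWNER]
# Returns 0 when FILE has no group/other bits and is owned by EXPECTED_OWNER
# (default: opendkim); otherwise reports each problem on stderr and returns 1.
check_key_perms() {
    key="$1"
    want_owner="${2:-opendkim}"
    [ -f "$key" ] || { echo "no such file: $key" >&2; return 1; }

    # ls -ld output: "-r--r----- 1 root opendkim 1679 Sep 15 06:46 file"
    # field 1 is the mode string, field 3 the owner name.
    set -- $(ls -ld "$key")
    perms="$1"
    owner="$3"

    # Characters 5..10 of the mode string are the group and other bits
    # (an ACL/SELinux marker such as '+' or '.' comes after them and is ignored).
    grp_oth=$(printf '%s' "$perms" | cut -c5-10)

    rc=0
    if [ "$grp_oth" != "------" ]; then
        echo "$key: group/other bits set ($perms); fix with: chmod 0400 '$key'" >&2
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$key: owned by $owner, expected $want_owner; fix with: chown $want_owner '$key'" >&2
        rc=1
    fi
    return $rc
}

# Audit every key path given on the command line (no-op when run without arguments).
for f in "$@"; do
    check_key_perms "$f" opendkim && echo "$f: ok"
done
```

Run against the key from the thread, the function would flag the `r--` group bits (mode 0440) and the `root` owner, and print the `chmod 0400` / `chown opendkim` commands Andreas suggested. Run it after the fix and it stays silent, which is also a convenient check to add to a configuration-management or monitoring job.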
Received on Tue Sep 15 2015 - 04:47:12 PST