Re: "error loading key" and "key data is not secure", only from time to time...

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Sun, 4 Oct 2015 21:56:13 -0700 (PDT)

On Mon, 14 Sep 2015, patpro_at_patpro.net wrote:
> Sep 14 13:06:14 ru opendkim[16344]: signall: key data is not secure: /var/db/opendkim/univ-lyon2.fr/201509-490482f6.private is in group 1003 which has multiple users (e.g., "opendkim")
>
> This error has occurred about 60 times in 3 days. That's about 0.25%.
> Very odd.
>
> File permissions are ok (I think):
>
> -r--r----- root opendkim /var/db/opendkim/univ-lyon2.fr/201509-490482f6.private
> drwxr-x--- root opendkim /var/db/opendkim/univ-lyon2.fr
> drwxr-x--- root opendkim /var/db/opendkim
> drwxr-xr-x root wheel /var/db
> drwxr-xr-x root wheel /var
> drwxr-xr-x root wheel /
>
> # id opendkim
> uid=31986(opendkim) gid=6(mail) groups=6(mail),1003(opendkim)
>
> # grep opendkim /etc/group
> opendkim:*:1003:opendkim
>
> I'm running opendkim-2.10.3 on FreeBSD 10.1-RELEASE
>
> Any hint?

I'm guessing the executing user is root, not opendkim. The issue then is
that the opendkim account is the risk; if it gets hacked, that process can
sign things as your domain because it can read the key.

Try running it as opendkim instead (assuming my guess is right).

-MSK
Received on Mon Oct 05 2015 - 04:56:32 PST
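To make the reply's reasoning concrete (who, besides the process doing the signing, can read the key), here is an added Python illustration, not OpenDKIM's own code; it approximates the intent of the "key data is not secure" complaint over constructed values taken from the thread (mode 0440, owner root, group 1003 with member opendkim), and the helper names are hypothetical.

```python
import stat
from dataclasses import dataclass

# Constructed model of the facts the check needs (no real stat() or
# getgrgid() calls), so it can be exercised offline with the thread's values.
@dataclass(frozen=True)
class KeyFile:
    path: str
    mode: int   # permission bits, e.g. 0o440 for -r--r-----
    uid: int    # owning uid
    gid: int    # owning gid

# users: uid -> (name, primary gid); group_members: gid -> names in /etc/group
USERS = {0: ("root", 0), 31986: ("opendkim", 6)}
GROUP_MEMBERS = {0: set(), 6: set(), 1003: {"opendkim"}}
KEY = KeyFile("/var/db/opendkim/univ-lyon2.fr/201509-490482f6.private", 0o440, 0, 1003)

def readers_other_than(key, exec_uid, users, group_members):
    """Accounts other than root and the executing user that can read the key.
    Hypothetical helper approximating the intent behind OpenDKIM's
    'key data is not secure' complaint, not its actual code."""
    readers = set()
    if key.mode & stat.S_IRUSR:
        readers.add(users[key.uid][0])
    if key.mode & stat.S_IRGRP:
        # both primary-group members and explicit /etc/group members count
        readers.update(name for name, gid in users.values() if gid == key.gid)
        readers.update(group_members.get(key.gid, set()))
    return readers - {"root", users[exec_uid][0]}

def check_key(key, exec_uid, users=USERS, group_members=GROUP_MEMBERS):
    """Return (secure, reason).  World access is rejected outright, since
    accounts outside the model could read it; otherwise the key is secure
    only if nobody besides root and the signing process can read it."""
    if key.mode & (stat.S_IROTH | stat.S_IWOTH):
        return False, "%s is world-accessible" % key.path
    others = readers_other_than(key, exec_uid, users, group_members)
    if others:
        return False, "%s is readable by other account(s): %s" % (
            key.path, ", ".join(sorted(others)))
    return True, "ok"

if __name__ == "__main__":
    # As root (the situation the reply suspects): opendkim can read the key.
    print(check_key(KEY, 0))
    # As opendkim: only root and the signing process itself can read it.
    print(check_key(KEY, 31986))
```

Running the signer as root flags opendkim as an extra reader of the key, while running it as opendkim leaves only root, which is the outcome the reply predicts.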