On 05 oct. 2015, at 06:56, Murray S. Kucherawy wrote:
> On Mon, 14 Sep 2015, patpro_at_patpro.net wrote:
>> Sep 14 13:06:14 ru opendkim[16344]: signall: key data is not secure: /var/db/opendkim/univ-lyon2.fr/201509-490482f6.private is in group 1003 which has multiple users (e.g., "opendkim")
>>
>> This error has occurred about 60 times in 3 days. That's about 0.25%. Very odd.
>>
>> File permissions are ok (I think):
>>
>> -r--r----- root opendkim /var/db/opendkim/univ-lyon2.fr/201509-490482f6.private
>> drwxr-x--- root opendkim /var/db/opendkim/univ-lyon2.fr
>> drwxr-x--- root opendkim /var/db/opendkim
>> drwxr-xr-x root wheel /var/db
>> drwxr-xr-x root wheel /var
>> drwxr-xr-x root wheel /
>>
>> # id opendkim
>> uid=31986(opendkim) gid=6(mail) groups=6(mail),1003(opendkim)
>>
>> # grep opendkim /etc/group
>> opendkim:*:1003:opendkim
>>
>> I'm running opendkim-2.10.3 on FreeBSD 10.1-RELEASE
>>
>> Any hint?
>
> I'm guessing the executing user is root, not opendkim. The issue then is that the opendkim account is the risk; if it gets hacked, that process can sign things as your domain because it can read the key.
>
> Try running it as opendkim instead (assuming my guess is right).
Nope, opendkimd runs as the opendkim user.
As stated in my last email on Sept. 15th, everything is OK now:
http://lists.opendkim.org/archive/opendkim/users/2015/09/3554.html
Regards,
pat
Received on Mon Oct 05 2015 - 05:06:45 PST