Date: Thu, 11 Jul 2024 00:05:10 +0100
Subject: Re: Strange OpenDKIM error
From: "Souji Thenria"
To: "D'Arcy Cain"
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
In-Reply-To: <8af87a11-7835-4cbe-8949-0920b8824d70@druid.net>

On Wed Jul 10, 2024 at 9:34 PM BST, D'Arcy Cain wrote:
> Not sure what changed here but suddenly OpenDKIM won't read my key
> files. The error is:
>
> key data is not secure: opendkim is in group 0 which has multiple users (e.g., "darcy")
>
> Of course I am in the wheel group or else I couldn't become root. What
> I don't understand is, why does it think that opendkim is in group 0.
>
> # id opendkim
> uid=104(opendkim) gid=104(opendkim) groups=104(opendkim)
>
> I upgraded from 14.0 to 14.1 but that was about a week ago. I upgraded
> to newly built packages around the same time. This only started today
> at 13:42:26.
>
> I have turned off DKIM signing for now but obviously I can't leave it
> that way. Too many places reject unsigned emails. Can anyone help me
> debug this issue?
>
> Cheers.

Hey,

Taking a look into the source code, it looks like OpenDKIM fails at a
section titled:

/* group write needs to be super-user or me only */

Further down are two checks with the comments:

/* check if anyone else has this file's gid */
/* check if this group contains anyone else */

Based on this, maybe the group of your key file is wheel, and since you
are also in this group, it fails. So, if you change the group of the
file to opendkim, it might work.

Regards,
Souji

-- 
Souji Thenria
Website: www.souji-thenria.net
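
Added example, not part of the original message and not OpenDKIM's own code: a Python check modelled on the source comments quoted above, listing which accounts other than root and the service user hold a key file's group. The function names, the sample account data (including darcy's uid 1001) and the choice to treat any group permission bit as exposure are assumptions of this example.

```python
import grp
import os
import pwd
import stat
import sys


def others_with_gid(gid, service_user, passwd, groups):
    """Users other than root and service_user that hold gid, either as
    primary group (passwd) or as a listed member (group database).
    passwd: (name, uid, primary_gid) tuples; groups: (gid, [members])."""
    uid_of = {name: uid for name, uid, _ in passwd}
    # "check if anyone else has this file's gid" (primary group)
    holders = {name for name, _, pgid in passwd if pgid == gid}
    # "check if this group contains anyone else" (supplementary members)
    for g, members in groups:
        if g == gid:
            holders.update(members)
    return sorted(n for n in holders
                  if n != service_user and uid_of.get(n) != 0)


def audit_key(mode, gid, service_user, passwd, groups):
    """Accounts that share group access to a key file with this mode/gid."""
    if not mode & stat.S_IRWXG:
        return []  # no group permission bits, so membership is irrelevant
    return others_with_gid(gid, service_user, passwd, groups)


def audit_path(path, service_user="opendkim"):
    """Run the same check on a real file using the system account databases."""
    st = os.stat(path)
    passwd = [(p.pw_name, p.pw_uid, p.pw_gid) for p in pwd.getpwall()]
    groups = [(g.gr_gid, g.gr_mem) for g in grp.getgrall()]
    return audit_key(st.st_mode, st.st_gid, service_user, passwd, groups)


# Constructed account data mirroring the thread: darcy is a member of
# wheel (gid 0), opendkim is alone in its own group (gid 104).
PASSWD = [("root", 0, 0), ("darcy", 1001, 1001), ("opendkim", 104, 104)]
GROUPS = [(0, ["root", "darcy"]), (104, [])]

if __name__ == "__main__":
    # Usage: python3 audit.py <key file> [...]
    for key_path in sys.argv[1:]:
        shared = audit_path(key_path)
        print(key_path, "shared with: " + ", ".join(shared) if shared else "ok")
```

With the constructed data, a group-readable key owned by gid 0 reports darcy, while the same mode with gid 104 reports nobody.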