Closed ckristo closed 4 years ago
Chris,
I need some more information about your Docker environment to try to replicate this issue. I tried to do so in my test lab environment and could not reproduce the problem. My environment is:
Host: Debian 10.4 (buster) Stable
Docker: 5:19.03.9~3-0~debian-buster
I tried both 2.11-Beta2 and the current release we're working on ( likely 2.12 due to the amount of time that's passed since the last release ) ... you shouldn't have to set "RequireSafeKeys"
If the safe key check has an issue -- you will need to contact your distribution maintainers, or the docker developers as it's not in the domain of the Trusted Domain Project.
-Martin
On Thu, Jun 25, 2020 at 6:01 PM Christoph Kindl notifications@github.com wrote:
Hi,
I'm running OpenDKIM 2.11.0-Beta2 in a Docker container based on Alpine. After migrating the setup from my physical machine into the Docker container, I got the following error:
mail._domainkey.domain1.net: key data is not secure: opendkim is in group 0 which has multiple users (e.g., "sync")
Checking the key permissions, everything seems fine for me:
```
/etc/opendkim # ls -l
total 36
-rw-r--r--    1 opendkim opendkim       369 Jun  4 09:34 KeyTable
-rw-r--r--    1 opendkim opendkim       177 Jun  4 09:34 SigningTable
-rw-r--r--    1 opendkim opendkim        86 Jun  4 09:34 TrustedHosts
drwx------    6 opendkim opendkim        86 Jun  4 09:34 keys
-rw-r--r--    1 opendkim opendkim     21919 Jun 25 22:38 opendkim.conf

/etc/opendkim/keys # ls -l
total 0
drwx------    2 opendkim opendkim        42 Jun  4 09:34 domain1.net

/etc/opendkim/keys/domain1.net # ls -la
total 8
drwx------    2 opendkim opendkim        42 Jun  4 09:34 .
drwx------    6 opendkim opendkim        86 Jun  4 09:34 ..
-rw-------    1 opendkim opendkim       887 Jun  4 09:34 mail.private
-rw-------    1 opendkim opendkim       309 Jun  4 09:34 mail.txt
```
OpenDKIM runs under the user `opendkim`. Here are the relevant parts of passwd and group:
```
/ # cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
...
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
...
operator:x:11:0:operator:/root:/sbin/nologin
...
opendkim:x:101:102:opendkim:/run/opendkim:/sbin/nologin

/ # cat /etc/group
root:x:0:root
...
opendkim:x:102:opendkim

e6d59cba7235:~$ whoami
opendkim
e6d59cba7235:~$ groups
opendkim
```
Any ideas what could be wrong here? The strangest thing for me is that the safe key check says my user is in group 0, which it clearly isn't. I checked that all key files are owned by opendkim as well. Maybe the safe key check has a problem? I noticed that in Alpine Linux several users have group 0 assigned which seems to be not the case for other distros.
Any idea what I could miss?
For others having similar issues: I mitigated the problem by setting `RequireSafeKeys No` in the config for now. However, this should not be used carelessly - key permissions should be correctly set.
Thanks for your support!
Cheers, Chris
Hi Martin,
Thanks for your support.
Docker version 19.03.8, build afacb8b7f0
(as delivered with Ubuntu 20.04 LTS)

docker-compose version 1.25.0, build unknown
(as delivered with Ubuntu 20.04 LTS)

I'm using docker-compose to orchestrate all my MX related containers; here is the relevant part of the docker-compose.yml file:
```yaml
version: '2.4'
services:
  opendkim:
    build: build/opendkim
    container_name: mx_opendkim
    init: true
    restart: always
    volumes:
      - ./config/opendkim:/etc/opendkim
    tmpfs:
      - /run/opendkim:uid=100,gid=101
      - /tmp
    logging:
      driver: syslog
      options:
        tag: docker-projects/mx_opendkim
volumes:
networks:
  default:
```
I quickly checked the source, and there is some logic which checks if a key used for signing is only accessible by the user running OpenDKIM. When looking at my setup, it is a bit strange that the check fails with the message that my opendkim user is in group 0 - it isn't. A special thing under Alpine seems to be that several users are located in group 0 (root) - I can imagine that this is not the case for other distros (at least under the latest Ubuntu - I checked it there) and therefore this problem might not show up on other distros.
Best regards, Chris
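The permission logic described in this thread, rebuilt as a standalone model so the decision can be reproduced offline against a container's passwd/group data. This is an added example and not OpenDKIM's own code: the exact policy (daemon must own the key, nobody else may read or write it, and a group-accessible key is rejected when its group has members other than the daemon) is an assumption modelled on the error message above, and the `ALPINE_PASSWD` / `ALPINE_GROUP` tables are constructed from the excerpts Chris posted.

```python
import os
import pwd
import grp
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class PwEntry:
    name: str
    uid: int
    gid: int


@dataclass(frozen=True)
class GrEntry:
    name: str
    gid: int
    members: tuple  # supplementary members listed in /etc/group


# Constructed sample tables mirroring the passwd/group excerpts posted in the
# issue (Alpine puts several system accounts into primary group 0).
ALPINE_PASSWD = (
    PwEntry("root", 0, 0),
    PwEntry("sync", 5, 0),
    PwEntry("shutdown", 6, 0),
    PwEntry("halt", 7, 0),
    PwEntry("operator", 11, 0),
    PwEntry("opendkim", 101, 102),
)
ALPINE_GROUP = (
    GrEntry("root", 0, ()),
    GrEntry("opendkim", 102, ("opendkim",)),
)


def group_members(gid, passwd, group):
    """All accounts that can act as group gid: users whose primary gid is gid
    plus the supplementary members listed for that gid in /etc/group."""
    names = {p.name for p in passwd if p.gid == gid}
    for g in group:
        if g.gid == gid:
            names.update(g.members)
    return sorted(names)


def key_is_safe(mode, owner_uid, owner_gid, daemon, passwd, group):
    """Decide whether a private key file may be used for signing.

    mode is the st_mode of the key file (permission bits only are used);
    owner_uid/owner_gid are its owner; daemon is the account the signer runs
    as. Returns (ok, reason). The policy is an assumption modelled on the
    thread, not the project's code.
    """
    perm = stat.S_IMODE(mode)
    me = next((p for p in passwd if p.name == daemon), None)
    if me is None:
        return False, f"unknown daemon user {daemon!r}"
    if owner_uid != me.uid:
        return False, f"key is owned by uid {owner_uid}, not by {daemon}"
    if perm & (stat.S_IROTH | stat.S_IWOTH):
        return False, "key is world readable or writable"
    if perm & (stat.S_IRGRP | stat.S_IWGRP):
        # Group-accessible: acceptable only if the daemon is the sole member.
        others = [n for n in group_members(owner_gid, passwd, group) if n != daemon]
        if others:
            return False, (f"key is group-accessible and group {owner_gid} has "
                           f"multiple users (e.g., \"{others[0]}\")")
    return True, "ok"


def check_key_file(path, daemon):
    """Live variant: apply the same policy to a real file using the running
    system's passwd/group databases (run it inside the container)."""
    st = os.stat(path)
    passwd = tuple(PwEntry(p.pw_name, p.pw_uid, p.pw_gid) for p in pwd.getpwall())
    group = tuple(GrEntry(g.gr_name, g.gr_gid, tuple(g.gr_mem)) for g in grp.getgrall())
    return key_is_safe(st.st_mode, st.st_uid, st.st_gid, daemon, passwd, group)


if __name__ == "__main__":
    # The key exactly as listed in the issue: -rw------- opendkim:opendkim
    print(key_is_safe(0o600, 101, 102, "opendkim", ALPINE_PASSWD, ALPINE_GROUP))
    # The same key if it were group-readable and assigned to group 0
    print(key_is_safe(0o640, 101, 0, "opendkim", ALPINE_PASSWD, ALPINE_GROUP))
```

Against the posted listing (mode 0600, owner opendkim:opendkim) the model accepts the key; only a group-readable key whose group has other members, such as group 0 on Alpine, is rejected with a "multiple users" reason. `check_key_file` is the form to run inside the container before relaxing `RequireSafeKeys`: if it passes there while the daemon still refuses the key, the discrepancy lies in what the daemon process sees (its effective ids, the tmpfs uid/gid options, or the container's passwd/group lookups), not in the file permissions themselves.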
I think this is a specific issue with Ubuntu... it's not present in Debian, Fedora / CentOS. Since this likely only affects Ubuntu and we don't officially support Docker ( build files are made downstream ) this one has to be a "wontfix" and should be reported against Docker or the distribution.
Well, in fact I'm having an identical message in maillog and I'm using CentOS, so it's not exclusive or specific to Ubuntu.