OpenDKIM : "key not secure"

microlinux · January 18, 2024, 2:43pm

Hi,

I’m currently fiddling with OpenDKIM under Rocky Linux 8. Currently I have OpenDKIM running on a CentOS 7 production server, and things are OK. My setup is documented here in my old archived blog:

I could manage to make this configuration work under Rocky Linux 8. But when I want to test my keys, I get the following result:

# opendkim-testkey -d slackbox.fr -s 01 -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key '01._domainkey.slackbox.fr'
opendkim-testkey: key not secure
opendkim-testkey: key OK

Everything on my Rocky Linux 8 setup is exactly like it was under CentOS 7. Except now I get a key not secure response.

A brief Google search shows me that apparently this is due to the fact that I don’t use DNSSEC on my BIND DNS server.

I tried the setup anyway with my mail server, but unfortunately the online test shows me that DKIM is not working.

Does anybody here have experience with OpenDKIM ? Can you confirm that I now need DNSSEC to make it work ? I bluntly admit I know nothing about DNSSEC, except that I’m vaguely intimidated by it.

Any suggestions ?

iwalker · January 18, 2024, 3:35pm

It’s nothing to do with DNSSEC, I don’t have DNSSEC enabled, and I don’t have this problem.

Most likely it is the permissions on the key. Assuming your key is under /etc/opendkim/keys - then you need to set permissions on it to 600:

chmod 600 /etc/opendkim/keys/mydomain.private

or whatever the name of the file is.

microlinux · January 18, 2024, 4:52pm

I checked, and permissions on the key are already 0600. So the problem must be somewhere else. I’m clueless.

microlinux · January 18, 2024, 5:42pm

I checked some more, and I’m even more puzzled.

There was a problem with Postfix being unable to connect to OpenDKIM under the hood, but I could solve that with the right option in opendkim.conf.

Now DKIM seems to work and (most importantly) when I send a mail to check-auth@verifier.port25.com, the test succeeds and I get a nice DKIM = pass in response.

But still this key not secure warning as an answer to opendkim-testkey.

I’m puzzled.

iwalker · January 18, 2024, 6:05pm

Do you have a line like this in your opendkim.conf?

TrustAnchorFile       /usr/share/dns/root.key

mine is on a Debian system, so the path to this file might be different, as well as the name of this file. This file on my system has permissions 644.

To be honest I never used the test binary on my system, I just sent emails to see if they were signed and if gmail accepted them and verified it.

microlinux · January 18, 2024, 7:14pm

No, this line is not present. I came across this suggestion in another discussion though.

iwalker · January 18, 2024, 7:34pm

Actually that line doesn’t matter as far as I see. I commented it out, restart opendkim service, and ran the test and I don’t get that error. No idea why, but I definitely don’t use DNSSEC.

microlinux · January 18, 2024, 9:51pm

Which version of OpenDKIM do you run, and on what distribution ?

iwalker · January 19, 2024, 7:06am

Opendkim 2.11.0 on Debian 11 Bullseye.

system · March 19, 2024, 7:07am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Rocky 9.3 + OpenDKIM + Latest SSSD packages Rocky Linux General rocky-linux-9	12	769	April 8, 2024
[Security] SSH - CVE-2021-41617 Rocky Linux General	4	309	February 8, 2024
Unable to SSH to rocky 9.1 Rocky Linux General	2	1566	August 25, 2023
TLS errors in unbound Rocky Linux General	8	966	August 25, 2023
SELinux message Rocky Linux General	3	538	August 25, 2023

OpenDKIM : "key not secure"

Related Topics