bug report: Rspamd DKIM private key permissions warning on startup about docker-mailserver HOT 11 CLOSED

I see. This may be a weird bug on our side that only surfaces during the update; I don't really know. I will close this for now; please let me know when it pops back up.

from docker-mailserver.

@georglauterbach

<filename>= mydomain.zone

i.e. the whole domain part is the following:

domain {
    mydomain.zone {
        path = "/tmp/docker-mailserver/rspamd/dkim/mydomain.zone.private";
        selector = "dkim1";
    }
}

from docker-mailserver.

override.d/dkim_signing.conf is the same as above, just with two domains.

I cannot reproduce the error (with/without LOG_LEVEL=trace). To me it seems like a one-time error. chmod 644 wasn't really necessary.

In a backup from before the upgrade to 14.0.0 the files were owned by 113:115. After the update they are owned by 111:114 (_rspamd:_rspamd). I guess this change of ownership was done after the script complained about wrong rights during first start of 14.0.0.

from docker-mailserver.

@georglauterbach

root@mail:/# ls -lha /tmp/docker-mailserver/rspamd/dkim
total 8.0K
drwxr-xr-x. 2 _rspamd _rspamd   56 Apr 20  2023 .
drwxr-xr-x. 3 redis   _rspamd   46 Apr  4 12:25 ..
-rw-r-----. 1 _rspamd _rspamd 1.7K Apr 20  2023 mydomain.zone.private
-rw-r--r--. 1 _rspamd _rspamd  452 Apr 20  2023 mydomain.zone.txt

root@mail:/# ls -nh /tmp/docker-mailserver/rspamd/dkim/mydomain.zone.private
-rw-r-----. 1 111 114 1.7K Apr 20  2023 /tmp/docker-mailserver/rspamd/dkim/mydomain.zone.private

I suppose to agree with @some-user123 regarding one-time error, the warning is gone after I restarted the DMS with
docker-compose down && docker-compose up -d

from docker-mailserver.

Please note that this response was created using generative AI, leveraging previously available information from the repository. This information may be helpful. However, it is our strong recommendation that you carefully consider the information before blindly applying it.

This response is generated only once - you will not be able to interact with the glime-ai.

It seems like you are encountering a permissions issue with the Rspamd DKIM private key file after upgrading to version 14.0.0. This issue was previously addressed in PR #3669, but it appears to have resurfaced.

To help resolve this, please check the following:

1. File Ownership and Permissions: Ensure that the DKIM private key file has the correct ownership and permissions. The file should be owned by the _rspamd user and group, and should not be world-readable. You can set the correct permissions using the following commands:

   chown _rspamd:_rspamd /tmp/docker-mailserver/rspamd/dkim/<filename>.private
   chmod 600 /tmp/docker-mailserver/rspamd/dkim/<filename>.private

2. Configuration Changes: Verify if there have been any changes in the configuration files that might affect the permissions or ownership settings.

3. Logs: Check the logs for any additional error messages that might provide more context on the issue.

If the issue persists, please provide more details about your configuration and any relevant log output to help diagnose the problem further.

This comment was generated by Glime.

from docker-mailserver.

(Rspamd setup) Rspamd DKIM private key file '/tmp/docker-mailserver/rspamd/dkim/.private' does not appear to have correct permissions/ownership for Rspamd to use it

This seems to indicate the setup procedure may have parsed the configuration wrong. Please post the contents of /etc/rspamd/local.d/dkim_signing.conf or /etc/rspamd/local.d/dkim_signing.conf, or both if you have both.

from docker-mailserver.

@georglauterbach I only have this config (and it wasn't changed on DMS update):

root@mail:/# cat  /etc/rspamd/override.d/dkim_signing.conf
# documentation: https://rspamd.com/doc/modules/dkim_signing.html

enabled = true;

sign_authenticated = true;
sign_local = true;

use_domain = "header";
use_redis = false; # don't change unless Redis also provides the DKIM keys
use_esld = true;
check_pubkey = true;

domain {
    mydomain.zone {
        path = "/tmp/docker-mailserver/rspamd/dkim/<filename>.private";
        selector = "dkim1";
    }
}

from docker-mailserver.

You seem to have anonymised <filename>; this was not only not necessary (it is not security-related information), I actually need to know exactly this line for my investigation. Hence, please tell me what <filename> really is.

from docker-mailserver.

Thanks! I will check the logic later and report back.

from docker-mailserver.

I'm experiencing the same issue (also no local.d, but only override.d/dkim_signing.conf.

For me it helped as a workaround to set permissions of *.private.txt to 644 instead of 640.

from docker-mailserver.

Our script should be parsing this file correctly. Can you use LOG_LEVEL=trace and provide the Rspamd-related log? I am looking for a line that reads Checking DKIM file '<FILE>'.

Please also check whether a hidden file exists in /tmp/docker-mailserver/rspamd/dkim by running ls -lha /tmp/docker-mailserver/rspamd/dkim.

Please also post the output of ls -lh /tmp/docker-mailserver/rspamd/dkim/mydomain.zone.private.

@some-user123 please also provide your full override.d/dkim_signing.conf and the output of ls -lh <PATH TO YOUR PRIVATE KEY FILE>.

from docker-mailserver.