OpenDKIM Failed to start

SYSTEM INFORMATION
OS type and version CentOS 7.9.2009
Webmin version 1.990
Virtualmin version 6.17
opendkim version 2.11.0-0.1.el7

For some reason opendkim will not start. We have always tried to limit changes to our system and if any are made we make them by way of the Virtualmin web interface. So when we installed DKIM, it was done with Virtualmin → Email Settings → DomainKeys Identified Mail. However, when we try to start the service it fails with the following:

Apr 05 11:25:59 server2.com systemd[1]: Starting DomainKeys Identified Mail (DKIM) Milter...
-- Subject: Unit opendkim.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit opendkim.service has begun starting up.
Apr 05 11:25:59 server2.com opendkim[19855]: /etc/opendkim/keys/default.private: key data is not secure: / is writeable and owned by uid 500 which is not the executing uid (499) or the superuser
Apr 05 11:25:59 server2.com opendkim[19855]: opendkim: /etc/opendkim.conf: / is writeable and owned by uid 500 which is not the executing uid (499) or the superuser
Apr 05 11:25:59 server2.com systemd[1]: opendkim.service: control process exited, code=exited status=78
Apr 05 11:25:59 server2.com systemd[1]: Failed to start DomainKeys Identified Mail (DKIM) Milter.
-- Subject: Unit opendkim.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit opendkim.service has failed.
--
-- The result is failed.
Apr 05 11:25:59 server2.com systemd[1]: Unit opendkim.service entered failed state.
Apr 05 11:25:59 server2.com systemd[1]: opendkim.service failed.

“server2.com” is just a filler for our actual server name. When looking at the error, it appears that it is a rights issue. When we check the ownership:

[root@server2 log]# ls -lnd /etc/opendkim
drwxr-xr-x 3 499 498 4096 Apr  5 10:02 /etc/opendkim

IDs 499 and 498 are the actual user and group numbers for opendkim. So, why is the service wanting to execute as a different (500) user? The 500 user:group is a user account in one of the virtual domains on the system. We tried removing opendkim with yum and then reinstalling using Virtualmin but still have the same result. We do have another server that runs opendkim just fine and we see no differences in configurations.

Any help would be greatly appreciated.

Not sure, some older info I have, but don’t follow it blindly; backups and reading about it, have not time to check if those are OK!!

For if you have done DKIM yourself before, there was a time it wasn’t all of it in Virtualmin itself, I think.

Issue status update for:
https://www.virtualmin.com/node/68336

#4 – Mon, 02/03/2020 - 17:54 : fra93ita
https://www.virtualmin.com/node/68336#comment-822357
Actually I’ve set up both (default and .conf) via TCP port, I just don’t
care doin’ it with socket file; when I’ll have time, I’ll test again via
socket file

  1. Change in /etc/opendkim.conf

Socket inet:8891@127.0.0.1

  2. Change in /etc/default/opendkim

SOCKET="inet:8891@127.0.0.1"

  3. Change in /lib/systemd/system/opendkim.service

ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p inet:8891@127.0.0.1

And if used the dkim milter port in firewall

And the user / group rights and owners
/etc/opendkim/keys/default.private: key data is not secure:

opendkim - Debian Wiki. I know it is Debian, but info’s

DKIM needs Virtualmin’s DNS, or used to. You have not disabled it, I suppose?

I actually do not use Virtualmin’s DNS, but when making a save to the DKIM settings in Virtualmin, it is updating the Virtualmin DNS. I’ve even started the DNS back up and attempted to make changes and to try and start DKIM, no change, same error.

Not sure if this is the best solution but I was able to get opendkim to start following the link you provided.

# grep RequireSafeKeys /etc/opendkim.conf
RequireSafeKeys         false

Will run the tests now to see if everything starts to verify correctly.

Is not the best, but if it works give some time to find better.
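Added example (not part of the original thread, and not OpenDKIM's own code): the log line names `/` itself, not `/etc/opendkim`, as the writable path owned by uid 500, so this sketch walks every component of the key path and reports each one that trips the condition worded in that message. The function names and the ownership table are assumptions; only uid 500 on `/` and uid 499 with `drwxr-xr-x` on `/etc/opendkim` are taken from the posts above.

```python
import os
import stat
import sys

def components(path):
    """Return the path and each parent directory up to '/', deepest first."""
    path = os.path.abspath(path)
    out = [path]
    while path != os.path.dirname(path):
        path = os.path.dirname(path)
        out.append(path)
    return out

def is_unsafe(owner_uid, mode, exec_uid):
    """Condition as worded in the log line (an assumption, not OpenDKIM's source):
    owner-writable and owned by a uid that is neither the executing uid nor root."""
    return bool(mode & stat.S_IWUSR) and owner_uid not in (0, exec_uid)

def audit(path, exec_uid, stat_fn=os.stat):
    """List (path, owner uid, permissions) for every component that trips the check."""
    findings = []
    for p in components(path):
        st = stat_fn(p)
        if is_unsafe(st.st_uid, st.st_mode, exec_uid):
            findings.append((p, st.st_uid, stat.filemode(st.st_mode)))
    return findings

# Constructed sample. Only uid 500 on "/" and uid 499 with drwxr-xr-x on
# /etc/opendkim come from the thread; every other value is assumed.
SAMPLE = {
    "/": (500, 0o40755),
    "/etc": (0, 0o40755),
    "/etc/opendkim": (499, 0o40755),
    "/etc/opendkim/keys": (499, 0o40750),
    "/etc/opendkim/keys/default.private": (499, 0o100600),
}

def sample_stat(p):
    """Stand-in for os.stat that serves the constructed table above."""
    uid, mode = SAMPLE[p]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))

if __name__ == "__main__":
    # With two arguments (path, executing uid) the real filesystem is audited.
    if len(sys.argv) == 3:
        hits = audit(sys.argv[1], int(sys.argv[2]))
    else:
        hits = audit("/etc/opendkim/keys/default.private", 499, sample_stat)
    for p, uid, perms in hits:
        print(f"{p}: {perms} owned by uid {uid}")
```

On the constructed table the only finding is `/`, which is the directory whose owner would need to go back to root before `RequireSafeKeys` could be left enabled.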
