
dkim issue after last update #92

Open
davordragic opened this issue Sep 1, 2023 · 4 comments

Comments

@davordragic

I'm using latest docker image, dkim sign worked fine for last 6-7 months, but with latest docker image (recreated) it stopped working.

I did try to use previous versions, but no luck. Still the same issue (docker logs):

```
xxx-postfix-1 | DNS records:
xxx-postfix-1 | vps._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; p=xxx" )
xxx-postfix-1 | Starting OpenDKIM: opendkim.
xxx-postfix-1 | Starting Postfix Mail Transport Agent: postfix.
xxx-postfix-1 | 2023-09-01T16:49:24.562639+00:00 55c29361f16a rsyslogd: [origin software="rsyslogd" swVersion="8.1901.0" x-pid="147" x-info="https://www.rsyslog.com"] start
xxx-postfix-1 | 2023-09-01T16:49:24.563632+00:00 55c29361f16a postfix/master[145]: daemon started -- version 3.4.23, configuration /etc/postfix
xxx-postfix-1 | 2023-09-01T16:49:32.484746+00:00 55c29361f16a postfix/smtpd[152]: connect from xxx_default[172.0.0.5]
xxx-postfix-1 | 2023-09-01T16:49:32.495255+00:00 55c29361f16a postfix/smtpd[152]: 78E23E0137: client=xxx-1.xxx[172.0.0.5]
xxx-postfix-1 | 2023-09-01T16:49:32.496170+00:00 55c29361f16a postfix/cleanup[155]: 78E23E0137: message-id=[email protected]
xxx-postfix-1 | 2023-09-01T16:49:32.537913+00:00 55c29361f16a opendkim[33]: vps._domainkey.xxx: key data is not secure: /etc/opendkim/keys/xxx/vps.private
xxx-postfix-1 | 2023-09-01T16:49:32.537923+00:00 55c29361f16a opendkim[33]: 78E23E0137: error loading key 'vps._domainkey.xxx'
xxx-postfix-1 | 2023-09-01T16:49:32.537963+00:00 55c29361f16a postfix/cleanup[155]: 78E23E0137: milter-reject: END-OF-MESSAGE from xxx-1.xxx[172.0.0.5]: 4.7.1 Service unavailable - try again later; from=develop@xxx to=[email protected] proto=ESMTP helo=<dev.xxx>
xxx-postfix-1 | 2023-09-01T16:49:32.600292+00:00 55c29361f16a postfix/smtpd[152]: disconnect from xxx-1.xxx[172.0.0.5] ehlo=1 mail=1 rcpt=1 data=0/1 quit=1 commands=4/5
```

File permissions:

```
-rw------- 1 opendkim opendkim 1704 Aug 29 10:49 vps.private
-rwx--x--- 1 opendkim opendkim 449 Aug 29 10:49 vps.txt
```

I did try changing vps.txt to only u+rw (but no change).
I tried to generate new keys, and same issue.

What could cause this?

@davordragic
Author

davordragic commented Sep 1, 2023

I have added

```
OPENDKIM_RequireSafeKeys=no
```

and it works again. But this does not feel good.

docker-compose.yml

```yaml
postfix:
  image: mwader/postfix-relay:latest
  restart: unless-stopped
  volumes:
    - dkimdata:/etc/opendkim/keys/
  environment:
    - POSTFIX_myhostname=${HOSTNAME}
    - OPENDKIM_DOMAINS=xxx.xx=vps
    - OPENDKIM_Selector=vps
```

@wader
Owner

wader commented Sep 2, 2023

Hey, that is strange. The permissions look more restricted than the ones set by default after generating new keys: https://github.com/wader/postfix-relay/blob/master/run#L29-L31

Any idea if postfix has done any change to what is considered secure etc.? I would probably read the postfix doc or code to see what the requirement is.

Looking at #14, which was a similar issue, I get a feeling there might be some volume permission magic/weirdness going on between different docker versions or configurations.

@davordragic
Author

Docker version 23.0.3, build 3e7cbfd
Host: Debian 11 (bullseye)

And I'm using docker volume and not host mounting. So it should not have any issue with that. :/

@wader
Owner

wader commented Sep 3, 2023

Ok thanks, yes, then it feels even weirder. I would probably exec into a container, play around with the permissions and strace a bit, and see if you get any wiser. Is it actually reading/stat-ing the files you're expecting, etc.?
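As an added diagnostic for the "key data is not secure" error above (not code from mwader/postfix-relay or OpenDKIM), the script below gathers, inside the container, the facts a safe-key policy is generally understood to look at: the key file's type, owner and group/other bits, and the ownership and writability of every directory above it. Exactly which of these conditions OpenDKIM's `RequireSafeKeys` rejects is an assumption here, so treat the output as data to compare against opendkim.conf(5), not as the filter's own logic; the daemon user name and key path are arguments.

```sh
#!/bin/sh
# Added diagnostic, not code from mwader/postfix-relay or OpenDKIM: lists the
# ownership/permission facts of a DKIM private key and of every directory above
# it, which a "safe key" policy such as OpenDKIM's RequireSafeKeys is generally
# understood to examine. Exactly what OpenDKIM rejects is an assumption here.
# Usage: dkim_key_safety_check /etc/opendkim/keys/xxx/vps.private opendkim
# Exit status 0 when nothing suspicious was found, 1 otherwise.

mode_of() { stat -c '%A' "$1"; }   # symbolic mode, e.g. -rw------- (GNU/BusyBox stat)
uid_of()  { stat -c '%u' "$1"; }   # numeric owner uid

dkim_key_safety_check() {
    key=$1 user=${2:-opendkim} rc=0
    [ -f "$key" ] || { echo "FAIL: $key is not a regular file"; return 1; }
    # Canonical absolute path so the ancestor walk below terminates at /.
    abs=$(cd "$(dirname "$key")" && pwd -P)/$(basename "$key")
    mode=$(mode_of "$abs"); owner=$(uid_of "$abs")
    group=$(printf '%s' "$mode" | cut -c5-7); other=$(printf '%s' "$mode" | cut -c8-10)
    # Daemon uid as resolved in this container; skipped if the user is unknown here.
    if want=$(id -u "$user" 2>/dev/null); then
        if [ "$owner" != "$want" ] && [ "$owner" != 0 ]; then
            echo "FAIL: $abs owned by uid $owner but $user is uid $want"; rc=1
        fi
    else
        echo "NOTE: no user named $user here, owner check skipped"
    fi
    case $other in *[rwx]*) echo "FAIL: $abs is accessible by others ($mode)"; rc=1;; esac
    case $group in
        *w*)    echo "FAIL: $abs is group-writable ($mode)"; rc=1 ;;
        *[rx]*) echo "WARN: $abs is group-readable ($mode)" ;;
    esac
    # A writable ancestor lets a non-owner swap the key file out even when the
    # file itself is 0600; a sticky directory (t) only gets a warning.
    d=$(dirname "$abs")
    while [ "$d" != / ]; do
        dmode=$(mode_of "$d"); downer=$(uid_of "$d")
        wbits=$(printf '%s' "$dmode" | cut -c6,9,10)   # group w, other w, sticky
        case $wbits in
            *w*[tT]) echo "WARN: directory $d is writable but sticky ($dmode)" ;;
            *w*)     echo "FAIL: directory $d is group/world-writable ($dmode)"; rc=1 ;;
        esac
        if [ "$downer" != 0 ] && [ "$downer" != "$owner" ]; then
            echo "WARN: directory $d is owned by uid $downer, not root or the key owner"
        fi
        d=$(dirname "$d")
    done
    [ "$rc" -eq 0 ] && echo "OK: $abs"
    return "$rc"
}
```

Run it as `docker compose exec postfix sh -c '. ./check.sh; dkim_key_safety_check /etc/opendkim/keys/xxx/vps.private opendkim'` after copying the script in; a FAIL on a parent directory rather than on the key file itself is the kind of volume-permission difference the thread suspects.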
