DKIM uses wrong config for group and owner.

Discussion in 'Installation/Configuration' started by BenM, Jul 25, 2020.

  1. BenM

    BenM Member

    After migrating from jessie to buster, the system presents strange problems.

    When creating DKIM the system writes a private and a public file to /var/lib/amavis/dkim/. These files have group and ownership set to root, while that should be amavis. I draw that conclusion because the other files are amavis amavis.

    After setting the root root to amavis amavis the DKIM is working. After changing the DKIM it is back on root root.

    How does this get resolved? The permissions are right: amavis:x:122:clamav,_rspamd

    Regards, Ben
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Migrating how?
     
  3. BenM

    BenM Member

    By the ISPConfig Migration Tool
     
    Last edited: Jul 26, 2020
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    This is not related to the Migration. Which exact ISPConfig version do you use?
     
  5. BenM

    BenM Member

    ISPConfig 3.1.15p3
     
  6. BenM

    BenM Member

    Till, no solution for this problem?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    There are no known issues in that version. The permissions change back to root on its own?
     
  8. BenM

    BenM Member

    It's also the case with making new DKIM records.

    Idea to install something new ISPConfig?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    How did you install the system?
     
  10. BenM

    BenM Member

  11. BenM

    BenM Member

    fyi
    Marius Burkard (ISPConfig.org)
    we investigated this and found out that it is a bug in (probably older) versions of ISPConfig that store the cron limits in a way that cannot be imported into newer ISPConfig databases due to strict mode enabled.

    We have now implemented a workaround into the migration tool that converts the invalid value into a valid one before sending it to ISPConfig.
     
    Last edited by a moderator: Jul 27, 2020
  12. till

    till Super Moderator Staff Member ISPConfig Developer

  13. BenM

    BenM Member

    I use rspamd. Will check the debug mode.
     
  14. BenM

    BenM Member

    Output debug

    27.07.2020-16:40 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    27.07.2020-16:40 - DEBUG - Found 4 changes, starting update process.
    27.07.2020-16:40 - DEBUG - Calling function 'rr_delete' from plugin 'bind_plugin' raised by event 'dns_rr_delete'.
    27.07.2020-16:40 - DEBUG - safe_exec cmd: named-checkzone 'anonieme-domeinregistratie.nl.' '/etc/bind/pri.anonieme-domeinregistratie.nl' - return code: 0
    27.07.2020-16:40 - DEBUG - Writing BIND domain file: /etc/bind/pri.anonieme-domeinregistratie.nl
    27.07.2020-16:40 - DEBUG - safe_exec cmd: cd '/etc/bind'; named-checkzone 'anonieme-domeinregistratie.nl' '/etc/bind/pri.anonieme-domeinregistratie.nl' | egrep -ho '[0-9]{10}' - return code: 0
    Verifying the zone using the following algorithms: NSEC3RSASHA1.
    Zone fully signed:
    Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
    ZSKs: 1 active, 0 stand-by, 0 revoked
    27.07.2020-16:40 - DEBUG - safe_exec cmd: cd '/etc/bind'; dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o 'anonieme-domeinregistratie.nl' -t 'pri.anonieme-domeinregistratie.nl' - return code: 0
    27.07.2020-16:40 - DEBUG - Writing BIND named.conf.local file: /etc/bind/named.conf.local
    27.07.2020-16:40 - DEBUG - Processed datalog_id 29564
    27.07.2020-16:40 - DEBUG - Calling function 'rr_insert' from plugin 'bind_plugin' raised by event 'dns_rr_insert'.
    27.07.2020-16:40 - DEBUG - safe_exec cmd: named-checkzone 'anonieme-domeinregistratie.nl.' '/etc/bind/pri.anonieme-domeinregistratie.nl' - return code: 0
    27.07.2020-16:40 - DEBUG - Writing BIND domain file: /etc/bind/pri.anonieme-domeinregistratie.nl
    27.07.2020-16:40 - DEBUG - safe_exec cmd: cd '/etc/bind'; named-checkzone 'anonieme-domeinregistratie.nl' '/etc/bind/pri.anonieme-domeinregistratie.nl' | egrep -ho '[0-9]{10}' - return code: 0
    Verifying the zone using the following algorithms: NSEC3RSASHA1.
    Zone fully signed:
    Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
    ZSKs: 1 active, 0 stand-by, 0 revoked
    27.07.2020-16:40 - DEBUG - safe_exec cmd: cd '/etc/bind'; dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o 'anonieme-domeinregistratie.nl' -t 'pri.anonieme-domeinregistratie.nl' - return code: 0
    27.07.2020-16:40 - DEBUG - Writing BIND named.conf.local file: /etc/bind/named.conf.local
    27.07.2020-16:40 - DEBUG - Processed datalog_id 29565
    27.07.2020-16:40 - DEBUG - Calling function 'soa_update' from plugin 'bind_plugin' raised by event 'dns_soa_update'.
    27.07.2020-16:40 - DEBUG - safe_exec cmd: named-checkzone 'anonieme-domeinregistratie.nl.' '/etc/bind/pri.anonieme-domeinregistratie.nl' - return code: 0
    27.07.2020-16:40 - DEBUG - Writing BIND domain file: /etc/bind/pri.anonieme-domeinregistratie.nl
    27.07.2020-16:40 - DEBUG - safe_exec cmd: cd '/etc/bind'; named-checkzone 'anonieme-domeinregistratie.nl' '/etc/bind/pri.anonieme-domeinregistratie.nl' | egrep -ho '[0-9]{10}' - return code: 0
    Verifying the zone using the following algorithms: NSEC3RSASHA1.
    Zone fully signed:
    Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
    ZSKs: 1 active, 0 stand-by, 0 revoked
    27.07.2020-16:40 - DEBUG - safe_exec cmd: cd '/etc/bind'; dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o 'anonieme-domeinregistratie.nl' -t 'pri.anonieme-domeinregistratie.nl' - return code: 0
    27.07.2020-16:40 - DEBUG - Writing BIND named.conf.local file: /etc/bind/named.conf.local
    27.07.2020-16:40 - DEBUG - Processed datalog_id 29566
    27.07.2020-16:40 - DEBUG - Calling function 'domain_dkim_update' from plugin 'mail_plugin_dkim' raised by event 'mail_domain_update'.
    27.07.2020-16:40 - DEBUG - Saved DKIM Private-key to /var/lib/amavis/dkim/anonieme-domeinregistratie.nl.private
    27.07.2020-16:40 - DEBUG - safe_exec cmd: cat '/var/lib/amavis/dkim/anonieme-domeinregistratie.nl.private'|openssl rsa -pubout 2> /dev/null - return code: 0
    27.07.2020-16:40 - DEBUG - Saved DKIM Public to anonieme-domeinregistratie.nl.
    27.07.2020-16:40 - DEBUG - Processed datalog_id 29567
    27.07.2020-16:40 - DEBUG - Calling function 'restartBind' from module 'dns_module'.
    27.07.2020-16:40 - DEBUG - Calling function 'restartRspamd' from module 'mail_module'.
    27.07.2020-16:40 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
     
  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What owner and permissions ended up in /var/lib/amavis/dkim/*?
    On my production machine there is one .private and .public pair that is owned root:root. Others are amavis:amavis. The root:root pair is the latest, from July 1st. Strange.
    I have not noticed anything wrong, at least not yet.
     
  16. florian030

    florian030 Well-Known Member HowtoForge Supporter

    As long as the key files have 644 (or maybe 444) and amavis can access /var/lib/amavis/dkim/, amavis can read the key. Usually, /var/lib/amavis/dkim/ is owned by amavis.amavis with 750.
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you have 3.1.15p3 or 3.1dev installed on that server?
     
  18. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It is
    (Debian Stretch) ISPConfig 3.1.15p3
     
  19. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I noticed the permissions are all
    Code:
    -rw-r--r--
    Should the .private key have no read for others?
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Depends on the permissions of the directory the key is in. If the directory permissions are like this, then it's ok:

    [root@server1 ]# ls -la /var/lib/amavis/dkim/
    total 0
    drwxr-x---. 2 amavis amavis 6 Jul 17 17:10 .
    drwxr-x---. 3 amavis amavis 18 Jul 17 17:10 ..
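
Added example, not part of the thread or of ISPConfig's code: a shell check of the point made in the last two posts, that a `-rw-r--r--` private key is only reachable by other local users when the directory lets them in. It assumes GNU `stat` (as on Debian) and inspects only the key directory itself, not its parents; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit DKIM private keys in a key directory.
# Assumption: GNU stat (coreutils). Function names are hypothetical.

# key_verdict DIR_MODE FILE_MODE -> prints "exposed" or "protected".
# Other local users can read a key only if they may traverse the
# directory (x bit = 1) AND read the file (r bit = 4).
key_verdict() {
    kv_d=${1#"${1%?}"}   # last octal digit = permissions for "others"
    kv_f=${2#"${2%?}"}
    if [ $(( (kv_d & 1) && (kv_f & 4) )) -eq 1 ]; then
        echo exposed
    else
        echo protected
    fi
}

# audit_dkim_dir DIR -> one line per *.private key:
#   <verdict> <owner>:<group> <mode> <path>
# Returns 0 if every key is protected, 1 if any is exposed,
# 2 if the directory cannot be inspected.
audit_dkim_dir() {
    ad_dir=$1
    ad_rc=0
    ad_dmode=$(stat -c '%a' "$ad_dir") || return 2
    for ad_key in "$ad_dir"/*.private; do
        [ -e "$ad_key" ] || continue          # no keys: glob stayed literal
        ad_fmode=$(stat -c '%a' "$ad_key")
        ad_owner=$(stat -c '%U:%G' "$ad_key") # e.g. root:root vs amavis:amavis
        ad_verdict=$(key_verdict "$ad_dmode" "$ad_fmode")
        if [ "$ad_verdict" = exposed ]; then
            ad_rc=1
        fi
        printf '%s %s %s %s\n' "$ad_verdict" "$ad_owner" "$ad_fmode" "$ad_key"
    done
    return $ad_rc
}

# Usage on the server from this thread (run as root):
#   audit_dkim_dir /var/lib/amavis/dkim
```

The owner column shows at a glance which key pairs were written as root:root instead of amavis:amavis.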
     
