Nethserver 8 mail DKIM not signed

In nethserver 8, after generating dkim signature, the message isn’t signed with the dkim.
The error is the following from rspmd
cannot load dkim key /var/lib/rspamd/dkim/default.key: cannot map key file: ‘/var/lib/rspamd/dkim/default.key’ Permission denied

The file present in /home/mail1/.local/share/containers/storage/volumes/rspmd-data/_data/dkim/default.key has permission 600
For temporary fix change permission to 640

1 Like

Yes, I can confirm. I had to struggle with this too.

root@mdol-ns8:~# runagent -m mail1
runagent: [INFO] starting bash -l
runagent: [INFO] working directory: /home/mail1/.config/state
mail1@mdol-ns8:~/.config/state$ ls
CACHEDIR.TAG  apitoken.cache  discovery.env  environment  rspamd.env
agent.env     dh.pem          dovecot.env    pcdb
mail1@mdol-ns8:~/.config/state$ podman exec -ti rspamd ash
/ # ls /var/lib/rspamd/dkim/default.
default.key  default.txt
/ # ls -l /var/lib/rspamd/dkim/default.key
-rw-------    1 root     rspamd        1675 Jun 15 13:00 /var/lib/rspamd/dkim/default.key
/ # chmod g+r /var/lib/rspamd/dkim/default.key
/ # ls -l /var/lib/rspamd/dkim/default.key
-rw-r-----    1 root     rspamd        1675 Jun 15 13:00 /var/lib/rspamd/dkim/default.key

You also have to set permissions for rspamd.

The solution comes from @mrmarkuz


There’s an open bug


a fix is going to be verified and released, the bug concerns only new installation from mail:1.4.3, the fix will take care only for new installation, for installation done from 1.4.3 you could fix them by a CLI

runagent -m mail1 podman exec -ti rspamd chmod g+r /var/lib/rspamd/dkim/default.key


Released in Release 1.4.4 · NethServer/ns8-mail · GitHub

At minute 94, @stephdl and @lucag persuaded me to automatically apply the fix to existing installations that were created with version 1.4.3.

Version 1.4.3, released on June 14, has seen many more new installations than I expected.


wise decision @davidep

1 Like