From e764e658ce6d32751a2a6bff83ab8fd55cd5b3c9 Mon Sep 17 00:00:00 2001
From: Quentin Duchemin <quentinduchemin@tuta.io>
Date: Wed, 19 Aug 2020 15:32:39 +0200
Subject: [PATCH] [Mail] Set RequireSafeKeys to false for OpenDKIM

This is because OpenDKIM requires the private key to be writable only by the user opendkim and root.

But the postfix user is a member of the opendkim group, which triggers OpenDKIM (even if the key permissions are set to 0600).

We cannot remove postfix from the opendkim group because it needs to access the Milter service running in /opendkim/opendkim.sock.

It would also be possible to chown opendkim:postfix /opendkim/opendkim.sock, but I don't know if it would solve the problem.

The fact is: the container runs as root; if it gets compromised, the private key will not be safe anyway.
---
 pica-mail/pica-mail-mta/spam/opendkim.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pica-mail/pica-mail-mta/spam/opendkim.conf b/pica-mail/pica-mail-mta/spam/opendkim.conf
index 2d3cfa78..1907e42b 100644
--- a/pica-mail/pica-mail-mta/spam/opendkim.conf
+++ b/pica-mail/pica-mail-mta/spam/opendkim.conf
@@ -96,3 +96,4 @@ Background yes
 DNSTimeout 5
 SignatureAlgorithm rsa-sha256
 OversignHeaders From
+RequireSafeKeys false
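Review bot: the new `RequireSafeKeys false` line at the end of opendkim.conf carries no comment saying why the key-permission check is switched off, so a later reader of the config sees a weakened setting without the reasoning that lives only in the commit message. Please add a comment line above it noting that postfix is in the opendkim group for access to /opendkim/opendkim.sock. The commit message also names an alternative it has not tested (`chown opendkim:postfix /opendkim/opendkim.sock`, which would let postfix leave the group); trying that before merging would show whether the check can stay enabled. If the setting does go in, nothing in this config enforces the 0600 mode on the key any longer, so an explicit mode check on the key file at container start would restore that guard.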
-- 
GitLab