From a139371c207d0c4cbae2fe1e11909e21a5e7f0db Mon Sep 17 00:00:00 2001
From: Quentin Duchemin <quentinduchemin@tuta.io>
Date: Wed, 19 Aug 2020 15:32:39 +0200
Subject: [PATCH] [Mail] Set RequireSafeKeys to false for OpenDKIM

This is because OpenDKIM requires the private key to be writable only by the user opendkim and root.

But the postfix user is a member of the opendkim group, which triggers OpenDKIM (even if the key permissions are set to 0600).

We cannot remove postfix from the opendkim group because it needs to access the Milter service running in /opendkim/opendkim.sock.

It would also be possible to chown opendkim:postfix /opendkim/opendkim.sock, but I don't know if it would solve the problem.

The fact is: the container runs as root; if it gets compromised, the private key will not be safe anyway.
---
 pica-mail/pica-mail-mta/spam/opendkim.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pica-mail/pica-mail-mta/spam/opendkim.conf b/pica-mail/pica-mail-mta/spam/opendkim.conf
index 2d3cfa7..1907e42 100644
--- a/pica-mail/pica-mail-mta/spam/opendkim.conf
+++ b/pica-mail/pica-mail-mta/spam/opendkim.conf
@@ -96,3 +96,4 @@ Background yes
 DNSTimeout 5
 SignatureAlgorithm rsa-sha256
 OversignHeaders From
+RequireSafeKeys false
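Review bot: the new `RequireSafeKeys false` line at the end of opendkim.conf carries no comment, so a later reader of the config has no way to tell that the key permission check was switched off on purpose or why. Please put a short comment above it that states the reason from the commit message (postfix is a member of the opendkim group so it can reach /opendkim/opendkim.sock). The setting also applies to every key this instance loads, not just to the one that triggered the problem, so it would be worth testing the alternative the commit message already mentions (`chown opendkim:postfix /opendkim/opendkim.sock` and dropping postfix from the opendkim group) before merging, since that would let the check stay enabled.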
-- 
GitLab