OpenDKIM

Background
Using a local socket to communicate securely with an MTA requires some subtle configuration. We have four security goals,


 * 1) Allow OpenDKIM to read your DKIM signing keys.
 * 2) Allow your MTA to read and write to a shared socket file.
 * 3) Do not allow the MTA to read your DKIM signing keys.
 * 4) Don't allow anyone other than  to modify the signing keys.

In recent versions of, the opendkim daemon runs as the user and group. Your signing keys should be,


 * 1) Located under
 * 2) Owned by, with group
 * 3) Have mode 640

Taken together, these imply that the group (including the daemon) can read your DKIM signing keys, but not write to them. The problem of the socket is now, essentially: how do you share the socket file between the user and the MTA, without allowing the MTA to read the  group's files? The usual approach here would be to add the MTA to the group, and then allow that group to write to the socket file. However, doing so would allow the MTA to read your DKIM signing keys in this case, and that violates one of our security goals.

Solution
The solution to this problem is to create a new, dedicated group that us used only to control access to the socket. For example, you might


 * 1) Create a new  group.
 * 2) Add the  user to the  group.
 * 3) Add your MTA to the  group.
 * 4) Change the umask in  to allow group-write.

This almost does what we want, except for one critical pitfall: the socket gets created by the user, and as a result, it gets created with that user's primary group,. Since the socket's group isn't, our trick has failed! However, all is not lost: we can change the primary group of the user to , after which the socket will be created with the correct group. With this one crucial modification, everything works as desired.

Example
Here we give a step-by-step example of sharing a local socket with Postfix, running as the user.

First, create the dedicated group that will control access to the socket, and add the  user to it:

Next we will switch the primary group of the user to, and then append the  group back:

Next, edit your to specify the name of a local socket. On Gentoo, the local socket should be located under, because the permissions on that directory are set correctly for you at boot time.

Finally, ensure that the UMask is set correctly in (the ebuild does this for you) so that the socket gets created with group-writable permissions:

With that, we are ready to start OpenDKIM.