can't load key in OpenDKIM Permission denied

Previously working Dovecot / Postfix / DKIM setup with multiple domains working correctly for months.

I attempted to add a new domain name. Retracing what I did for the original ones. Once I got past most issues, with all config files, keys, text records etc working, I could receive email with no problems, but not send email on the new email/domain.

Received the following error:

Mar 23 02:48:49 MainFrame-2017 opendkim[4225]: can't load key from /etc/opendkim/keys/zaehlas.com/mail.private: Permission denied
Mar 23 02:48:49 MainFrame-2017 opendkim[4225]: DF0CF5C4CC0: error loading key 'mail._domainkey.zaehlas.com'

Installed with following versions:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:        16.04
Codename:       xenial
root@MainFrame-2017:/etc/opendkim/keys/zaehlas.com# dpkg -s opendkim | grep '^Version:'
Version: 2.10.3-3build1
root@MainFrame-2017:/etc/opendkim/keys/zaehlas.com# dpkg -s postfix | grep '^Version:'
Version: 3.1.0-3ubuntu0.3

I checked permissions and config files. Working perfectly for 4 domains, not working with the last one. Finally I reset all permissions as recommended in the (MANY) guides I could find, rebooted the entire server, restarted the services multiple times, and now none of my domains will send email using DKIM.

My opendkim.conf (with comments and white space removed)

OversignHeaders     From
TrustAnchorFile       /usr/share/dns/root.key
AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
UserID                  opendkim:opendkim
Socket                  inet:12301@localhost

Permissions in opendkim and keyfiles

root@MainFrame-2017:/etc/opendkim# ls -l
total 16
drw------- 9 opendkim opendkim 4096 Mar 23 00:31 keys
-rw-r--r-- 1 opendkim opendkim  772 Mar 23 02:10 KeyTable
-rw-r--r-- 1 opendkim opendkim  394 Mar 23 00:28 SigningTable
-rw-r--r-- 1 opendkim opendkim  286 Mar 23 02:42 TrustedHosts
root@MainFrame-2017:/etc/opendkim# namei -l /etc/opendkim/keys/zaehlas.com/mail.private
f: /etc/opendkim/keys/zaehlas.com/mail.private
drwxr-xr-x root     root     /
drwxr-xr-x root     root     etc
drwxr-xr-x opendkim opendkim opendkim
drw------- opendkim opendkim keys
drw------- opendkim opendkim zaehlas.com
-rw------- opendkim opendkim mail.private

KeyTable File:

mail._domainkey.zaehlas.com zaehlas.com:mail:/etc/opendkim/keys/zaehlas.com/mail.private
mail._domainkey.bglancesglass.com bglancesglass.com:mail:/etc/opendkim/keys/bglancesglass.com/mail.private
mail._domainkey.millenniumlarp.com millenniumlarp.com:mail:/etc/opendkim/keys/millenniumlarp.com/mail.private
mail._domainkey.pittsburghglassclub.com pittsburghglassclub.com:mail:/etc/opendkim/keys/pittsburghglassclub.com/mail.private
mail._domainkey.pittsburghglassclub.org pittsburghglassclub.org:mail:/etc/opendkim/keys/pittsburghglassclub.org/mail.private
mail._domainkey.chataboutdg.com chataboutdg.com:mail:/etc/opendkim/keys/chataboutdg.com/mail.private
mail._domainkey.lostvalleylegacy.com lostvalleylegacy.com:mail:/etc/opendkim/keys/lostvalleylegacy.com/mail.private

And DKIM Test works:

root@MainFrame-2017:/etc/opendkim# opendkim-testkey -d zaehlas.com -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.zaehlas.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

I've run completely dry of ideas. It worked, and now it doesn't, and nothing critical has changed. I've tried several different permissions, verified opendkim is using correct group and username.

Thank you ahead of time for something I've missed, or for mentioning something to check that none of the other guides mention.



Solution 1:[1]

I had the same problem and fixed it by making the keys and config files (KeyTable, SigningTable etc) executable.

sudo chmod -R ug+x /etc/opendkim
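
Why Solution 1 works, as an added example that is not part of the original question or answers and is not OpenDKIM's own code: in the question's `namei -l` output the key file is `-rw-------` and owned by opendkim, which is fine, but `keys` and `zaehlas.com` are `drw-------`. A directory without the execute (search) bit cannot be entered even by its owner, so opening `mail.private` fails with "Permission denied" no matter how the file itself is set. The script below walks every directory on the path to a key and reports the components a given user cannot search, choosing the owner, group or other permission triplet the way the kernel does. The user name `opendkim` and the key path are the ones from the question and serve only as defaults; the `ug+X` fix is a more precise version of Solution 1's `ug+x` (capital X adds the bit to directories only, so the private keys do not become executable). It assumes the `ls -ld` and `id -Gn` output formats found on Ubuntu and that the user exists on the host.

```shell
#!/bin/sh
# Added example for this page; it is not code from the original post or from
# the OpenDKIM project. The user name "opendkim" and the key path below are the
# ones from the question, used only as defaults.
#
# Every directory leading to a key file needs the execute (search) bit for the
# user OpenDKIM runs as; without it open() fails with EACCES even when the key
# itself is 0600 and owned by opendkim. That is what the question's namei -l
# output shows: "drw-------" on keys/ and zaehlas.com/ (rw, but no x).
#
#   check_traverse PATH [USER]  lists every directory on PATH that USER cannot
#                               search (default USER: opendkim); returns 1 if any
#                               were found, 0 if the whole path is traversable,
#                               2 if USER does not exist
#   fix_traverse DIR            the precise form of Solution 1: capital X adds
#                               the search bit to directories only, so private
#                               keys themselves do not become executable

check_traverse() {
    path=$1
    user=${2:-opendkim}
    groups=$(id -Gn "$user" 2>/dev/null) || { echo "no such user: $user"; return 2; }
    rc=0
    dir=$(dirname "$path")
    case $dir in
        /*) ;;
        *)  dir=$(pwd)/$dir ;;        # make a relative path absolute
    esac
    while :; do
        if ! entry=$(ls -ld "$dir" 2>/dev/null); then
            # stat needs search permission on the parents for the *caller*,
            # so run this as root, as the question did with namei -l
            echo "cannot stat $dir (a parent is not searchable by $(id -un)?)"
            rc=1
        else
            set -- $entry             # fields: mode links owner group ...
            mode=$1; owner=$3; group=$4
            # pick the permission triplet that applies to USER, as the kernel does
            if [ "$owner" = "$user" ]; then
                col=4; label=owner
            else
                case " $groups " in
                    *" $group "*) col=7;  label=group ;;
                    *)            col=10; label=other ;;
                esac
            fi
            bit=$(printf '%s' "$mode" | cut -c"$col")
            case $bit in
                x|s|t) ;;             # lowercase s/t: setgid/sticky with x set
                *) echo "no traverse bit for $user ($label): $mode $dir"; rc=1 ;;
            esac
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

fix_traverse() {
    chmod -R ug+X "$1"
}

# With arguments, run the check against a real installation, e.g.
#   sh check_traverse.sh /etc/opendkim/keys/zaehlas.com/mail.private opendkim
if [ $# -gt 0 ]; then
    check_traverse "$1" "${2:-opendkim}"
fi
```

Run it as root, since inspecting a directory below a non-searchable one requires search permission for the caller as well; once `check_traverse` prints nothing for the key path as user `opendkim`, restart opendkim and retry the send. Keep the key files themselves at `-rw-------`: they need to be readable by opendkim, not executable, and `ug+X` leaves them that way.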

Solution 2:[2]

I backed up my configuration files. apt-get purged opendkim, reinstalled opendkim, restored my exact configuration files, and it worked.

I have no idea why.

PFM

Solution 3:[3]

A bit late, but the problem could be the owner of the file with the key; it should be opendkim. Check the owner of the files with this command:

ls -la /etc/opendkim/keys/{domain-name}/

output should be something like this:

-rw------- 1 opendkim opendkim 1679 30. bře 21.17 default.private

you can change owner with command:

chown opendkim:opendkim /etc/opendkim/keys/{domain-name}/default.private

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 tgodan
Solution 2 Zaehlas
Solution 3