OpenDKIM errors

Question

When sending mail, Outlook errors 4.7.1 Service unavailable - try again later. I have installed postfix, dovecot and openDKIM, but OpenDKIM is giving me errors:

Mar 30 10:19:32 x opendkim[16762]: can't load key from /etc/ssl/private/mail.x.nl.key: Permission denied
Mar 30 10:19:32 x opendkim[16762]: A058440C14: error loading key '_domainkey.x.nl'
Mar 30 10:20:27 x opendkim[16762]: can't load key from /etc/ssl/private/mail.x.nl.key: Permission denied
Mar 30 10:20:27 x opendkim[16762]: 6A4FF40C14: error loading key '_domainkey.x.nl'
Mar 30 11:45:42 x opendkim[16762]: can't load key from /etc/ssl/private/mail.x.nl.key: Permission denied
Mar 30 11:45:42 x opendkim[16762]: 0EDB640845: error loading key '_domainkey.x.nl'
Mar 30 11:47:48 x postfix/postfix-script[1373]: error: unknown command: 'restart'
Mar 30 11:47:48 x postfix/postfix-script[1374]: fatal: usage: postfix start (or stop, reload, abort, flush, check, status, set-permissions, upgrade-configuration)
Mar 30 11:51:41 x opendkim[1888]: can't load key from /etc/ssl/private/mail.x.nl.key: Permission denied
Mar 30 11:51:41 x opendkim[1888]: BF89E40845: error loading key '_domainkey.x.key

** Output from namei -l ** 
f: /etc/ssl/private/mail.x.nl.key
drwxr-xr-x root      root     /
drwxr-xr-x root      root     etc
drwxr-xr-x root      root     ssl
drwx--x--- root      ssl-cert private
-rw-r--r-- opendkim  opendkim mail.x.nl.key

I have tried setting the .key files to 0755 with owner opendkim:opendkim. Can I solve this?

Answer 1

Your permissions are too restrictive.
The opendkim user/group does not have access to the /etc/ssl/private folder.
Depending on your setup it should be owned by the opendkim group, and the group should also have read/execute permissions on the folder.

Also the permissions on your key file are too open.
It should have 0600 permission, in no case should it be world readable.

Answer 2

In my case helped this

chown -R opendkim:opendkim /etc/opendkim
chmod 0750 /etc/opendkim/keys
chmod 0600 /etc/opendkim/keys/default.private