RE: key data is not secure

From: Steve Jenkins <>
Date: Mon, 10 Jan 2011 20:46:36 -0800

Hi, Chris!

One thing I notice right away is that there are at least a couple of steps other than file locations that don't match the steps in my tutorial.

1) The owner and group of the keyfiles should be opendkim-milt.opendkim-milt, and you have "opendkim.opendkim". Make sure the user and group names are consistent across the entire install.

2) I also notice from your ls that your default keyfile is world and group readable. The tutorial states that it should have only user rw permissions (chmod 600).

I can't guarantee those will fix it, but try those two modifications and let us know if you get different results.

Best regards,


-----Original Message-----
From: [] On Behalf Of Chris
Sent: Monday, January 10, 2011 7:24 PM
Subject: key data is not secure

Hi, I'm trying to set up OpenDKIM on my mail server with Postfix and
I'm getting a "key data is not secure" error in my maillog. I followed
Steve Jenkins' guide:
The server setup he's using is identical to what I'm running (CentOS
5.5 + Postfix). I used OpenDKIM 2.2.2, compiled from source. I changed
the locations of certain files from the ones used in his guide, but
other than that, I followed it closely.

Here's what I'm seeing in my maillog when I attempt to send mail that
should get signed:

Jan 10 19:27:47 etriplinux opendkim[27024]: key data is not secure
Jan 10 19:27:47 etriplinux opendkim[27024]: (unknown-jobid): error
loading key `'
Jan 10 19:27:47 etriplinux postfix/cleanup[28371]: 6373C251D14:
milter-reject: END-OF-MESSAGE from[]: 4.7.1 Service unavailable -
try again later; from=<> to=<>
proto=ESMTP helo=<[]>

The last two lines are likely a result of the first, so that's where
I'm focusing my attention. I checked the permissions on that private
key file in /etc/dkim/keys/, and here's the output from
ls -l:
-rw-r--r-- 1 opendkim opendkim 887 Jan 10 14:30 default

Looks fine to me, but I don't know what I'd be looking for, other than
making sure the opendkim user owns it.

Here's the contents of my /etc/dkim/keyTable file:

And here's the contents of my signTable file:

Anyone have any ideas why it's not working?

Received on Tue Jan 11 2011 - 04:47:01 PST
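
The two checks suggested in the reply above (consistent owner and group, and no group or world access on the private key), written as an added shell example that is not part of the original thread. The function name check_dkim_key and the path in the usage comment are hypothetical, and GNU stat (as shipped on CentOS) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a DKIM private key file for the
# two problems named in the reply: wrong owner/group, and group/world access.
# Assumes GNU stat. check_dkim_key is a hypothetical helper name.
#
# usage: check_dkim_key KEYFILE EXPECTED_USER [EXPECTED_GROUP]
#   e.g. check_dkim_key /path/to/keys/default opendkim-milt opendkim-milt
# returns 0 if the file passes, 1 if any check fails, 2 if it is not a file.
check_dkim_key() {
    key=$1
    want_user=$2
    want_group=${3:-}
    rc=0

    if [ ! -f "$key" ]; then
        echo "FAIL $key: not a regular file"
        return 2
    fi

    # %a = octal mode, %U = owner name, %G = group name
    mode=$(stat -c '%a' "$key")
    owner=$(stat -c '%U' "$key")
    group=$(stat -c '%G' "$key")

    # Any bit in the group/other triplets (mask 077) gives someone other than
    # the owner access to the key: -rw-r--r-- (644) fails here, 600 passes.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $key: mode $mode grants group/other access (want 600)"
        rc=1
    fi

    # The owner must be the account the signing daemon runs as.
    if [ "$owner" != "$want_user" ]; then
        echo "FAIL $key: owner is $owner, expected $want_user"
        rc=1
    fi

    # The group is only compared when the caller supplies one.
    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "FAIL $key: group is $group, expected $want_group"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK   $key: $mode $owner:$group"
    return "$rc"
}
```

Run it as root against each key file referenced by the key table, passing the user and group the daemon is configured to run as.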

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:15 PST