Debian: dkimproxy.out signing error: cannot read /var/lib/dkimproxy/private.key: Permission denied

This is the error I saw when I realised that my messages were not being signed – the DKIM headers were missing entirely.

dkimproxy.out: signing error: Error: cannot read /var/lib/dkimproxy/private.key: Permission denied

The Debian package installer makes this file readable by the ssl-cert group, and the dkimproxy user is correctly added to that group. However, the dkimproxy.out process runs as user:group dkimproxy:dkimproxy, and the Perl process does not seem to be running with the user's secondary (supplementary) groups in its group list, so the ssl-cert membership has no effect (see ‘man 3 initgroups’).

There are two simple fixes. The first option is to change the group under which dkimproxy.out runs by editing /etc/default/dkimproxy to include the line:

DKIMPROXYGROUP=ssl-cert

The second is to simply change the group ownership of the private key file:

sudo chgrp dkimproxy /var/lib/dkimproxy/private.key

This second option is my favoured solution, because the proxy process gets no broader access to other files belonging to the ssl-cert group.
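The group check behind this error and both fixes, as an added example that is not part of the original post: it reads a process's ids in the layout of /proc/<pid>/status and applies the owner/group/other read test. The numeric ids, the root:ssl-cert mode 640 key and the function names are constructed assumptions; ACLs and capabilities are ignored.

```bash
# Added example. Constructed ids: uid 110 / gid 115 = dkimproxy,
# gid 112 = ssl-cert; the key is assumed to be root:ssl-cert with mode 640.

# make_status UID GID "SUPPLEMENTARY GIDS": the three /proc/<pid>/status lines
# that matter, in the kernel's layout (real, effective, saved, filesystem id).
make_status() {
    printf 'Uid:\t%s\t%s\t%s\t%s\n' "$1" "$1" "$1" "$1"
    printf 'Gid:\t%s\t%s\t%s\t%s\n' "$2" "$2" "$2" "$2"
    printf 'Groups:\t%s\n' "$3"
}

# read_access STATUS_FILE FILE_UID FILE_GID FILE_MODE
# Prints the class that decides the read (owner, group, other) or "denied".
read_access() {
    local status fuid fgid bits puid pgid supp g
    status=$1; fuid=$2; fgid=$3
    bits=$((0$4))                       # leading 0: treat the mode as octal
    # Field 5 is the filesystem id, the one used for file permission checks.
    puid=$(awk '$1 == "Uid:" { print $5 }' "$status")
    pgid=$(awk '$1 == "Gid:" { print $5 }' "$status")
    supp=$(awk '$1 == "Groups:" { $1 = ""; print }' "$status")
    if [ "$puid" -eq "$fuid" ]; then    # owner class is checked first
        [ $((bits & 0400)) -ne 0 ] && { echo owner; return 0; }
        echo denied; return 1
    fi
    for g in $pgid $supp; do            # then primary + supplementary groups
        if [ "$g" -eq "$fgid" ]; then
            [ $((bits & 0040)) -ne 0 ] && { echo group; return 0; }
            echo denied; return 1
        fi
    done
    [ $((bits & 0004)) -ne 0 ] && { echo other; return 0; }
    echo denied; return 1
}

# scenario PROCESS_GID "SUPP GIDS" KEY_GID: one case against a root-owned 640 key.
scenario() {
    local f r
    f=$(mktemp); make_status 110 "$1" "$2" > "$f"
    r=$(read_access "$f" 0 "$3" 640) || :
    rm -f "$f"; echo "$r"
}

scenario 115 ""    112   # as found: no supplementary groups   -> denied
scenario 115 "112" 112   # if the group list included ssl-cert -> group
scenario 112 ""    112   # fix 1: DKIMPROXYGROUP=ssl-cert      -> group
scenario 115 ""    115   # fix 2: chgrp dkimproxy private.key  -> group
```

On a live host the same three lines can be read from /proc/<pid>/status for the running dkimproxy.out process; an empty Groups line there confirms that membership of ssl-cert in /etc/group is not reaching the process.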

Re-send a message to test.

dkimproxy.out: DKIM signing - signed; message-id=<ca5e2aebc79d28a67 ...

Success! To check that the DKIM signature actually verifies, SparkPost have a really nice tool that provides an address to send to, and reports back any DKIM header problems with the emails you send there.
