Creation of DKIM private key fails


Now 5 days into working with my first cloud server, running Symbiosis/Stretch to finally replace my ‘legacy’ VM.

The Symbiosis docs give the command to create a DKIM private key as:
openssl genrsa -out /srv/ 2048 -outform PEM

This doesn’t work - probably due to changes in openssl. The genrsa option is apparently deprecated, and, whilst it’s still present, appears not to allow the ‘-outform PEM’ option.

A hopefuly equivalent command which does work is:
openssl genpkey -out /srv/ -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM

And then, as in thread DKIM permission denied, exim (running as Debian-exim:Debian-exim) can’t read the key. I fixed this by changing the file permissions, and group, to:
admin:Debian-exim rw-r-----
but not claiming that’s necessarily the best way.


Just faced the same issue and after communicating with Bytemark Support they provided the following response which I have tested and found that it works as expected;

It looks like openssl now does complain about the -outform PEM flag, but running the command without this flag will generate the key as expected (I’ve also updated the docs accordingly for that).

Setting the file’s permissions to 640 and it’s owner:group to admin:Debian-exim as mentioned on the forum are spot on (otherwise Exim will essentially ignore it). Following that and another pass of symbiosis-dns-generate -v, outgoing emails should then use DKIM correctly.