I am still not using sympl-filesystem-security because it changes the ownership of config/dkim.key to sympl:sympl and then exim4 cannot read it. I’ve lost track of what the permissions are supposed to be, so it could be a problem somewhere else - other than the security script I mean.
I’ve been setting the ownership of this file to Debian-exim4:sympl - which appears to work.
Your last change sorted the problems with the stats-htaccess file and I was just seeing if I can revert to what is supposed to be the standard installation.
Exim should still be able to read it like that, as it’s added to the sympl group (and works fine for all the live and test setups I have), but give it a go and let me know if you’re still having issues.
Is it the case that on your reference systems it’s the ‘other way’ round?
This is maybe where the problem lies.
But although the sympl group on my system does contain Debian-exim, the reverse is not true. I have
Debian-exim:x:114:clamav
So exim cannot get into the sympl group - because it’s not been told to do so. The transport says get the gid from the ownership of /srv/DOMAIN/config - but Exim needs to set up groups at the start of play.
I think
I’ve had a good look into this, and the docs about setting up DKIM weren’t that clear.
By default, when you create the key, it’s set with 600 permissions, which Exim wouldn’t be able to read (as it’ll be owned by whatever user created it, and that won’t be Debian-exim). However, the docs now clearly mention that it should be set with 660 permissions, and sympl-filesystem-security will reset it to 660 and sympl:sympl, which exim can then read, as it’s using the gid of the sympl group, and id Debian-exim should return a line like uid=107(Debian-exim) gid=114(Debian-exim) groups=114(Debian-exim),113(ssl-cert),1000(sympl) (gid for sympl may vary, obvs).
I’ve done a fair bit of testing and trying to break it, and seems like it’s working okay.
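The check described above, as an added example that is not part of the thread or of Sympl's own scripts: it decides whether a user can read the key through group access, given the file's group, its octal mode and the contents of the group database. The function names and the sample group lines are constructed for illustration, and only supplementary membership (the fourth field of a group line) is considered.

```shell
#!/bin/sh
# Added example: can USER read a key file through its group permissions?
# Inputs are plain strings so the logic runs on constructed samples.

# user_in_group USER GROUP GROUP_DB
# True if USER appears in the member list (4th field) of GROUP's line.
# A line "Debian-exim:x:114:clamav" lists the members OF Debian-exim;
# it does not list the groups Debian-exim belongs to.
user_in_group() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# group_can_read MODE
# True if the octal MODE (e.g. 660) has the group-read bit set.
group_can_read() {
    [ $(( (0$1 >> 3) & 4 )) -ne 0 ]
}

# key_readable_by USER FILE_GROUP MODE GROUP_DB
# True only if the mode grants group read AND USER is in FILE_GROUP.
key_readable_by() {
    group_can_read "$3" && user_in_group "$1" "$2" "$4"
}

# Constructed sample group database (gid values are illustrative).
SAMPLE_GROUP_DB='Debian-exim:x:114:clamav
sympl:x:1000:Debian-exim'

# Demo on the constructed sample: 660 sympl:sympl versus the default 600.
for mode in 660 600; do
    if key_readable_by Debian-exim sympl "$mode" "$SAMPLE_GROUP_DB"; then
        echo "mode $mode: Debian-exim can read the key via group sympl"
    else
        echo "mode $mode: Debian-exim cannot read the key via group sympl"
    fi
done

# On a live system (GNU stat assumed), the same check would be:
#   f=/srv/DOMAIN/config/dkim.key
#   key_readable_by Debian-exim "$(stat -c %G "$f")" "$(stat -c %a "$f")" "$(getent group)"
```

A running Exim only picks up a newly added group after it is restarted, so a pass here should be followed by a restart before retesting.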
Thanks for checking - I finally had some time today to test it thoroughly and discovered that the error message I saw some days back has now gone. Thanks for your energy anyway - sometimes these permission things are hard to establish.
Tvm for the link Fogma. I’ve successfully used the dkim email test to resolve the correct dkim format with 123 - Reg and I finally have a green light across all tests (dkim, spf, dmarc) - a trial and error process but simple now I have the right format. Sympl really is a great piece of work - thanks to Paul!