unable to open private key file for reading for hostname in paniclog

Richard G

My log files have several of these lines.

Code:
unable to open private key file for reading: /etc/virtual/server18.mycompany.com/

If I'm not mistaken, these are created when you start using DKIM. However, they should not be created for the hostname of the server, because otherwise you will get these error notices.

Please correct me if I'm wrong. But I'm not seeing this on a server where I don't have any DKIM enabled.

But if I'm correct, shouldn't this be fixed in the helpfile? And maybe also in the script?

Or is this needed and should it be fixed some other way?
 
Just investigated some further and there is no DNS entry for the hostname.
However this directory server18.mycompany.com is present in /etc/virtual which is needed. If it's not there Exim won't function properly sending out some files.

But why is Exim looking for a private key file there?
 
Hello Richard,

Checked the two servers of mine and I have folders /etc/virtual/`hostname` in conjunction with DKIM. If you have the file /etc/exim.dkim.conf with the following lines:

Code:
#1.0
  dkim_domain = $sender_address_domain
  dkim_selector = x
  dkim_private_key = ${if exists{/etc/virtual/$sender_address_domain/dkim.private.key}{/etc/virtual/$sender_address_domain/dkim.private.key}{0}}
  dkim_canon = relaxed
  dkim_strict = 0


included into your main Exim configuration, then the existence of a private key will be checked for every outgoing email.

Please note I've temporarily renamed /etc/virtual/`hostname` to /etc/virtual/`hostname`~off and sent an email as root; no error of the kind was logged either in /var/log/exim/mainlog or in /var/log/exim/paniclog.

So I'm not even sure that the error which you posted in your first message here is related to DKIM. To be sure you could create DKIM keys for your hostname and see whether or not it disappears.
 
Hello Alex.
I've got a newer version, it's 1.2, and the content of dkim_domain looks different: it contains the primary hostname too, and I don't know why this was added in later versions.
Code:
#1.2
  dkim_domain = ${if eq{$sender_address_domain}{}{$primary_hostname}{$sender_address_domain}}
  dkim_selector = x
  dkim_private_key = ${if exists{/etc/virtual/$sender_address_domain/dkim.private.key} \
                        {/etc/virtual/$sender_address_domain/dkim.private.key} \
                        {${if eq{$sender_address_domain}{} \
                                {/etc/virtual/$primary_hostname/dkim.private.key} \
                                {0} \
                        }} \
                     }
  dkim_canon = relaxed
  dkim_strict = 0

I did now create dkim keys for the server hostname, but have to wait to see if this fixes things.
I just wonder now why the first line is changed in version 1.2 and the $primary_hostname is put in there.
 
The line can be read as the following:

If sender's domain is empty, then a key for hostname should be used, this is expected and good. So I don't see any issue in it.
 
The issue is that the key wasn't generated when installing DKIM the way the help section teaches it.
All domains got a DKIM key, except for the hostname. ;)
So this is going to generate these error messages everywhere if not manually added then.

I'm not exactly sure what you mean by "if a sender's domain is empty". Probably it's caused by system messages or something?
 
Richard,

I'm about this line:

Code:
  dkim_domain = ${if eq{$sender_address_domain}{}{$primary_hostname}{$sender_address_domain}}

The line can be read as the following:

If sender's domain is empty, then a key for hostname should be used, this is expected and good. So I don't see any issue in it.

And I was reacting to your phrase

I just wonder now why the first line is changed in version 1.2 and the $primary_hostname is put in there.

... and still could not replicate the issue on my end.
 
Maybe it's caused by sending mail from a domain which has an external mailserver, but system messages are still sent locally.
I found this at the time that the notice occurred.

Code:
2017-07-10 23:34:35 1dUgKA-0005Z0-MX ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=prefilter-1.unit4online.com [82.199.69.59]: SMTP error from remote mail server after end of data: 554 rejected due to spam URL in content
2017-07-10 23:34:35 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1dUgKA-0005Z0-MX
2017-07-10 23:34:35 1dUgKB-0005Z6-Am <= <> R=1dUgKA-0005Z0-MX U=mail P=local S=2701 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2017-07-10 23:34:35 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1dUgKB-0005Z6-Am
2017-07-10 23:34:35 1dUgKA-0005Z0-MX Completed
2017-07-10 23:34:35 1dUgKB-0005Z6-Am unable to open private key file for reading: /etc/virtual/server18.mycompany.nl/dkim.private.key
2017-07-10 23:34:36 1dUgKB-0005Z6-Am => [email protected] F=<> R=lookuphost T=remote_smtp S=2777 H=prefilter-1.externalmailserver.com [82.199.69.59] C="250 Ok: queued as D9A0AE40A2"
2017-07-10 23:34:36 1dUgKB-0005Z6-Am Completed

On the other server I discovered this one, which makes no sense at all to me. Must be some online contact form I guess:
Code:
2017-07-10 19:01:25 1dUc3l-0005Pa-8a [157.7.170.195] SSL verify error: depth=0 error=self signed certificate cert=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]
2017-07-10 19:01:25 1dUc3l-0005Pa-8a [157.7.170.195] SSL verify error: depth=0 error=certificate has expired cert=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]
2017-07-10 19:01:25 1dUc3l-0005Pa-8a [157.7.170.195] SSL verify error: certificate name mismatch: DN="/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]" H="onionnews.jp"
2017-07-10 19:01:26 1dUc3l-0005Pa-8a unable to open private key file for reading: /etc/virtual/hostname.otherserver.nl/dkim.private.key
2017-07-10 19:01:27 1dUc3l-0005Pa-8a => [email protected] F=<> R=lookuphost T=remote_smtp S=792 H=onionnews.jp [157.7.170.195] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 2.0.0 Ok: queued as B3F3299854"
2017-07-10 19:01:27 1dUc3l-0005Pa-8a Completed

And this one caused by an autoreply.
Code:
2017-07-10 14:01:22 1dUXNR-0000tU-MS <= <> R=1dUXNO-0000t3-Hy U=mail P=local S=740 T="Autoreply: \"vervoerder nodig\"" from <> for [email protected]
2017-07-10 14:01:22 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1dUXNR-0000tU-MS
2017-07-10 14:01:22 1dUXNO-0000t3-Hy => info <[email protected]> F=<[email protected]> R=userautoreply T=userautoreply S=4536
2017-07-10 14:01:22 1dUXNR-0000tU-MS unable to open private key file for reading: /etc/virtual/hostname.otherserver.nl/dkim.private.key
2017-07-10 14:01:22 1dUXNR-0000tU-MS => [email protected] F=<> R=lookuphost T=remote_smtp S=767 H=serwer1648952.home.pl [79.96.223.116] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.0.0 Message accepted."
2017-07-10 14:01:22 1dUXNR-0000tU-MS Completed

Maybe now you're able to reproduce it.
It happens on any server where I enable dkim (and don't manually create a dkim for the hostname).
 
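Added example, not code from this thread, from DirectAdmin or from Exim: a small POSIX shell script that mirrors the dkim_private_key selection of the #1.2 configuration quoted earlier, so the empty-sender-domain branch (bounces and autoreplies, the F=<> entries in the log excerpts) is visible as the path that is referenced without an "exists" check, and that audits a /etc/virtual-style tree plus mainlog/paniclog text for exactly the missing hostname key the thread ends up with. The virtual root is a temporary fixture built by make_fixture, and the host names and log lines in SAMPLE_LOG are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, DirectAdmin or Exim).
# 1. dkim_key_for reproduces the decision order of the #1.2 dkim_private_key
#    expansion; 2. audit_virtual and missing_key_paths find the missing
#    hostname key, before or after Exim has complained about it.

# dkim_key_for SENDER_DOMAIN PRIMARY_HOSTNAME VIRTUAL_ROOT
# Prints the path Exim would hand to dkim_private_key, or "0" (no signing),
# following the same branches as the quoted ${if exists{...}} expansion.
dkim_key_for() {
    domain=$1; primary=$2; root=$3
    if [ -e "$root/$domain/dkim.private.key" ]; then
        printf '%s\n' "$root/$domain/dkim.private.key"
    elif [ -z "$domain" ]; then
        # No existence check in this branch: with an empty sender domain
        # (bounces, autoreplies) Exim tries the hostname key unconditionally,
        # which is what logs "unable to open private key file for reading".
        printf '%s\n' "$root/$primary/dkim.private.key"
    else
        printf '0\n'
    fi
}

# audit_virtual VIRTUAL_ROOT PRIMARY_HOSTNAME
# Lists every domain directory that lacks dkim.private.key, plus the primary
# hostname when its key is missing, one name per line, deduplicated.
audit_virtual() {
    root=$1; primary=$2
    {
        for dir in "$root"/*/; do
            [ -d "$dir" ] || continue
            name=${dir%/}; name=${name##*/}
            [ -e "$dir/dkim.private.key" ] || printf '%s\n' "$name"
        done
        [ -e "$root/$primary/dkim.private.key" ] || printf '%s\n' "$primary"
    } | sort -u
}

# missing_key_paths < LOGTEXT
# Prints the distinct key paths from "unable to open private key file" lines,
# suitable for mainlog or paniclog input.
missing_key_paths() {
    sed -n 's/.*unable to open private key file for reading: //p' | sort -u
}

# make_fixture: constructed stand-in for /etc/virtual in a temp dir; prints it.
# example.test has a key, bare.test has a directory but no key, and the
# primary hostname host.example.test has no directory at all.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/example.test" "$root/bare.test"
    : > "$root/example.test/dkim.private.key"
    printf '%s\n' "$root"
}

# Constructed log lines in the shape of the thread's excerpts (hosts invented).
SAMPLE_LOG='2017-07-10 23:34:35 1dUgKB-0005Z6-Am unable to open private key file for reading: /etc/virtual/host.example.test/dkim.private.key
2017-07-10 23:34:36 1dUgKB-0005Z6-Am => user@example.test F=<> R=lookuphost T=remote_smtp
2017-07-10 19:01:26 1dUc3l-0005Pa-8a unable to open private key file for reading: /etc/virtual/host.example.test/dkim.private.key
2017-07-10 19:01:27 1dUc3l-0005Pa-8a Completed'

# Stand-alone run: show all three views against the fixture, then clean up.
ROOT=$(make_fixture)
echo "bounce (empty sender domain) would use: $(dkim_key_for '' host.example.test "$ROOT")"
echo "directories/hostname missing a key:"; audit_virtual "$ROOT" host.example.test
echo "paths Exim complained about:"; printf '%s\n' "$SAMPLE_LOG" | missing_key_paths
rm -rf "$ROOT"
```

On a real server you would call `audit_virtual /etc/virtual "$(hostname -f)"` and feed `/var/log/exim/paniclog` to `missing_key_paths`; any name the audit prints is a candidate for the manual key creation described in the thread, and once the key is in place the paniclog still needs to be cleared so the old entry stops triggering alerts.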
Hello Fred.

Yes it seems the solution posted in #6 indeed fixed things for me:
The issue is that the key wasn't generated when installing DKIM the way the help section teaches it.
All domains got a DKIM key, except for the hostname.
So this is going to generate these error messages everywhere if not manually added then.
So I manually created the dkim key for the hostname and after that I did not have any issues anymore.
 
Hi Richard, thanks.
I did the same, but got the error anyway. But taking a closer look it was not a new alert. Logical, as the paniclog was not empty, it keeps sending an alert. So I removed the warning from paniclog and now I think the problem is solved.

Thank you for taking the time for this issue.
Kind regards, Fred
 
Ah yes, I also sometimes overlook old date notices. ;)
No problem, nice your problem is solved now, glad to be of help!

Have a happy 2018!
 