unable to open private key file for reading for hostname in paniclog

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
My log files have several of these lines.

Code:
unable to open private key file for reading: /etc/virtual/server18.mycompany.com/
If I'm not mistaken, these are created when you start using DKIM. However, they should not be created for the hostname of the server, because otherwise you will get these error notices.

Please correct me if I'm wrong. But I'm not seeing this on a server where I don't have any DKIM enabled.

But if I'm correct, shouldn't this be fixed in the helpfile? And maybe also in the script?

Or is this needed and should it be fixed some other way?
 

Richard G

Just investigated some further and there is no DNS entry for the hostname.
However, this directory server18.mycompany.com is present in /etc/virtual, which is needed. If it's not there, Exim won't function properly when sending out some files.

But why is Exim looking for a private key file there?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
Hello Richard,

I checked two servers of mine and I have folders /etc/virtual/`hostname` in conjunction with DKIM. If you have the file /etc/exim.dkim.conf with the following lines:

Code:
#1.0
  dkim_domain = $sender_address_domain
  dkim_selector = x
  dkim_private_key = ${if exists{/etc/virtual/$sender_address_domain/dkim.private.key}{/etc/virtual/$sender_address_domain/dkim.private.key}{0}}
  dkim_canon = relaxed
  dkim_strict = 0

included into your main Exim configuration, then the existence of a private key will be checked for every outgoing email.

Please note I've temporarily renamed /etc/virtual/`hostname` to /etc/virtual/`hostname`~off and sent an email as root; no error of the kind was logged either in /var/log/exim/mainlog or in /var/log/exim/paniclog.

So I'm not even sure that the error which you posted in your first message here is related to DKIM. To be sure, you could create DKIM keys for your hostname and see whether or not it disappears.
 

Richard G

Hello Alex.
I've got a newer version, it's 1.2; the content of dkim_domain looks different, it contains the primary hostname too, and I don't know why this was added in later versions.
Code:
#1.2
  dkim_domain = ${if eq{$sender_address_domain}{}{$primary_hostname}{$sender_address_domain}}
  dkim_selector = x
  dkim_private_key = ${if exists{/etc/virtual/$sender_address_domain/dkim.private.key} \
                        {/etc/virtual/$sender_address_domain/dkim.private.key} \
                        {${if eq{$sender_address_domain}{} \
                                {/etc/virtual/$primary_hostname/dkim.private.key} \
                                {0} \
                        }} \
                     }
  dkim_canon = relaxed
  dkim_strict = 0
I did now create dkim keys for the server hostname, but have to wait to see if this fixes things.
I just wonder now why the first line is changed in version 1.2 and the $primary_hostname is put in there.
 

zEitEr

The line can be read as the following:

If the sender's domain is empty, then the key for the hostname should be used; this is expected and good. So I don't see any issue in it.
 

Richard G

The issue is that the key wasn't generated when installing DKIM the way the help section teaches it.
All domains got a DKIM key, except for the hostname. ;)
So this is going to generate these error messages everywhere if the key is not manually added.

I'm not exactly sure what you mean by "if a sender's domain is empty". Probably it's caused by system messages or something?
 

zEitEr

Richard,

I'm about this line:

Code:
  dkim_domain = ${if eq{$sender_address_domain}{}{$primary_hostname}{$sender_address_domain}}
The line can be read as the following:

If the sender's domain is empty, then the key for the hostname should be used; this is expected and good. So I don't see any issue in it.

And I was reacting to your phrase

I just wonder now why the first line is changed in version 1.2 and the $primary_hostname is put in there.
... and still could not replicate the issue on my end.
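The v1.2 snippet quoted above is easier to reason about once the nested ${if ...} expansion is written out step by step. The following Python model is an added example (not DirectAdmin's or Exim's own code) that mirrors that expansion for both the v1.0 and v1.2 snippets, so the empty-sender case (bounces and autoreplies, which Exim delivers with an envelope sender of <>) can be inspected without sending mail. The hostname, domain names and the fake filesystem are constructed placeholders.

```python
"""Model of the dkim_domain / dkim_private_key expansion from the v1.0 and v1.2
exim.dkim.conf snippets quoted in this thread. Added example, not DirectAdmin's
or Exim's own code. Domain names and the fake filesystem are constructed."""
import os
from typing import Callable, Tuple

VIRTUAL_ROOT = "/etc/virtual"  # key location used by the quoted config


def key_path(domain: str) -> str:
    """Path the quoted config builds for a domain's DKIM private key."""
    return f"{VIRTUAL_ROOT}/{domain}/dkim.private.key"


def resolve_dkim_v10(sender_address_domain: str,
                     key_exists: Callable[[str], bool] = os.path.isfile) -> Tuple[str, str]:
    """v1.0 snippet: dkim_domain is $sender_address_domain and the key path is
    only returned if ${if exists{...}} succeeds, otherwise "0" (Exim treats a
    private key of "0" as 'do not sign')."""
    candidate = key_path(sender_address_domain)
    return sender_address_domain, (candidate if key_exists(candidate) else "0")


def resolve_dkim_v12(sender_address_domain: str, primary_hostname: str,
                     key_exists: Callable[[str], bool] = os.path.isfile) -> Tuple[str, str]:
    """v1.2 snippet: an empty sender domain falls back to $primary_hostname."""
    # dkim_domain = ${if eq{$sender_address_domain}{}{$primary_hostname}{$sender_address_domain}}
    dkim_domain = primary_hostname if sender_address_domain == "" else sender_address_domain
    # First branch: the sender-domain key, guarded by ${if exists{...}}
    candidate = key_path(sender_address_domain)
    if key_exists(candidate):
        dkim_private_key = candidate
    elif sender_address_domain == "":
        # Empty envelope sender (bounces, autoreplies): the inner ${if eq ...}
        # returns the hostname key path with NO exists check, so Exim tries to
        # open it and logs "unable to open private key file" when it is absent.
        dkim_private_key = key_path(primary_hostname)
    else:
        dkim_private_key = "0"
    return dkim_domain, dkim_private_key


def will_log_missing_key(sender_address_domain: str, primary_hostname: str,
                         key_exists: Callable[[str], bool]) -> bool:
    """True when the v1.2 expansion hands Exim a key path that does not exist."""
    _, key = resolve_dkim_v12(sender_address_domain, primary_hostname, key_exists)
    return key != "0" and not key_exists(key)


# Constructed fake filesystem (stands in for ${if exists{...}}): every hosted
# domain has a key, the server hostname does not.
HOSTNAME = "server18.example"
KEYS_PRESENT = {key_path("customer.example")}
fake_exists = KEYS_PRESENT.__contains__
# The same server after creating the hostname key, as the thread recommends.
KEYS_FIXED = KEYS_PRESENT | {key_path(HOSTNAME)}
fixed_exists = KEYS_FIXED.__contains__

if __name__ == "__main__":
    for domain in ("customer.example", "other.example", ""):
        print(repr(domain),
              "v1.0:", resolve_dkim_v10(domain, fake_exists),
              "v1.2:", resolve_dkim_v12(domain, HOSTNAME, fake_exists),
              "logs error:", will_log_missing_key(domain, HOSTNAME, fake_exists))
```

Running it shows why only the v1.2 snippet produces the log line: with an empty sender domain, v1.0 yields a key of "0" (no signing, no error), while v1.2 returns the hostname key path unconditionally, so a server whose hosted domains all have keys but whose hostname directory has none fails exactly on bounces and autoreplies. Swapping in `fixed_exists` makes `will_log_missing_key` return False, which is the state the thread ends up recommending.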
 

Richard G

Maybe it's caused by sending mail from a domain which has an external mailserver, but system messages are still sent locally.
I found this at the time that the notice occurred.

Code:
2017-07-10 23:34:35 1dUgKA-0005Z0-MX ** info@customerdomain.com F=<accountname@customerdomain.com> R=lookuphost T=remote_smtp H=prefilter-1.unit4online.com [82.199.69.59]: SMTP error from remote mail server after end of data: 554 rejected due to spam URL in content
2017-07-10 23:34:35 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1dUgKA-0005Z0-MX
2017-07-10 23:34:35 1dUgKB-0005Z6-Am <= <> R=1dUgKA-0005Z0-MX U=mail P=local S=2701 T="Mail delivery failed: returning message to sender" from <> for accountname@customerdomain.com
2017-07-10 23:34:35 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1dUgKB-0005Z6-Am
2017-07-10 23:34:35 1dUgKA-0005Z0-MX Completed
2017-07-10 23:34:35 1dUgKB-0005Z6-Am unable to open private key file for reading: /etc/virtual/server18.mycompany.nl/dkim.private.key
2017-07-10 23:34:36 1dUgKB-0005Z6-Am => accountname@customerdomain.com F=<> R=lookuphost T=remote_smtp S=2777 H=prefilter-1.externalmailserver.com [82.199.69.59] C="250 Ok: queued as D9A0AE40A2"
2017-07-10 23:34:36 1dUgKB-0005Z6-Am Completed
On the other server I discovered this one, which makes no sense at all to me. Must be some online contact form I guess:
Code:
2017-07-10 19:01:25 1dUc3l-0005Pa-8a [157.7.170.195] SSL verify error: depth=0 error=self signed certificate cert=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info@parallels.com
2017-07-10 19:01:25 1dUc3l-0005Pa-8a [157.7.170.195] SSL verify error: depth=0 error=certificate has expired cert=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info@parallels.com
2017-07-10 19:01:25 1dUc3l-0005Pa-8a [157.7.170.195] SSL verify error: certificate name mismatch: DN="/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info@parallels.com" H="onionnews.jp"
2017-07-10 19:01:26 1dUc3l-0005Pa-8a unable to open private key file for reading: /etc/virtual/hostname.otherserver.nl/dkim.private.key
2017-07-10 19:01:27 1dUc3l-0005Pa-8a => root@onionnews.jp F=<> R=lookuphost T=remote_smtp S=792 H=onionnews.jp [157.7.170.195] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 2.0.0 Ok: queued as B3F3299854"
2017-07-10 19:01:27 1dUc3l-0005Pa-8a Completed
And this one caused by an autoreply.
Code:
2017-07-10 14:01:22 1dUXNR-0000tU-MS <= <> R=1dUXNO-0000t3-Hy U=mail P=local S=740 T="Autoreply: \"vervoerder nodig\"" from <> for m.lastname@sender.nl
2017-07-10 14:01:22 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1dUXNR-0000tU-MS
2017-07-10 14:01:22 1dUXNO-0000t3-Hy => info <info@customer.nl> F=<m.lastname@sender.nl> R=userautoreply T=userautoreply S=4536
2017-07-10 14:01:22 1dUXNR-0000tU-MS unable to open private key file for reading: /etc/virtual/hostname.otherserver.nl/dkim.private.key
2017-07-10 14:01:22 1dUXNR-0000tU-MS => m.lastname@sender.nl F=<> R=lookuphost T=remote_smtp S=767 H=serwer1648952.home.pl [79.96.223.116] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.0.0 Message accepted."
2017-07-10 14:01:22 1dUXNR-0000tU-MS Completed
Maybe now you're able to reproduce it.
It happens on any server where I enable dkim (and don't manually create a dkim for the hostname).
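The three log excerpts above share one pattern: the message that hits the error was accepted with an empty envelope sender ("<= <>", a bounce or an autoreply) and the missing key is always the hostname's. The following Python script is an added example (not DirectAdmin's or Exim's own tooling) that automates that triage over mainlog or paniclog lines: it pairs each "unable to open private key file" line with the message's arrival line, reports how many hits came from empty-sender mail, and lists the /etc/virtual directories that still need a dkim.private.key. The sample log lines are constructed to match the format shown in the thread; message IDs, hostnames and addresses are placeholders.

```python
"""Triage of Exim log lines for the 'unable to open private key file for
reading' error discussed in this thread. Added example, not DirectAdmin's or
Exim's own tooling. Sample lines are constructed; IDs and names are placeholders."""
import os
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Arrival line: "<timestamp> <msgid> <= <envelope-sender> ..."; bounces and
# autoreplies carry "<>" as the envelope sender.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) ")
# Error line; the timestamp/msgid prefix is optional so paniclog excerpts that
# start directly with "unable to open" are matched as well.
MISSING_KEY_RE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) )?"
    r"unable to open private key file for reading: (?P<path>\S+)$")


def triage_missing_dkim_keys(lines: Iterable[str]) -> Dict[str, dict]:
    """Map each missing key path to: number of hits, how many of those hits
    belonged to messages with an empty envelope sender, and the message IDs."""
    sender_by_id: Dict[str, str] = {}
    report: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "empty_sender": 0, "ids": []})
    for line in lines:
        line = line.rstrip("\n")
        arrival = ARRIVAL_RE.match(line)
        if arrival:
            sender_by_id[arrival["id"]] = arrival["sender"]
            continue
        missing = MISSING_KEY_RE.match(line)
        if missing:
            entry = report[missing["path"]]
            entry["count"] += 1
            if missing["id"] is not None:
                entry["ids"].append(missing["id"])
                if sender_by_id.get(missing["id"]) == "<>":
                    entry["empty_sender"] += 1
    return dict(report)


def missing_key_dirs(report: Dict[str, dict]) -> List[str]:
    """Directories under /etc/virtual that still need a dkim.private.key."""
    return sorted({os.path.dirname(path) for path in report})


# Constructed sample, modelled on the thread's mainlog excerpts.
SAMPLE_MAINLOG = [
    # Locally generated bounce (envelope sender <>) for a hosted domain
    '2017-07-10 23:34:35 1aaaaa-000001-AA <= <> R=1aaaaa-000000-ZZ U=mail P=local S=2701 T="Mail delivery failed" from <> for user@customer.example',
    '2017-07-10 23:34:35 1aaaaa-000001-AA unable to open private key file for reading: /etc/virtual/server18.example/dkim.private.key',
    '2017-07-10 23:34:36 1aaaaa-000001-AA => user@customer.example F=<> R=lookuphost T=remote_smtp S=2777 C="250 Ok"',
    # Autoreply, also with an empty envelope sender
    '2017-07-10 14:01:22 1bbbbb-000002-BB <= <> R=1bbbbb-000001-YY U=mail P=local S=740 T="Autoreply: test" from <> for someone@sender.example',
    '2017-07-10 14:01:22 1bbbbb-000002-BB unable to open private key file for reading: /etc/virtual/server18.example/dkim.private.key',
    # Ordinary authenticated submission from a hosted domain: signed, no error
    '2017-07-10 15:00:00 1ccccc-000003-CC <= alice@customer.example H=localhost [127.0.0.1] P=esmtpsa S=1200',
    '2017-07-10 15:00:01 1ccccc-000003-CC => bob@other.example F=<alice@customer.example> R=lookuphost T=remote_smtp S=1250 C="250 Ok"',
    # Bare paniclog-style line without the timestamp/ID prefix
    'unable to open private key file for reading: /etc/virtual/other.example/dkim.private.key',
]

if __name__ == "__main__":
    result = triage_missing_dkim_keys(SAMPLE_MAINLOG)
    for path, info in result.items():
        print(f"{path}: {info['count']} hit(s), {info['empty_sender']} from "
              f"empty-sender mail, ids={info['ids']}")
    print("create keys in:", missing_key_dirs(result))
```

On a real box, feed it with `triage_missing_dkim_keys(open("/var/log/exim/mainlog"))`; a report where every hit comes from empty-sender mail and the only missing directory is the hostname's is the signature described in this thread, and the fix is to create that one key rather than to touch the hosted domains.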
 

Richard G

Hello Fred.

Yes it seems the solution posted in #6 indeed fixed things for me:
The issue is that the key wasn't generated when installing DKIM the way the help section teaches it.
All domains got a DKIM key, except for the hostname.
So this is going to generate these error messages everywhere if the key is not manually added.
So I manually created the dkim key for the hostname and after that I did not have any issues anymore.
 

Awd

Verified User
Joined
Aug 9, 2015
Messages
316
Hi Richard, thanks.
I did the same, but got the error anyway. But taking a closer look it was not a new alert. Logical, as the paniclog was not empty, it keeps sending an alert. So I removed the warning from paniclog and now I think the problem is solved.

Thank you for taking the time for this issue.
Kind regards, Fred
 

Richard G

Ah yes, I also sometimes overlook old date notices. ;)
No problem, nice that your problem is solved now, glad to be of help!

Have a happy 2018!
 