Bug summary When aapanel's Mail Server module sets up DKIM signing for a domain, the generated private key under /www/server/dkim/<domain>/default.private if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } is created with: -rw-r----- 1 root root ... default.private if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } Rspamd (the milter that aapanel uses for DKIM signing on port 11332) runs as user _rspamd , which is not the owner and not in group root . As a result, Rspamd cannot open the key, and every outbound mail fails to be signed. In /var/log/rspamd/rspamd.log : dkim_module_load_key_format: cannot load dkim key /www/server/dkim/<domain>/default.private: cannot map key file: '...default.private' Permission denied if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } Mails go out without a DKIM-Signature: header. DNS-side everything looks fine (SPF / DMARC / DKIM TXT records all present), so the aapanel UI shows green checkmarks and the "Check" button reports no problem — but Google Postmaster Tools (and any DKIM verifier) reports dkim=none for the domain. Reproduction Mail Server → add domain → add DKIM record (UI shows OK). Verify DNS records resolve. Send a test mail (e.g. via php mail() or sendmail -pipe) from the local server to a Gmail account. Open the message in Gmail → "Show original" → Authentication-Results: dkim=none (no DKIM-Signature: header in the message). grep "cannot load dkim key" /var/log/rspamd/rspamd.log shows the permission-denied error for the affected domain's key. Workaround / fix chgrp _rspamd /www/server/dkim/*/default.private chmod 640 /www/server/dkim/*/default.private systemctl reload rspamd if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } After this, Rspamd signs and Gmail reports dkim=pass header.i=@<domain> . Two requests for the aapanel team Set correct permissions at key generation time. When the Mail Server module writes default.private , it should chgrp _rspamd and chmod 640 so the running rspamd user can read it. The current default ( root:root 640 ) only works if rspamd happens to run as root, which it does not on standard packages. The "Fix permissions" / "Check" actions in the Mail Server UI do not detect this. "Fix permissions" did not touch the DKIM key ownership in my case, and "Check" only verifies that the DNS TXT records exist — not that rspamd can actually read the key and that outbound mail will carry a DKIM-Signature: header. A real end-to-end check would either (a) read the key file as user _rspamd and report failure, or (b) send a probe message through the local pickup/milter chain and confirm the resulting signature in the queued mail. This failure is silent: aapanel UI green, DNS green, only Postmaster Tools and the rspamd log reveal it. Easy to miss for weeks. Environment aapanel 8.0.2 Rspamd milter on 127.0.0.1:11332 , configured per-domain in /etc/rspamd/local.d/dkim_signing.conf Postfix non_smtpd_milters = inet:127.0.0.1:11332 DKIM keys at /www/server/dkim/<domain>/default.private created by aapanel UI Affected on my machine: all 8 domains using the same key path pattern. Same root cause for each.

aaPanel_Kern Thanks for the reply! OS / version: Ubuntu 24.04.4 LTS, aaPanel 8.0.2. A few notes on your points: 1. „This directory and files should have permissions of 755" The directory was always 755 root:root - that wasn't the issue. The aaPanel file-browser displays „755 / root" for the entries, but on the actual filesystem the files showed: -rw-r----- root root default.private (mode 640) -rw-r--r-- root root default.pub (mode 644) if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } For the private key, mode 640 (or 600) is correct — setting it to 755 ( -rwxr-xr-x ) would make it world-readable, which would be a security regression. The mode wasn't the issue. 2. „Incomplete initialization" - possible context That's plausible: my setup has been migrated across several aaPanel versions over the years, and DKIM keys carry timestamps as old as Oct 4 2022 (probably aaPanel 6.x back then). Newer keys created via the current 8.0.2 mail module show the same ownership pattern, though, so the behavior seems consistent across versions on my side. All 8 of my mail domains were affected uniformly, with the same Rspamd log entry for each: dkim_module_load_key_format: cannot load dkim key /www/server/dkim/<domain>/default.private: cannot map key file: '...default.private' Permission denied if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } 3. The actual cause I found Rspamd (running as user _rspamd , configured as the milter on 127.0.0.1:11332 ) couldn't read the key file because: Owner / group of the key: root:root _rspamd is not a member of root Mode 640 on root:root means only root and root-group members can read So Rspamd silently produced unsigned outbound mail - DNS/SPF/DKIM-record checks were all green, but actual messages went out without a DKIM-Signature: header. Postmaster Tools complained accordingly. 4. Fix that worked chgrp _rspamd /www/server/dkim/*/default.private chmod 640 /www/server/dkim/*/default.private systemctl reload rspamd if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } Immediately after: Gmail auth-results changed from dkim=none to dkim=pass header.i=@<domain> . 5. Suggestion (for completeness - could already be fixed in newer setups) When the mail module generates DKIM keys, it would be safer to set the group right away, e.g.: install -o root -g _rspamd -m 640 default.private /www/server/dkim/<domain>/ if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } or chgrp _rspamd immediately after key generation. Then the user that needs to read the key actually can, without loosening the mode. If this is already the default in fresh 8.0.2 installs and only legacy setups like mine carry over the wrong group from older versions, a one-time „fix permissions" routine in the mail module would help users in the same boat. Thanks again for looking into it! PS: You might still remember - I once gave you SSH access to this host (it's a VPS) to fix an issue back then.

DKIM key permissions not readable by Rspamd

ta_ihpoj1jophi_at

Bug summary

When aapanel's Mail Server module sets up DKIM signing for a domain, the generated private key under

/www/server/dkim/<domain>/default.private

is created with:

-rw-r----- 1 root root  ...  default.private

Rspamd (the milter that aapanel uses for DKIM signing on port 11332) runs as user _rspamd, which is not the owner and not in group root. As a result, Rspamd cannot open the key, and every outbound mail fails to be signed.

In /var/log/rspamd/rspamd.log:

dkim_module_load_key_format: cannot load dkim key
/www/server/dkim/<domain>/default.private:
cannot map key file: '...default.private' Permission denied

Mails go out without a DKIM-Signature: header. DNS-side everything looks fine (SPF / DMARC / DKIM TXT records all present), so the aapanel UI shows green checkmarks and the "Check" button reports no problem — but Google Postmaster Tools (and any DKIM verifier) reports dkim=none for the domain.

Reproduction

Mail Server → add domain → add DKIM record (UI shows OK).
Verify DNS records resolve.
Send a test mail (e.g. via php mail() or sendmail-pipe) from the local server to a Gmail account.
Open the message in Gmail → "Show original" → Authentication-Results: dkim=none (no DKIM-Signature: header in the message).
grep "cannot load dkim key" /var/log/rspamd/rspamd.log shows the permission-denied error for the affected domain's key.

Workaround / fix

chgrp _rspamd /www/server/dkim/*/default.private
chmod 640    /www/server/dkim/*/default.private
systemctl reload rspamd

After this, Rspamd signs and Gmail reports dkim=pass header.i=@<domain>.

Two requests for the aapanel team

Set correct permissions at key generation time. When the Mail Server module writes default.private, it should chgrp _rspamd and chmod 640 so the running rspamd user can read it. The current default (root:root 640) only works if rspamd happens to run as root, which it does not on standard packages.
The "Fix permissions" / "Check" actions in the Mail Server UI do not detect this. "Fix permissions" did not touch the DKIM key ownership in my case, and "Check" only verifies that the DNS TXT records exist — not that rspamd can actually read the key and that outbound mail will carry a DKIM-Signature: header. A real end-to-end check would either (a) read the key file as user _rspamd and report failure, or (b) send a probe message through the local pickup/milter chain and confirm the resulting signature in the queued mail.

This failure is silent: aapanel UI green, DNS green, only Postmaster Tools and the rspamd log reveal it. Easy to miss for weeks.

Environment

aapanel 8.0.2
Rspamd milter on 127.0.0.1:11332, configured per-domain in /etc/rspamd/local.d/dkim_signing.conf
Postfix non_smtpd_milters = inet:127.0.0.1:11332
DKIM keys at /www/server/dkim/<domain>/default.private created by aapanel UI

Affected on my machine: all 8 domains using the same key path pattern. Same root cause for each.

aaPanel_Kern

Hello,

What operating system are you using?
This should be caused by incomplete initialization.
This directory and files should have permissions of 755

ta_ihpoj1jophi_at

aaPanel_Kern

Thanks for the reply!

OS / version: Ubuntu 24.04.4 LTS, aaPanel 8.0.2.

A few notes on your points:

1. „This directory and files should have permissions of 755"

The directory was always 755 root:root - that wasn't the issue. The aaPanel file-browser displays „755 / root" for the entries, but on the actual filesystem the files showed:

-rw-r-----  root root  default.private   (mode 640)
-rw-r--r--  root root  default.pub       (mode 644)

For the private key, mode 640 (or 600) is correct — setting it to 755 (-rwxr-xr-x) would make it world-readable, which would be a security regression. The mode wasn't the issue.

2. „Incomplete initialization" - possible context

That's plausible: my setup has been migrated across several aaPanel versions over the years, and DKIM keys carry timestamps as old as Oct 4 2022 (probably aaPanel 6.x back then). Newer keys created via the current 8.0.2 mail module show the same ownership pattern, though, so the behavior seems consistent across versions on my side.

All 8 of my mail domains were affected uniformly, with the same Rspamd log entry for each:

dkim_module_load_key_format: cannot load dkim key
  /www/server/dkim/<domain>/default.private:
  cannot map key file: '...default.private' Permission denied

3. The actual cause I found

Rspamd (running as user _rspamd, configured as the milter on 127.0.0.1:11332) couldn't read the key file because:

Owner / group of the key: root:root
_rspamd is not a member of root
Mode 640 on root:root means only root and root-group members can read

So Rspamd silently produced unsigned outbound mail - DNS/SPF/DKIM-record checks were all green, but actual messages went out without a DKIM-Signature: header. Postmaster Tools complained accordingly.

4. Fix that worked

chgrp _rspamd /www/server/dkim/*/default.private
chmod 640    /www/server/dkim/*/default.private
systemctl reload rspamd

Immediately after: Gmail auth-results changed from dkim=none to dkim=pass header.i=@<domain>.

5. Suggestion (for completeness - could already be fixed in newer setups)

When the mail module generates DKIM keys, it would be safer to set the group right away, e.g.:

install -o root -g _rspamd -m 640 default.private /www/server/dkim/<domain>/

or chgrp _rspamd immediately after key generation. Then the user that needs to read the key actually can, without loosening the mode.

If this is already the default in fresh 8.0.2 installs and only legacy setups like mine carry over the wrong group from older versions, a one-time „fix permissions" routine in the mail module would help users in the same boat.

Thanks again for looking into it!

PS: You might still remember - I once gave you SSH access to this host (it's a VPS) to fix an issue back then.