It would be better to forbid both KeyTable and KeyFile, or to at least emit a warning that KeyFile is being ignored. Instead what happens is that KeyFile is treated as though it were not present at all.
If Selector then appears, or is provided on the command line, the user will see the error KeyFile and Selector must both be defined or both be undefined.
This is very confusing to untangle (I had to dig into the source code) because the actual condition being checked is that "if KeyTable is present, then neither KeyFile nor Selector may be present" -- and since SigningTable requires KeyTable, we also have the condition "if SigningTable is present then neither KeyFile nor Selector may be present".
Unfortunately in NixOS, KeyFile and Selector are unconditionally provided on the command-line, which seems to preempt using opendkim in signing mode. (This is easy to override, but I am mentioning it here to help future people who may be searching for these error messages. I may also file a PR against nixpkgs to encode this logic in nix assertions.)
It would be better to forbid both
KeyTableandKeyFile, or to at least emit a warning thatKeyFileis being ignored. Instead what happens is thatKeyFileis treated as though it were not present at all.If
Selectorthen appears, or is provided on the command line, the user will see the errorKeyFile and Selector must both be defined or both be undefined.This is very confusing to untangle (I had to dig into the source code) because the actual condition being checked is that "if
KeyTableis present, then neitherKeyFilenorSelectormay be present" -- and sinceSigningTablerequiresKeyTable, we also have the condition "ifSigningTableis present then neitherKeyFilenorSelectormay be present".Unfortunately in NixOS,
KeyFileandSelectorare unconditionally provided on the command-line, which seems to preempt using opendkim in signing mode. (This is easy to override, but I am mentioning it here to help future people who may be searching for these error messages. I may also file a PR against nixpkgs to encode this logic in nix assertions.)