Postfix - Opendkim - Unable to connect to local socket


Solution 1

I tested on my CentOS 6 and postfix does not really seem to be "chrooted".
My setting:

# /etc/opendkim.conf
Socket local:/var/run/opendkim/opendkim.sock

# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock

This will produce: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied.
However, the socket umask is 002, resulting in srwxrwxr-x. opendkim:opendkim opendkim.sock.

Changing the umask to 000 solves the problem. Still, it's better to have opendkim switch user:group than just open to the world.

Environment:

centos 6.5 2.6.32-573.7.1.el6.x86_64
postfix 2.6.6-6.el6_5 @updates
opendkim 2.10.3-1.el6 @epel

Solution 2

For those that find this and whose issue is not resolved by the above answers: my issue was group execute permissions missing on the opendkim socket folder /var/run/opendkim/

I added a cron @reboot entry to ensure group permissions were set:

@reboot root chmod g+x /var/run/opendkim/

Fixes/patches the following warning from returning after a reboot.

warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied

A tcp connection was not a good solution for me as I sign 100k+ emails per hour.

Solution 3

IIRC, postfix in centos 6 does not run chrooted in its standard config. When I configured opendkim from epel it came with this config:

Socket                  inet:8891@localhost

so enabling it in postfix was just a matter of adding this to main.cf:

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

and restarting both opendkim and postfix after properly configuring the keys, TrustedHosts, SigningTable, KeyTable and publishing the TXT records to DNS.

Oh, and I forgot: postfix should be a member of the opendkim group as well.
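
The three answers above come down to the same checks: the socket's write bit (Solution 1), the search bit on /var/run/opendkim/ (Solution 2) and group membership (Solution 3). The script below is an added example, not part of any answer; the function names `allowed` and `first_block` and the optional START argument are made up here, and it assumes GNU stat and numeric uid/gid input.

```sh
#!/bin/sh
# Added example (not from the thread): find which path component blocks a
# user from connecting to a milter socket, using only owner/group/mode bits.
# Needs GNU stat (coreutils). ACLs and SELinux are not evaluated.

# allowed UID "GIDS" PATH BIT: succeed if the mode bits of PATH grant BIT
# (1 = search/execute, 2 = write) to a process with that uid and group list.
allowed() {
    [ -e "$3" ] || return 1
    if [ "$1" -eq 0 ]; then return 0; fi          # root bypasses mode bits
    # After this: $1=uid $2=gids $3=bit $4=owner uid $5=owner gid $6=octal mode
    set -- "$1" "$2" "$4" $(stat -c '%u %g %a' "$3")
    cls=0                                         # default: "other" bits
    for g in $2; do
        if [ "$g" -eq "$5" ]; then cls=3; fi      # group class
    done
    if [ "$1" -eq "$4" ]; then cls=6; fi          # owner class takes precedence
    [ $(( (0$6 >> $cls) & $3 )) -ne 0 ]
}

# first_block UID "GIDS" SOCKET [START]: print the first component that denies
# access, or "ok". Directories below START (default /, assumed reachable) need
# the search bit; the socket needs write, which connect(2) requires on Linux.
first_block() {
    who=$1 grps=$2 cur=${4:-/}
    cur=${cur%/}
    rest=${3#"$cur"/}
    while [ "$rest" != "${rest#*/}" ]; do         # a "/" remains: directory
        cur=$cur/${rest%%/*}
        rest=${rest#*/}
        if ! allowed "$who" "$grps" "$cur" 1; then
            echo "search denied: $cur"; return 0
        fi
    done
    if ! allowed "$who" "$grps" "$cur/$rest" 2; then
        echo "write denied: $cur/$rest"; return 0
    fi
    echo ok
}

# Usage on the mail host:
#   first_block "$(id -u postfix)" "$(id -G postfix)" /var/run/opendkim/opendkim.sock
```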

Author by

Mike Purcell


Updated on September 18, 2022

Comments

  • Mike Purcell
    Mike Purcell over 1 year

    I am getting denied errors when postfix tries to connect to the unix socket for opendkim, actual error:

    Sep 24 15:41:43 service-a-4 postfix/cleanup[17414]: warning: connect to Milter service unix:var/run/opendkim/opendkim.sock: Permission denied
    

    According to postfix docs, postfix is run in "chroot mode" by default, so postfix is locked down to /var/spool/postfix/, and according to the postfix docs, if running in "chroot mode", all milter (socket) references are relative (to /var/spool/postfix).

    So my configs look like:

    # /etc/opendkim.conf
    Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock
    
    # /etc/postfix/main.cf
    smtpd_milters = unix:/var/run/opendkim/opendkim.sock
    

    Now when I try to send a test email I get the permission denied error, so I tried a few permission tests:

    # Correctly lists the socket file
    sudo su -s /bin/bash postfix -c "ls /var/spool/postfix/var/run/opendkim/opendkim.sock"
    

    But when I try to connect as postfix, nothing happens:

    # Does not work
    sudo su -s /bin/bash postfix -c "nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock"
    
    # Does work (as root)
    nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock
    

    SELinux is temporarily disabled (permissive) whilst debugging this sitch. And I am restarting both processes (opendkim and postfix) after every config change.

    What else am I missing?

    Versions:

    CentOS 6.5
    Postfix v2.6.6
    Opendkim v2.9
    
  • Mike Purcell
    Mike Purcell over 8 years
    Thx for the response, but inet:8891 is not a unix socket, it's a tcp port. And I do believe that postfix is chrooted b/c according to the postfix docs, postfix defaults to chroot, and I did not overwrite that value, which is proven by the fact that postfix is run out of /var/spool/postfix,
  • Mike Purcell
    Mike Purcell over 8 years
    Ok that makes sense then, but still doesn't explain why I can't connect to the local unix socket.
  • natxo asenjo
    natxo asenjo over 8 years
    Is postfix a member of the opendkim group?
  • Mike Purcell
    Mike Purcell over 8 years
    Switch user group?
  • atitan
    atitan over 8 years
    Use "UserID" setting in opendkim.conf. e.g. UserID opendkim:postfix
  • Mike Purcell
    Mike Purcell over 8 years
    Gotcha.. I'll give her a go.
  • Mike Purcell
    Mike Purcell over 8 years
    Ya I added postfix to opendkim group per some suggestions via googling but to no avail. Going to try @atitan's suggestion.
  • natxo asenjo
    natxo asenjo over 8 years
    well, I would then first upgrade everything, centos 6.5 is quite old now (6.7 has been out for a while); who knows, maybe some bugs have been solved in opendkim since then. And I would just try using a tcp socket which many people (including me) know works. Good luck.
  • Mike Purcell
    Mike Purcell almost 8 years
    A tcp socket was not a good solution? You mean a unix socket? The socket is faster than tcp port b/c you don't have to involve all the tcp overhead.
  • Jacob Evans
    Jacob Evans almost 8 years
    Correct, I'll clarify the wording
  • lkraav
    lkraav about 6 years
    On Gentoo, the systemd unit overrides the UserID setting.
  • mc0e
    mc0e about 5 years
    better yet is to add postfix to the opendkim group.
  • Dominic P
    Dominic P almost 5 years
    Thanks for sharing. I had the same problem. I used systemctl edit opendkim to create an override for the unit file that set the appropriate permissions on the /var/run/opendkim directory.