Postfix - Opendkim - Unable to connect to local socket
Solution 1
Tested on my CentOS6 that postfix seems not really "chrooted".
My setting:
# /etc/opendkim.conf
Socket local:/var/run/opendkim/opendkim.sock
# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
This will produce: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied.
However, the socket umask is 002, resulting in srwxrwxr-x. opendkim:opendkim opendkim.sock.
Changing the umask to 000 solves the problem. Still, it's better to have opendkim switch user:group than just open to the world.
Environment:
centos 6.5 2.6.32-573.7.1.el6.x86_64
postfix 2.6.6-6.el6_5 @updates
opendkim 2.10.3-1.el6 @epel
Solution 2
For those that find this and the issue is not resolved with the above answers, my issue was group execute permissions missing on the opendkim socket folder /var/run/opendkim/
I added a cron @reboot to ensure group permissions were set
@reboot root chmod g+x /var/run/opendkim/
Fixes/patches the following warning from returning after a reboot.
warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied
A tcp connection was not a good solution for me as I sign 100k+ emails per hour.
Solution 3
IIRC, postfix in centos 6 does not run chrooted in its standard config. When I configured opendkim from epel it came with this config:
Socket inet:8891@localhost
so enabling it in postfix was just a matter of adding this to main.cf:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
and restarting both opendkim and postfix after properly configuring the keys, TrustedHosts, SigningTable, Keytable and publishing the txt records to dns.
O, and I forgot: postfix should be member of the opendkim group as well.
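The three answers above point at different links in the same chain: to connect to a pathname socket on Linux, the connecting user needs search (x) permission on every directory in the path and write (w) permission on the socket itself. The following is an added example, not part of any answer on this page, that walks that chain and reports the first component that denies access. The uid/gid numbers and directory modes are constructed sample values, and the check covers only classic mode bits for a non-root user (no ACLs, no SELinux).

```python
import os
import stat

# Permission bits per class: (write, search/execute)
_BITS = {"owner": (stat.S_IWUSR, stat.S_IXUSR),
         "group": (stat.S_IWGRP, stat.S_IXGRP),
         "other": (stat.S_IWOTH, stat.S_IXOTH)}

def first_denial(entries, uid, gids):
    """entries: [(path, mode, owner_uid, owner_gid), ...] ordered from / to the socket.
    Every directory needs search (x); the socket needs write (w) for connect().
    Returns (path, class, missing_bit) for the first failure, or None."""
    for i, (path, mode, o_uid, o_gid) in enumerate(entries):
        # POSIX picks exactly one class: owner, else owning group, else other.
        cls = "owner" if uid == o_uid else "group" if o_gid in gids else "other"
        is_socket = i == len(entries) - 1
        mask = _BITS[cls][0 if is_socket else 1]
        if not mode & mask:
            return path, cls, "w" if is_socket else "x"
    return None

def stat_chain(sock_path):
    """Build `entries` from the live filesystem for a real socket path."""
    chain, p = [], os.path.abspath(sock_path)
    while True:
        st = os.stat(p)
        chain.append((p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
        if p == os.path.dirname(p):
            break
        p = os.path.dirname(p)
    return chain[::-1]

# Constructed sample values (uids/gids and directory modes are made up).
ROOT, OPENDKIM, POSTFIX = 0, 497, 89
SOCK = "/var/run/opendkim/opendkim.sock"

def sample(dir_mode, sock_mode):
    return [("/", 0o755, ROOT, ROOT), ("/var", 0o755, ROOT, ROOT),
            ("/var/run", 0o755, ROOT, ROOT),
            ("/var/run/opendkim", dir_mode, OPENDKIM, OPENDKIM),
            (SOCK, sock_mode, OPENDKIM, OPENDKIM)]

if __name__ == "__main__":
    # umask 002 socket, postfix not in the opendkim group (Solution 1)
    print(first_denial(sample(0o755, 0o775), POSTFIX, {POSTFIX}))
    # same socket, postfix added to the opendkim group (Solution 3)
    print(first_denial(sample(0o755, 0o775), POSTFIX, {POSTFIX, OPENDKIM}))
    # directory without g+x, even with group membership (Solution 2)
    print(first_denial(sample(0o740, 0o775), POSTFIX, {POSTFIX, OPENDKIM}))
```

On a live host, pass `stat_chain(path)` together with the postfix uid and its group ids to `first_denial` to see which component to fix, rather than opening the socket to everyone.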
Mike Purcell
Updated on September 18, 2022
Comments
-
Mike Purcell over 1 year
I am getting denied errors when postfix tries to connect to the unix socket for opendkim, actual error:
Sep 24 15:41:43 service-a-4 postfix/cleanup[17414]: warning: connect to Milter service unix:var/run/opendkim/opendkim.sock: Permission denied
According to postfix docs, postfix is run in "chroot mode" by default, so postfix is locked down to /var/spool/postfix/, and according to the postfix docs, if running in "chroot mode", all milter (socket) references are relative (to /var/spool/postfix).
So my configs look like:
# /etc/opendkim.conf
Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock
# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
Now when I try to send a test email I get the permission denied error, so I tried a few permission tests:
# Correctly lists the socket file
sudo su -s /bin/bash postfix -c "ls /var/spool/postfix/var/run/opendkim/opendkim.sock"
But when I try to connect as postfix, nothing happens:
# Does not work
sudo su -s /bin/bash postfix -c "nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock"
# Does work (as root)
nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock
SELinux is temporarily disabled (permissive) whilst debugging this sitch. And I am restarting both processes (opendkim and postfix) after every config change.
What else am I missing?
Versions:
CentOS 6.5
Postfix v2.6.6
Opendkim v2.9
-
Mike Purcell over 8 years
Thx for the response, but inet:8891 is not a unix socket, it's a tcp port. And I do believe that postfix is chrooted b/c according to the postfix docs, postfix defaults to chroot, and I did not overwrite that value, which is proven by the fact that postfix is run out of /var/spool/postfix,
-
Mike Purcell over 8 years
Ok that makes sense then, but still doesn't explain why I can't connect to the local unix socket.
-
natxo asenjo over 8 years
is postfix member of the opendkim group?
-
Mike Purcell over 8 years
Switch user group?
-
atitan over 8 years
Use "UserID" setting in opendkim.conf. e.g.
UserID opendkim:postfix
-
Mike Purcell over 8 years
Gotcha.. I'll give her a go.
-
Mike Purcell over 8 years
Ya I added postfix to opendkim group per some suggestions via googling but to no avail. Going to try @atitan's suggestion.
-
natxo asenjo over 8 years
well, I would then first upgrade everything, centos 6.5 is quite old now (6.7 has been out for a while); who knows, maybe some bugs have been solved in opendkim since then. And I would just try using a tcp socket which many people (including me) know works. Good luck.
-
Mike Purcell almost 8 years
A tcp socket was not a good solution? You mean a unix socket? The socket is faster than tcp port b/c you don't have to involve all the tcp overhead.
-
Jacob Evans almost 8 years
Correct, I'll clarify the wording
-
lkraav about 6 years
On Gentoo, the systemd unit overrides the UserID setting.
-
mc0e about 5 years
better yet is to add postfix to the opendkim group.
-
Dominic P almost 5 years
Thanks for sharing. I had the same problem. I used systemctl edit opendkim to create an override for the unit file that set the appropriate permissions on the /var/run/opendkim directory.