Postfix - Opendkim - Unable to connect to local socket

linux dkim centos postfix opendkim

I am getting denied errors when postfix tries to connect to the unix socket for opendkim, actual error:

Sep 24 15:41:43 service-a-4 postfix/cleanup[17414]: warning: connect to Milter service unix:var/run/opendkim/opendkim.sock: Permission denied

According to postfix docs, postfix is run in "chroot mode" by default, so postfix is locked down to /var/spool/postfix/, and according to the postfix docs, if running in "chroot mode", all milter (socket) references are relative (to /var/spool/postfix).

So my configs look like:

# /etc/opendkim.conf
Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock

# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock

Now when I try to send a test email I get the permission denied error, so I tried a few permission tests:

# Correctly lists the socket file
sudo su -s /bin/bash postfix -c "ls /var/spool/postfix/var/run/opendkim/opendkim.sock"

But when I try to connect as postfix, nothing happens:

# Does not work
sudo su -s /bin/bash postfix -c "nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock"

# Does work (as root)
nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock

SELinux is temporarily disabled (permissive) whilst debugging this sitch. And I am restarting both processes (opendkim and postfix) after every config change.

What else am I missing?

Versions:

CentOS 6.5
Postfix v2.6.6
Opendkim v2.9

Solution 1:

Tested on my CentOS6 that postfix seems not really "chrooted".
My setting:

# /etc/opendkim.conf
Socket local:/var/run/opendkim/opendkim.sock

# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock

This will produce: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied.
However, the socket umask is 002, result in srwxrwxr-x. opendkim:opendkim opendkim.sock.

Changing the umask to 000 solves the problem. Still, it's better to have opendkim switch user:group than just open to the world.

Environment:

centos 6.5 2.6.32-573.7.1.el6.x86_64
postfix 2.6.6-6.el6_5 @updates
opendkim 2.10.3-1.el6 @epel

Solution 2:

For those that find this and the issue is not resolve with the above answers, my issue was group execute permissions missing on the opendkim socket folder /var/run/opendkim/

I added a cron @reboot to ensure group permissions were set @reboot root chmod g+x /var/run/opendkim/

Fixes/patches the following warning from returning after a reboot.

warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied

A tcp connection was not a good solution for me as I sign 100k+ emails per hour.

Solution 3:

IIRC, postfix in centos 6 does not run chrooted in its standard config. When I configured opendkim from epel it came with this config:

Socket                  inet:8891@localhost

so enabling it in postfix was just a matter of adding this to main.cf:

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

en restarting both opendkim en postfix after properly configuring the keys, TrustedHosts, SigningTable, Keytable and publishing the txt records to dns.

O, and I forgot: postfix should be member of the opendkim group as well.

Related

Prevent accidental execution of commands in Linux if pasting text containing one or more return characters
How to bypass cloudflare caching like reddit does
How to make dovecot password independent of server password?
Password replication across AD sites
Merge Logical Volume groups
How to find what processes were running at a time in the past?
why bind9 gives connection refused for permission denied error when it is 777
Ubuntu upgrade from 14.04 LTS to 16.04 failed - mysql-server-5.7 dependecies fail
Partition resize [duplicate]
Ubuntu 17.04 slow boot on SSD with dual boot
Install the correct Nvidia driver version for NVIDIA CUDA Toolkit
HP Pavilion G6 1209 temperature higher than usual and fan working in 11.10