Postfix - Opendkim - Unable to connect to local socket
I am getting denied errors when postfix tries to connect to the unix socket for opendkim, actual error:
Sep 24 15:41:43 service-a-4 postfix/cleanup[17414]: warning: connect to Milter service unix:var/run/opendkim/opendkim.sock: Permission denied
According to postfix docs, postfix is run in "chroot mode" by default, so postfix is locked down to /var/spool/postfix/, and according to the postfix docs, if running in "chroot mode", all milter (socket) references are relative (to /var/spool/postfix).
So my configs look like:
# /etc/opendkim.conf
Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock
# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
Now when I try to send a test email I get the permission denied error, so I tried a few permission tests:
# Correctly lists the socket file
sudo su -s /bin/bash postfix -c "ls /var/spool/postfix/var/run/opendkim/opendkim.sock"
But when I try to connect as postfix, nothing happens:
# Does not work
sudo su -s /bin/bash postfix -c "nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock"
# Does work (as root)
nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock
SELinux is temporarily disabled (permissive) whilst debugging this sitch. And I am restarting both processes (opendkim and postfix) after every config change.
What else am I missing?
Versions:
CentOS 6.5
Postfix v2.6.6
Opendkim v2.9
Solution 1:
Testing on my CentOS 6 shows that postfix does not really seem to be "chrooted".
My setting:
# /etc/opendkim.conf
Socket local:/var/run/opendkim/opendkim.sock
# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
This will produce: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied.
However, the socket umask is 002, resulting in srwxrwxr-x. opendkim:opendkim opendkim.sock.
Changing the umask to 000 solves the problem. Still, it's better to have opendkim switch user:group than just open to the world.
Environment:
centos 6.5 2.6.32-573.7.1.el6.x86_64
postfix 2.6.6-6.el6_5 @updates
opendkim 2.10.3-1.el6 @epel
Solution 2:
For those who find this and whose issue is not resolved by the above answers: my issue was missing group execute permissions on the opendkim socket folder /var/run/opendkim/.
I added a cron @reboot to ensure group permissions were set
@reboot root chmod g+x /var/run/opendkim/
This keeps the following warning from returning after a reboot:
warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied
A tcp connection was not a good solution for me as I sign 100k+ emails per hour.
Solution 3:
IIRC, postfix in centos 6 does not run chrooted in its standard config. When I configured opendkim from epel it came with this config:
Socket inet:8891@localhost
so enabling it in postfix was just a matter of adding this to main.cf:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
and restarting both opendkim and postfix after properly configuring the keys, TrustedHosts, SigningTable, Keytable and publishing the TXT records to DNS.
Oh, and I forgot: postfix should be a member of the opendkim group as well.
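The three answers above come down to the same check: the connecting user needs search (x) permission on every directory leading to the socket and write (w) permission on the socket itself. The following is an added example, not part of any answer on this page, that reports which component denies a given user; the function names are hypothetical, and it evaluates only the classic mode bits (no ACLs, no SELinux).

```python
import grp
import os
import pwd
import sys


def ids_for(user):
    """Return (uid, gids) for a local account, supplementary groups included."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def allowed(st, uid, gids, bit):
    """Owner/group/other check for one permission bit (2 = write, 1 = search)."""
    if uid == st.st_uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & bit)


def socket_denials(sock_path, uid, gids):
    """Return [(path, missing_bit)] for everything that blocks connect().

    Each directory above the socket needs search (x) and the socket itself
    needs write (w). Only mode bits are evaluated: ACLs and SELinux are not.
    """
    path = os.path.realpath(sock_path)
    dirs, d = [], os.path.dirname(path)
    while d not in dirs:              # dirname("/") == "/", which ends the walk
        dirs.append(d)
        d = os.path.dirname(d)
    denials = [(d, "x") for d in reversed(dirs)
               if not allowed(os.stat(d), uid, gids, 1)]
    if not allowed(os.stat(path), uid, gids, 2):
        denials.append((path, "w"))
    return denials


if __name__ == "__main__":
    # Run as root so every component can be stat()ed, for example:
    #   check.py postfix /var/run/opendkim/opendkim.sock
    user, sock = sys.argv[1], sys.argv[2]
    uid, gids = ids_for(user)
    for path, bit in socket_denials(sock, uid, gids):
        print(f"{user} lacks '{bit}' on {path}")
```

An empty result means the mode bits allow the connection, so a remaining "Permission denied" points at something this check does not cover, such as SELinux in enforcing mode.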