Postfix - Opendkim - Unable to connect to local socket

I am getting denied errors when postfix tries to connect to the unix socket for opendkim, actual error:

Sep 24 15:41:43 service-a-4 postfix/cleanup[17414]: warning: connect to Milter service unix:var/run/opendkim/opendkim.sock: Permission denied

According to postfix docs, postfix is run in "chroot mode" by default, so postfix is locked down to /var/spool/postfix/, and according to the postfix docs, if running in "chroot mode", all milter (socket) references are relative (to /var/spool/postfix).

So my configs look like:

# /etc/opendkim.conf
Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock

# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock

Now when I try to send a test email I get the permission denied error, so I tried a few permission tests:

# Correctly lists the socket file
sudo su -s /bin/bash postfix -c "ls /var/spool/postfix/var/run/opendkim/opendkim.sock"

But when I try to connect as postfix, nothing happens:

# Does not work
sudo su -s /bin/bash postfix -c "nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock"

# Does work (as root)
nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock

SELinux is temporarily disabled (permissive) whilst debugging this sitch. And I am restarting both processes (opendkim and postfix) after every config change.

What else am I missing?

Versions:

CentOS 6.5
Postfix v2.6.6
Opendkim v2.9

Solution 1:

Tested on my CentOS6 that postfix seems not really "chrooted".
My setting:

# /etc/opendkim.conf
Socket local:/var/run/opendkim/opendkim.sock

# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock

This will produce: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied.
However, the socket umask is 002, result in srwxrwxr-x. opendkim:opendkim opendkim.sock.

Changing the umask to 000 solves the problem. Still, it's better to have opendkim switch user:group than just open to the world.

Environment:

centos 6.5 2.6.32-573.7.1.el6.x86_64
postfix 2.6.6-6.el6_5 @updates
opendkim 2.10.3-1.el6 @epel

Solution 2:

For those that find this and the issue is not resolve with the above answers, my issue was group execute permissions missing on the opendkim socket folder /var/run/opendkim/

I added a cron @reboot to ensure group permissions were set @reboot root chmod g+x /var/run/opendkim/

Fixes/patches the following warning from returning after a reboot.

warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied

A tcp connection was not a good solution for me as I sign 100k+ emails per hour.

Solution 3:

IIRC, postfix in centos 6 does not run chrooted in its standard config. When I configured opendkim from epel it came with this config:

Socket                  inet:8891@localhost

so enabling it in postfix was just a matter of adding this to main.cf:

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

en restarting both opendkim en postfix after properly configuring the keys, TrustedHosts, SigningTable, Keytable and publishing the txt records to dns.

O, and I forgot: postfix should be member of the opendkim group as well.