postfix: milter-reject: END-OF-MESSAGE from ...: 4.7.1 Service unavailable (opendkim)
I configured OpenDkim to work with postfix and I'm getting the following error when I try to send mail out:
postfix/cleanup[11542]: 40F271A291A: milter-reject: END-OF-MESSAGE from ***[***]: 4.7.1 Service unavailable - try again later; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.10]>
I've configured opendkim to use a unix socket, and it's working:
[chazy@mail ~]$ sudo netstat -nalp | grep dkim
unix 2 [ ACC ] STREAM LISTENING 144135 11267/opendkim /run/opendkim/opendkim.sock
unix 3 [ ] STREAM CONNECTED 147626 11267/opendkim /run/opendkim/opendkim.sock
unix 2 [ ] DGRAM 144137 11267/opendkim
Opendkim is started by its own user, as suggested by the Arch wiki (as well as the other security recommendations). The folders are also owned by opendkim:mail.
I'm using the same selector and signing key for all domains. Is that a problem?
The postfix configuration is as follows:
# DKIM
milter_default_action = accept
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/run/opendkim/opendkim.sock
No anti-spam service installed for the moment, just a basic postfix/dovecot/opendkim configuration to test the server.
Opendkim config:
# /etc/opendkim/opendkim.conf
BaseDirectory /var/lib/opendkim
Canonicalization relaxed/simple
Domain domain1.com domain2.com
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyFile /etc/opendkim/201704.private
KeyTable refile:/etc/opendkim/KeyTable
Selector 201704
SigningTable refile:/etc/opendkim/SigningTable
Socket local:/run/opendkim/opendkim.sock
Syslog Yes
TemporaryDirectory /run/opendkim
UMask 002
UserID opendkim:mail
TrustedHosts config:
# /etc/opendkim/TrustedHosts
# Trusted Hosts List
127.0.0.1
::1
x.x.x.x # Server IP
mail.maindomain.com
# Domains
maindomain.com
domain2.com
Solution 1:
The problem, in my case, was that the signing key file had root owner, so doing:
sudo chown opendkim:mail /etc/opendkim/selector.private
fixed the problem.
If this is not your problem, don't forget to take a look at the journal for both postfix and opendkim (I forgot to look at opendkim's, and that is where the error was):
journalctl --follow --unit postfix.service --unit opendkim.service
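The ownership check from Solution 1, as an added example that is not part of the original answer: a shell function that reads KeyFile and UserID from an opendkim.conf and reports whether the signing key is owned by the user the daemon runs as. The function names, the return codes, the extra check that the key carries no group or other permission bits, and the use of GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer): audit the signing key
# named in an opendkim.conf. Assumes GNU stat (stat -c).

# conf_value FILE KEY -> print the first value set for KEY, ignoring comments
conf_value() {
    awk -v k="$2" '$1 == k { sub(/#.*/, ""); print $2; exit }' "$1"
}

# check_dkim_key CONF
# Return codes (chosen for this example):
#   0 key looks fine, 1 config entry or key file missing,
#   2 key not owned by the UserID user, 3 key accessible to group/other
check_dkim_key() {
    conf=$1
    key=$(conf_value "$conf" KeyFile)
    user=$(conf_value "$conf" UserID)
    user=${user%%:*}                # "opendkim:mail" -> "opendkim"

    if [ -z "$key" ] || [ -z "$user" ]; then
        echo "KeyFile or UserID is not set in $conf"
        return 1
    fi
    if [ ! -f "$key" ]; then
        echo "$key: no such file"
        return 1
    fi

    owner=$(stat -c %U "$key")      # owner name
    mode=$(stat -c %a "$key")       # octal permission bits, e.g. 600

    if [ "$owner" != "$user" ]; then
        echo "$key: owned by $owner, but opendkim runs as $user"
        echo "fix: chown $user $key"
        return 2
    fi
    # A private key should be readable by its owner only (mode 600 or 400).
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$key: mode $mode lets group or other users access the key"
        echo "fix: chmod 600 $key"
        return 3
    fi
    echo "$key: owner $owner, mode $mode: ok"
    return 0
}

# Usage: sh check_dkim_key.sh /etc/opendkim/opendkim.conf
if [ $# -gt 0 ]; then check_dkim_key "$1"; fi
```

Run it as root, or as any user who can stat the key file, and pass the path of the opendkim.conf to audit.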
Solution 2:
Try and see if removing the "*@" from the file you use as your signing table works. This is what was causing it for me, even though I had
SigningTable refile:<directory to signing table file>
in my opendkim.conf.