Can't change OpenDKIM socket in Debian stretch in /etc/default/opendkim
I am trying to set up opendkim on Debian stretch but I fail at changing the socket. I want to change the socket to /var/spool/postfix/opendkim/opendkim.sock so I can use it with postfix.
I have added Socket local:/var/spool/postfix/opendkim/opendkim.sock to /etc/opendkim.conf and also tried adding SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock" to /etc/default/opendkim (which I had to create).
No matter what I change or how often I restart opendkim, it always uses /var/run/opendkim/opendkim.sock as its socket.
➜ ~ netstat -a | fgrep LISTEN | grep open
unix 2 [ ACC ] STREAM LISTENING 5534128 /var/run/opendkim/opendkim.sock
➜ ~ sudo systemctl status opendkim.service
● opendkim.service - OpenDKIM DomainKeys Identified Mail (DKIM) Milter
Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2017-04-30 12:41:54 CEST; 5min ago
Docs: man:opendkim(8)
man:opendkim.conf(5)
man:opendkim-genkey(8)
man:opendkim-genzone(8)
man:opendkim-testadsp(8)
man:opendkim-testkey
http://www.opendkim.org/docs.html
Process: 25246 ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock (code=exited, status=0/SUCCESS)
Main PID: 25248 (opendkim)
Tasks: 7 (limit: 4915)
CGroup: /system.slice/opendkim.service
├─25248 /usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock
└─25249 /usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock
Apr 30 12:41:54 vServer systemd[1]: Starting OpenDKIM DomainKeys Identified Mail (DKIM) Milter...
Apr 30 12:41:54 vServer systemd[1]: Started OpenDKIM DomainKeys Identified Mail (DKIM) Milter.
Apr 30 12:41:54 vServer opendkim[25249]: OpenDKIM Filter v2.11.0 starting (args: -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock)
What am I doing wrong? (I guess it's my mistake as I can't find anyone else with the same issue)
UPDATE:
Changing /etc/default/opendkim to SOCKET="inet:8891@localhost" and changing the postfix config to use this socket results in inet:localhost:8891: Connection refused
UPDATE2:
I have now replaced with the file bundled in the debian stretch package:
# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
#DAEMON_OPTS=""
# Change to /var/spool/postfix/var/run/opendkim to use a Unix socket with
# postfix in a chroot:
RUNDIR=/var/spool/postfix/var/run/opendkim
#RUNDIR=/var/run/opendkim
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
SOCKET=local:$RUNDIR/opendkim.sock
# listen on all interfaces on port 54321:
#SOCKET=inet:54321
# listen on loopback on port 12345:
#SOCKET=inet:12345@localhost
# listen on 192.0.2.1 on port 12345:
#SOCKET=inet:12345@192.0.2.1
USER=opendkim
GROUP=opendkim
PIDFILE=$RUNDIR/$NAME.pid
EXTRAAFTER=
The includes the following lines where the socket is decided:
if [ -f /etc/opendkim.conf ]; then
CONFIG_SOCKET=`awk '$1 == "Socket" { print $2 }' /etc/opendkim.conf`
fi
# This can be set via Socket option in config file, so it's not required
if [ -n "$SOCKET" -a -z "$CONFIG_SOCKET" ]; then
DAEMON_OPTS="-p $SOCKET $DAEMON_OPTS"
fi
Solution 1:
I finally found the solution.
The /etc/init.d/opendkim doesn't seem to do anything. But instead the service file /lib/systemd/system/opendkim.service is used, which had the wrong socket hardcoded.
But the Debian package also seems to include a bash script that generates the correct systemd service.
So after running
/lib/opendkim/opendkim.service.generate
systemctl daemon-reload
service opendkim restart
and restarting opendkim the socket file appears in the expected place, which can be verified by calling:
tail /var/log/mail.log | grep OpenDKIM
Update: It seems there is a Debian bug report about this issue: #861169
Update 2021:
As this question is still read quite often, I want to make everyone aware of the recent NEWS entry:
[...]
We remind users that opendkim is best configured by editing /etc/opendkim.conf. The legacy defaults file at /etc/default/opendkim is still available, as is the script /lib/opendkim/opendkim.service.generate. However, these provide no additional value over the default configuration file /etc/opendkim.conf. Please take this opportunity to review your configuration setup.
Also, beginning with Debian Bullseye, the /etc/default/opendkim starts with:
# NOTE: This is a legacy configuration file. It is not used by the opendkim
# systemd service. Please use the corresponding configuration parameters in
# /etc/opendkim.conf instead.
#
# Previously, one would edit the default settings here, and then execute
# /lib/opendkim/opendkim.service.generate to generate systemd override files at
# /etc/systemd/system/opendkim.service.d/override.conf and
# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
# recommended to adjust the settings directly in /etc/opendkim.conf.
Solution 2:
I don't have enough reputation to comment and wanted to acknowledge that after hours of searching for a solution to the OpenDKIM-Postfix 'connection refused' error message, the /lib/systemd/system/opendkim.service edit provided by LocutusBE worked with Ubuntu 17.04:
warning: connect to Milter service inet:localhost:8891: Connection refused
edit /lib/systemd/system/opendkim.service
change:
ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock
to:
ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock -p inet:12301@localhost
systemctl daemon-reload
and
systemctl restart opendkim
Before attempting the edit I added the postfix user to the opendkim group and tried /lib/opendkim/opendkim.service.generate per Lukas Winkler's solution. The connection refused error persisted until the port number was added to /lib/systemd/system/opendkim.service.
To update /lib/systemd/system/opendkim.service, I used port 8891 for Ubuntu and commented out the original ExecStart line for testing purposes, then added a new line with port #:
/lib/systemd/system/opendkim.service (Service category):
[Service]
Type=forking
PIDFile=/var/run/opendkim/opendkim.pid
User=opendkim
UMask=0007
#ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock
ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock -p inet:8891@localhost
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID
The matching port number was additionally specified in /etc/opendkim.conf:
Socket inet:8891@localhost
And /etc/postfix/main.cf:
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
After restarting the systemctl daemon, opendkim, and postfix, outgoing mail was signed without issue and the mail log showed "DKIM-Signature field added".
systemctl daemon-reload
systemctl restart opendkim
systemctl restart postfix
There was no connection issue when configuring OpenDKIM with CentOS 7 recently, so apparently in this instance it was Ubuntu-related. Thanks to Lukas Winkler for posting the question and those who shared their solutions.
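Both answers come down to the same check: which socket the unit's ExecStart really passes with -p, whether that overrides the Socket line in /etc/opendkim.conf, and whether smtpd_milters names the same endpoint. The script below is an added example, not part of either answer or of the Debian package; its function names and sample files are constructed from values in the thread. It assumes the last -p on a command line wins and does not translate paths for a chrooted Postfix.

```shell
#!/bin/sh
# Added example; file contents below are constructed from the thread's values.

# Last -p argument of the last uncommented ExecStart= line in a unit file.
# Assumption: when -p is repeated, the last one is the one that takes effect.
unit_socket() {
    awk '/^ExecStart=/ { s = ""
             for (i = 1; i < NF; i++) if ($i == "-p") s = $(i + 1)
             last = s }
         END { print last }' "$1"
}

# Socket directive in opendkim.conf (same awk as the init script on the page).
conf_socket() { awk '$1 == "Socket" { print $2 }' "$1"; }

# -p on the command line overrides Socket in opendkim.conf.
effective_socket() {
    s=$(unit_socket "$1")
    [ -n "$s" ] || s=$(conf_socket "$2")
    printf '%s\n' "$s"
}

# opendkim syntax (inet:PORT@HOST, local:PATH) -> Postfix milter syntax.
to_postfix() {
    case "$1" in
        inet:*@*) p=${1#inet:}; printf 'inet:%s:%s\n' "${p#*@}" "${p%%@*}" ;;
        local:*)  printf 'unix:%s\n' "${1#local:}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# Exit 0 only if smtpd_milters in main.cf names the effective socket.
milter_matches() {
    want=$(to_postfix "$(effective_socket "$1" "$2")")
    have=$(awk -F'[ =]+' '$1 == "smtpd_milters" { print $2 }' "$3")
    [ "$want" = "$have" ]
}

d=$(mktemp -d)
X='ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid'
printf '%s\n' "$X -p local:/var/run/opendkim/opendkim.sock" > "$d/stock.service"
printf '%s\n' "#$X -p local:/var/run/opendkim/opendkim.sock" \
    "$X -p local:/var/run/opendkim/opendkim.sock -p inet:8891@localhost" > "$d/edited.service"
printf 'Socket inet:8891@localhost\n' > "$d/opendkim.conf"
printf 'smtpd_milters = inet:localhost:8891\nmilter_default_action = accept\n' > "$d/main.cf"

for u in stock edited; do
    milter_matches "$d/$u.service" "$d/opendkim.conf" "$d/main.cf" \
        && echo "$u: ok" || echo "$u: postfix and opendkim disagree"
done
```

With milter_default_action = accept, a mismatch does not stop mail: Postfix logs the "Connection refused" warning and delivers the message unsigned, so the mail log is the only place the failure shows.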