0

The following error impeded the restart of opendkim

× opendkim.service - OpenDKIM Milter
     Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sat 2023-04-22 08:00:27 UTC; 2s ago
[...]    Process: 2295 ExecStart=/usr/sbin/opendkim (code=exited, status=78)
opendkim.service: Control process exited, code=exited, status=78/CONFIG

Attempting to consult the (unencrypted, and possibly not updated) documentation, nothing was found regarding status=78.
But clearly the milter configurations are incorrect somehow. /etc/postfix/main.cf defines:

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

whereas /etc/opendkim.conf has

Syslog                  yes
SyslogSuccess           yes
LogWhy                  yes

Canonicalization        relaxed/simple
Mode                    sv
SubDomains              no
OversignHeaders         From

UserID                  opendkim
UMask                   007

Socket                  local:/var/spool/postfix/opendkim/opendkim.sock

#Nameservers            127.0.0.1
AutoRestart                     yes
AutoRestartRate                 10/1M
Background                      yes
DNSTimeout                      5
SignatureAlgorithm              rsa-sha256

ExternalIgnoreList      refile:/etc/opendkim/trusted.hosts
InternalHosts           refile:/etc/opendkim/trusted.hosts
KeyTable                refile:/etc/opendkim/key.table
SigningTable            refile:/etc/opendkim/signing.table

PidFile                 /var/run/opendkim/opendkim.pid
# UserID                  opendkim:opendkim

I noticed the following:
• the opendkim config originally referenced ExternalIgnoreList refile:/etc/opendkim/TrustedHosts whereas the existing file is /etc/opendkim/trusted.hosts. This repeats for the whole block. The whole block was amended to the lower case dot-separated file names and the service then restarts.

However, emails, while being sent, get logged by postfix with: warning: connect to Milter service local:opendkim/opendkim.sock: No such file or directory

cd /var/spool/postfix/opendkim
-bash: cd: /var/spool/postfix/opendkim: No such file or directory

I also see no pid file in /var/run/opendkim/

There are probably a few things wrong here between the postfix smtpd_milters = local:opendkim/opendkim.sock configuration and the opendkim Socket definition. What needs to be changed?

Update
warning: connect to Milter service local:opendkim/opendkim.sock: Permission denied is still in the mail logs, thus that element of configuration is wrong.

Changing the setting in postfix/main.cf to

smtpd_milters = local:/var/spool/postfix/opendkim/opendkim.sock

results in: warning: connect to Milter service local:/var/spool/postfix/opendkim/opendkim.sock: No such file or directory. The existence of /var/spool/postfix/opendkim/opendkim.sock is verified.

Jerome
  • What OS are you using? – Paul Apr 22 '23 at 11:35
  • Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-70-generic x86_64) – Jerome Apr 22 '23 at 12:02
  • The `main.cf` use of `local` I didn't see documented in `smtpd`, and in my servers I use the documented `unix`: `smtpd_milters = unix:opendkim/opendkim.sock`, but I don't know if this fixes anything for you. – Paul Apr 22 '23 at 12:20
  • Alas, `warning: connect to Milter service unix:/var/spool/postfix/opendkim/opendkim.sock: No such file or directory` – Jerome Apr 22 '23 at 14:01
  • ... and `warning: connect to Milter service unix:opendkim/opendkim.sock: Permission denied`. What directory would `unix:opendkim/` refer to? That directory does not exist at root level. – Jerome Apr 22 '23 at 14:07

2 Answers

2

While that is the path where the socket lies on the system, that is not the path chrooted smtpd instances will see it at:

smtpd_milters = local:/var/spool/postfix/opendkim/opendkim.sock

Postfix smtpd wants a path relative to the chroot directory; it does not know about the /var/spool/postfix/ path after start.

smtpd_milters = unix:opendkim/opendkim.sock

You can find the details in /usr/share/doc/postfix/MILTER_README and man 5 master, just quoting the key info here, emphasis mine:

If the smtpd(8) or cleanup(8) process runs chrooted, an absolute pathname is interpreted relative to the Postfix queue directory. On many systems, local is a synonym for unix

anx
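The path mapping described in the answer above, as an added example that is not part of the original answer or of Postfix/OpenDKIM: it computes which host path a `smtpd_milters` endpoint resolves to and compares it with the path in the opendkim `Socket` line. The function names are hypothetical, and the queue directory `/var/spool/postfix` and the chrooted flag are assumptions taken from the paths in the question.

```shell
#!/usr/bin/env bash
# Added example (function names are hypothetical, not Postfix or OpenDKIM tools).

# resolve_milter_path SPEC QUEUE_DIR CHROOTED(y|n)
# Prints the host filesystem path smtpd ends up opening for a unix:/local: endpoint.
resolve_milter_path() {
    _spec=$1; _qdir=${2%/}; _chroot=$3
    case $_spec in
        unix:*|local:*) _path=${_spec#*:} ;;
        *) echo "not a UNIX-domain endpoint: $_spec" >&2; return 2 ;;
    esac
    case $_path in
        /*) # absolute: re-rooted under the queue directory only when chrooted
            if [ "$_chroot" = y ]; then printf '%s\n' "$_qdir$_path"
            else printf '%s\n' "$_path"; fi ;;
        *)  # relative: resolved against the queue directory (the daemon's cwd)
            printf '%s\n' "$_qdir/$_path" ;;
    esac
}

# check_milter SPEC OPENDKIM_SOCKET QUEUE_DIR CHROOTED
# Returns 0 when smtpd and opendkim agree on the socket, 1 on mismatch.
check_milter() {
    _want=${2#*:}
    _got=$(resolve_milter_path "$1" "$3" "$4") || return 2
    if [ "$_got" = "$_want" ]; then
        echo "OK        $1 -> $_got"
    else
        echo "MISMATCH  $1 -> $_got (opendkim binds $_want)"; return 1
    fi
}

# Values from the question; queue directory and chroot flag are assumed
QUEUE_DIR=/var/spool/postfix
DKIM_SOCKET=local:/var/spool/postfix/opendkim/opendkim.sock
for spec in local:/var/spool/postfix/opendkim/opendkim.sock \
            unix:opendkim/opendkim.sock; do
    check_milter "$spec" "$DKIM_SOCKET" "$QUEUE_DIR" y || true
done
```

On a live host the queue directory comes from `postconf -h queue_directory`, and whether smtpd is chrooted from the chroot column of its entry in `master.cf`.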
0

Partial solution

sudo chown opendkim:postfix /var/spool/postfix/opendkim was required to give postfix the permissions to create opendkim.sock

and while opendkim.service: Can't open PID file /run/opendkim/opendkim.pid (yet?) after start: Operation not permitted occurred, it was temporary

Started OpenDKIM Milter. followed shortly thereafter and /run/opendkim/opendkim.pid was effectively created, an opendkim.pid owned by root.

Jerome