8

I am getting denied errors when postfix tries to connect to the unix socket for opendkim, actual error:

Sep 24 15:41:43 service-a-4 postfix/cleanup[17414]: warning: connect to Milter service unix:var/run/opendkim/opendkim.sock: Permission denied

According to postfix docs, postfix is run in "chroot mode" by default, so postfix is locked down to /var/spool/postfix/, and according to the postfix docs, if running in "chroot mode", all milter (socket) references are relative (to /var/spool/postfix).

So my configs look like:

# /etc/opendkim.conf
Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock

# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock

Now when I try to send a test email I get the permission denied error, so I tried a few permission tests:

# Correctly lists the socket file
sudo su -s /bin/bash postfix -c "ls /var/spool/postfix/var/run/opendkim/opendkim.sock"

But when I try to connect as postfix, nothing happens:

# Does not work
sudo su -s /bin/bash postfix -c "nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock"

# Does work (as root)
nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock

SELinux is temporarily disabled (permissive) whilst debugging this sitch. And I am restarting both processes (opendkim and postfix) after every config change.

What else am I missing?

Versions:

CentOS 6.5
Postfix v2.6.6
Opendkim v2.9
Mike Purcell

4 Answers

7

Tested on my CentOS 6: postfix seems not really "chrooted".
My settings:

# /etc/opendkim.conf
Socket local:/var/run/opendkim/opendkim.sock

# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock

This will produce: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied.
However, the socket umask is 002, resulting in srwxrwxr-x. opendkim:opendkim opendkim.sock.

Changing the umask to 000 solves the problem. Still, it's better to have opendkim switch user:group than just opening it to the world.

Environment:

centos 6.5 2.6.32-573.7.1.el6.x86_64
postfix 2.6.6-6.el6_5 @updates
opendkim 2.10.3-1.el6 @epel
atitan
3

For those that find this and whose issue is not resolved with the above answers: my issue was group execute permission missing on the opendkim socket folder /var/run/opendkim/.

I added a cron @reboot entry to ensure group permissions were set:

@reboot root chmod g+x /var/run/opendkim/

This keeps the following warning from returning after a reboot.

warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied

A tcp connection was not a good solution for me as I sign 100k+ emails per hour.

Jacob Evans
  • A tcp socket was not a good solution? You mean a unix socket? The socket is faster than tcp port b/c you don't have to involve all the tcp overhead. – Mike Purcell Jul 26 '16 at 21:08
  • Correct, I'll clarify the wording – Jacob Evans Jul 26 '16 at 21:10
  • 1
    Thanks for sharing. I had the same problem. I used `systemctl edit opendkim` to create an override for the unit file that set the appropriate permissions on the `/var/run/opendkim` directory. – Dominic P Jun 17 '19 at 20:05
1

IIRC, postfix in centos 6 does not run chrooted in its standard config. When I configured opendkim from epel it came with this config:

Socket                  inet:8891@localhost

so enabling it in postfix was just a matter of adding this to main.cf:

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

and restarting both opendkim and postfix after properly configuring the keys, TrustedHosts, SigningTable, KeyTable and publishing the TXT records to DNS.

Oh, and I forgot: postfix should be a member of the opendkim group as well.

natxo asenjo
  • 1
    Thanks for the response, but inet:8891 is not a unix socket, it's a tcp port. And I do believe that postfix is chrooted b/c according to the postfix docs, postfix defaults to chroot, and I did not overwrite that value, which is proven by the fact that postfix is run out of /var/spool/postfix. – Mike Purcell Sep 25 '15 at 15:56
  • 1
    To find out if any postfix daemon is chrooted, look in master.cf. The standard line for smtp is: smtp inet n - n - - smtpd; if you read man 5 master, you will see that the default is y, but centos has chosen to put an n there. So maybe your postfix is chrooted, but standard centos installs are not (just checked both 6 and 7 installations). – natxo asenjo Sep 25 '15 at 20:09
  • Ok that makes sense then, but still doesn't explain why I can't connect to the local unix socket. – Mike Purcell Sep 25 '15 at 21:55
  • 3
    is postfix member of the opendkim group? – natxo asenjo Sep 25 '15 at 22:02
  • Ya I added postfix to opendkim group per some suggestions via googling but to no avail. Going to try @atitan's suggestion. – Mike Purcell Sep 27 '15 at 18:31
  • well, I would then first upgrade everything, centos 6.5 is quite old now (6.7 has been out for a while); who knows, maybe some bugs have been solved in opendkim since then. And I would just try using a tcp socket which many people (including me) know works. Good luck. – natxo asenjo Sep 27 '15 at 18:48
0

For postfix and opendkim to communicate via unix sockets, opendkim must be able to create the socket, and postfix must be able to read the socket.

In Debian, postfix runs as chroot /var/spool/postfix, so one possible setup is:

/etc/opendkim.conf:
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock

/etc/postfix/main.cf:
smtpd_milters = unix:opendkim/opendkim.sock

/var/spool/postfix/opendkim must exist and should be owned by opendkim:

drwxr-xr-x 2 opendkim opendkim 4096 Jul 27 15:22 opendkim/

This should enable opendkim to create the socket and postfix to access the directory, but postfix still cannot read the socket:

srwxrwx--- 1 opendkim opendkim 0 Jul 27 15:22 opendkim.sock=

You can either put the socket in the postfix group:

/etc/opendkim.conf:
UserID                  opendkim:postfix

srwxrwx--- 1 opendkim postfix 0 Jul 27 15:43 opendkim.sock=

or put postfix in the opendkim group:

$ usermod -a -G opendkim postfix

Either should give postfix the correct permissions. Now postfix should be able to sign messages. Different distros may work slightly differently, but that should give you a start.

Theoretically, you could also change the opendkim umask to 002, but that would make the socket world readable, which is probably a security issue, so I would recommend against that.

Arno Schäfer