On my Debian Jessie VPS, an email server running Postfix + Dovecot with users and passwords in MySQL, I've installed OpenDKIM, which uses MySQL for keys too. If for some reason the server reboots, I find the OpenDKIM service in status "active (exited)" every time, and the log reports:

  opendkim: /etc/opendkim.conf: dsn:mysql://NAME-MAILUSER:**PLAINTEXT-PASSWORD**@MYSQL-PORT+127.0.0.1/mailserver/table=virtual_domains?keycol=name?datacol=ID: dkimf_db_open(): Can't connect to MySQL server on '127.0.0.1' (111)

The cause seems to be the connection to the MySQL server.

If I restart OpenDKIM, the problem is gone, always.

My questions are two:

  1. Is it possible to prevent systemctl from showing the MySQL password in the logs?
  2. How can I make sure that OpenDKIM finds the MySQL server started and correctly restarts (OpenDKIM) after a reboot? Could setting different service priorities solve the issue? And what is the best practice in this scenario?

Many thanks!

David

1 Answer

Answer to 2: Making opendkim start after mariadb or mysql:

  mkdir /etc/systemd/system/opendkim.service.d

In that directory, add /etc/systemd/system/opendkim.service.d/database-dependency.conf:

  [Unit]
  After=mariadb.service

Note: use mysql.service rather than mariadb.service if that is the service name on your system.

ref: systemd.unit man page

Answer to question 1:

Removing the error might prevent the password entering the log. As far as I know there is no configuration option to remove the password from the log.

An alternative, however, is to create an opendkim database user that doesn't depend on a password, only on the unix user also being opendkim. This can be done with unix socket authentication.

   INSTALL PLUGIN unix_socket SONAME 'auth_socket';
   ALTER USER opendkim IDENTIFIED VIA unix_socket;

Note: ALTER USER is mariadb-10.2+ only. Deleting and recreating the user/grants might be required in earlier versions.

The opendbx dsn that opendkim uses will need to connect to the unix socket rather than a TCP connection. This might just require calling the host localhost; however, I'm not 100% sure. Also note that some postfix processes run in a chroot and thus will be unable to connect to the unix socket without changing chroot to n in the column in master.cf.

edit: * changed to xxx.conf filename conventions * allowed for mysql or mariadb depending on service used * edit - some postfix processes are chrooted.

danblack
  • Hi danblack, I've done as you suggest for point "2". After rebooting the server the situation seems the same. I've created a file named "opendkim.unit" in "/etc/systemd/system/opendkim.service.d/" with content as you described, but the problem seems not solved. Did I do something wrong? – Davide Marchi Aug 24 '18 at 12:36
  • Take a look at `systemctl status opendkim.service` and `systemctl show opendkim.service`. Try renaming opendkim.unit to opendkim.conf, `systemctl daemon-reload` and look again. – danblack Aug 24 '18 at 13:03
  • I've moved 'opendkim.unit' to 'local.conf', but the problem persisted. I then changed 'mariadb.service' to 'mysql.service' and now all seems to work fine! Many thanks! :-) – Davide Marchi Aug 24 '18 at 14:40
  • Relating to the question "1" I saw that the password is shown only to the root user so I think it is not necessary to proceed. Thank you so much! – Davide Marchi Aug 24 '18 at 14:42
  • You're welcome. Updated answer based on the added fixes. – danblack Aug 26 '18 at 23:57
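
The two pitfalls hit in the comments above (a drop-in that does not end in `.conf`, and an `After=` naming a unit that is not present on the host) can be checked before rebooting. This shell sketch is an added example, not code from the answer or the commenters; the function names are hypothetical, and the unit and drop-in directories are passed as parameters so it can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; directories are parameters.

# pick_db_unit UNIT_DIR... : print mariadb.service or mysql.service,
# whichever exists as a unit file; return 1 if neither is found.
pick_db_unit() {
    for name in mariadb.service mysql.service; do
        for dir in "$@"; do
            if [ -e "$dir/$name" ]; then
                printf '%s\n' "$name"
                return 0
            fi
        done
    done
    return 1
}

# write_dropin DROPIN_DIR DB_UNIT : create the ordering drop-in.
# systemd only reads drop-in files whose name ends in .conf.
write_dropin() {
    mkdir -p "$1" || return 1
    printf '[Unit]\nAfter=%s\n' "$2" > "$1/database-dependency.conf"
}

# check_dropins DROPIN_DIR UNIT_DIR... : report files systemd will ignore
# and After= targets with no unit file; return non-zero on any finding.
check_dropins() {
    ddir=$1; shift; rc=0
    for f in "$ddir"/*; do
        [ -e "$f" ] || continue
        case $f in
            *.conf) ;;
            *) echo "ignored (not .conf): $f"; rc=1; continue ;;
        esac
        # After= may list several space-separated units
        for unit in $(sed -n 's/^After=//p' "$f"); do
            found=0
            for dir in "$@"; do
                if [ -e "$dir/$unit" ]; then found=1; fi
            done
            if [ "$found" = 0 ]; then
                echo "After= names missing unit: $unit ($f)"; rc=1
            fi
        done
    done
    return $rc
}
```

On a real host, pass the directories where the database unit actually lives, then run `systemctl daemon-reload` and inspect `systemctl show opendkim.service` as suggested in the comments.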