Good morning. I've read about 15 different guides on setup with DKIM and Sendmail signing on Ubuntu 18.04 and for some reason I cannot get the service to start, yet the command line works fine.

/etc/opendkim.conf

AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Mode                    sv
PidFile                 /var/mail/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
UserID                  opendkim:opendkim
Socket                  inet:8891@127.0.0.1

/etc/default/opendkim

# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
#DAEMON_OPTS=""
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
#SOCKET="local:/var/run/opendkim/opendkim.sock"
# listen on all interfaces on port 54321:
#SOCKET="inet:54321"
# listen on loopback on port 12345:
#SOCKET="inet:12345@localhost"
# listen on 192.0.2.1 on port 12345:
#SOCKET="inet:12345@192.0.2.1"
SOCKET="inet:8891@127.0.0.1" # listen on loopback on port 8891

Starting the service on the command line gives:

root@myserverhostname:/etc/opendkim# systemctl start opendkim.service

Job for opendkim.service failed because the control process exited with error code. See "systemctl status opendkim.service" and "journalctl -xe" for details.

troubleshooting

systemctl status opendkim.service

root@myserverhostname:/etc/opendkim# systemctl status opendkim.service
● opendkim.service - DomainKeys Identified Mail (DKIM) Milter
   Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2020-12-17 09:49:32 PST; 5s ago
     Docs: man:opendkim(8)
           man:opendkim.conf(5)
           man:opendkim-genkey(8)
           man:opendkim-genzone(8)
           man:opendkim-testadsp(8)
           man:opendkim-testkey
           http://www.opendkim.org/docs.html
  Process: 11446 ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p $SOCKET $DAEMON_OPTS (code=exited, status=64)
  Process: 11442 ExecStartPre=/bin/chown opendkim.opendkim /var/run/opendkim (code=exited, status=0/SUCCESS)
  Process: 11439 ExecStartPre=/bin/mkdir -p /var/run/opendkim (code=exited, status=0/SUCCESS)
 Main PID: 13909 (code=exited, status=0/SUCCESS)

Dec 17 09:49:32 myserverhostname.domain.com systemd[1]: Starting DomainKeys Identified Mail (DKIM) Milter...
Dec 17 09:49:32 myserverhostname.domain.com systemd[1]: opendkim.service: Control process exited, code=exited status=64
Dec 17 09:49:32 myserverhostname.domain.com systemd[1]: Failed to start DomainKeys Identified Mail (DKIM) Milter.
Dec 17 09:49:32 myserverhostname.domain.com systemd[1]: opendkim.service: Unit entered failed state.
Dec 17 09:49:32 myserverhostname.domain.com systemd[1]: opendkim.service: Failed with result 'exit-code'.

journalctl -xe

root@myserverhostname:/etc/opendkim# journalctl -xe
Dec 17 09:49:27 myserverhostname.domain.com opendkim[11403]: OpenDKIM Filter: mi_stop=1
Dec 17 09:49:27 myserverhostname.domain.com opendkim[11403]: OpenDKIM Filter v2.10.3 terminating with status 0, errno = 0
Dec 17 09:49:32 myserverhostname.domain.com systemd[1]: Starting DomainKeys Identified Mail (DKIM) Milter...
-- Subject: Unit opendkim.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit opendkim.service has begun starting up.
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]: opendkim: usage: opendkim -p socketfile [options]
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -A                  auto-restart
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -b modes            select operating modes
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -c canon            canonicalization to use when signing
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -d domlist          domains to sign
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -D                  also sign subdomains
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -e name             extract configuration value and exit
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -f                  don't fork-and-exit
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -F time             fixed timestamp to use when signing (test mode only)
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -k keyfile          location of secret key file
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -l                  log activity to system log
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -L limit            signature limit requirements
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -n                  check configuration and exit
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -o hdrlist          list of headers to omit from signing
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -P pidfile          file into which to write process ID
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -q                  quarantine messages that fail to verify
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -Q                  query test mode
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -r                  require basic RFC5322 header compliance
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -s selector         selector to use when signing
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -S signalg          signature algorithm to use when signing
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -t testfile         evaluate RFC5322 message in "testfile"
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -T timeout          DNS timeout (seconds)
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -u userid           change to specified userid
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -v                  increase verbosity during testing
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -V                  print version number and terminate
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -W                  "why?!" mode (log sign/verify decision logic)
Dec 17 09:49:32 myserverhostname.domain.com opendkim[11446]:         -x conffile         read configuration from conffile
Dec 17 09:49:32 myserverhostname.domain.com systemd[1]: opendkim.service: Control process exited, code=exited status=64
Dec 17 09:49:32 myserverhostname.domain.com systemd[1]: Failed to start DomainKeys Identified Mail (DKIM) Milter.
-- Subject: Unit opendkim.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit opendkim.service has failed.
--
-- The result is failed.
Dec 17 09:49:32 myserverhostname.domain.com systemd[1]: opendkim.service: Unit entered failed state.
Dec 17 09:49:32 myserverhostname.domain.com systemd[1]: opendkim.service: Failed with result 'exit-code'.

I can't see exactly what the issue is and why it doesn't start, but when I use the command as shown in the ExecStart lines (filling in the socket from the config file), it appears to be running twice in the ps list.

root@myserverhostname:/etc/opendkim# /usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p inet:8891@localhost
root@myserverhostname:/etc/opendkim# ps aux | grep opendkim
opendkim 11020  0.0  0.0 114932  3592 ?        Ss   09:31   0:00 /usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p inet:8891@localhost
opendkim 11021  0.0  0.1 354864  9348 ?        Sl   09:31   0:00 /usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p inet:8891@localhost
root     11285  0.0  0.0  12944   864 pts/1    S+   09:43   0:00 grep --color=auto opendkim

Netstat is showing correctly, and outgoing email is signed and verified using my Gmail address as a test.

root@myserverhostname:/var/run/opendkim# netstat -nlp | grep 8891
tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      11521/opendkim
root@myserverhostname:/var/run/opendkim#


Dec 17 10:04:34 myserverhostname opendkim[11521]: 0BHI4W1k011594: DKIM-Signature field added (s=default, d=myserverhostname.ca)
Dec 17 10:04:34 myserverhostname sm-mta[11594]: 0BHI4W1k011594: Milter insert (1): header: DKIM-Signature:  v=1; a=rsa-sha256; c=relaxed/simple; d=domain.ca;\n\ts=default; t=1608228274;\n\tbh=P8ERRrcY00MFB0/1JAF/I0afn2dfZMmgtMEeTAJNwbQ=;\n\th=From:To:Subject:Date;\n\tb=pe2VvSZZVJDrU5YWvvgV6VuzgkQd7tiypxHHhsUgBUampWu3sw1ezdSHi3wicwGps\n\t TyTxjl4hO1gxw3qXYGvTTqI0S6raI5P0UobSv+OstxgN6l00z5r4PtVfJUPsQUI6mO\n\t vpevQNA/sEPVDPYMV7BnsrGlsxZjPWB+knA/VEGA=



from:   ME <admin@myserverhostname.ca>
to: Dennis Lloyd <me@gmail.com>
date:   Dec 17, 2020, 9:33 AM
subject:    TEST dkim
mailed-by:  myserverhostname.ca
signed-by:  myserverhostname.ca
security:    Standard encryption (TLS) Learn more

I'm very confused. I've tried everything that I could find as a suggestion from many different questions asked around the internet (so I hope I didn't leave some lagging incorrect config somewhere). A firewall entry was added, and I've tried 127.0.0.1 and localhost for the socket as well.

I'm leaning towards a permissions issue, but the user opendkim has permissions to everything it's supposed to. Any suggestions would be most appreciated!

Dennis
  • I may be answering my own question. I did come across this: "Exit Code: 64, Symbolic Name: EX_USAGE, Description: Command line usage error". Perhaps the exec line is formatted incorrectly. I'll try some poking around there. – Dennis Dec 17 '20 at 19:18
  • Can you check /lib/systemd/system/opendkim.service - it seems opendkim doesn't like the parameters that are passed to it at startup. In most cases you should not need all parameters in the command line. My service is configured with ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf – Dobromir Velev Dec 17 '20 at 19:22
  • @DobromirVelev That worked! Everything is working as it should now, thank you so much. How do I mark your answer as right, or upvote here? – Dennis Dec 17 '20 at 20:36
  • I'll have to submit it as an answer, but without more information I really don't know what exactly was wrong - probably it was the commented $DAEMON_OPTS in /etc/default/opendkim. But if it works, leave it like that and have a nice day – Dobromir Velev Dec 18 '20 at 06:32
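
The ExecStart change suggested in the comments above, written as a systemd drop-in so the packaged unit in /lib/systemd/system is left untouched by the edit and survives package upgrades. This is an added example, not part of the original thread; the drop-in directory, the file name override.conf and the function names are assumptions.

```sh
#!/bin/sh
# Added example: override ExecStart for opendkim.service with a drop-in.
# The drop-in directory and the function names are assumptions.

write_opendkim_dropin() {
    dropin_dir="${1:-/etc/systemd/system/opendkim.service.d}"
    mkdir -p "$dropin_dir" || return 1
    # The empty "ExecStart=" clears the packaged command line first; a
    # service that is not Type=oneshot may carry only one ExecStart.
    cat > "$dropin_dir/override.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf
EOF
}

apply_opendkim_dropin() {
    # -n: "check configuration and exit" (from the usage text in the journal)
    /usr/sbin/opendkim -n -x /etc/opendkim.conf || return 1
    write_opendkim_dropin || return 1
    systemctl daemon-reload || return 1
    systemctl restart opendkim.service || return 1
    # Show the command line systemd now uses and the resulting unit state.
    systemctl show -p ExecStart opendkim.service
    systemctl --no-pager status opendkim.service
}

# Run as root with the argument "apply" to make the change.
if [ "${1:-}" = "apply" ]; then
    apply_opendkim_dropin
fi
```

With this ExecStart the socket and PID file come from the Socket and PidFile lines in /etc/opendkim.conf rather than from /etc/default/opendkim.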
