
After moving our server over to Postfix, I have decided to implement DKIM using OpenDKIM. I have been successfully able to install and run this, but while it is enabled as a milter, all mail forwarding on the server becomes broken.

For example, if I create a mailbox under james@example.com and set it to forward to another address (external and internal are affected equally), the original sender received a message similar to the one below:

This is the mail system at host server.example.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

    The mail system

<accounttobeforwardedto@example.com>: Command rejected

Final-Recipient: rfc822; accounttobeforwardedto@example.com
Action: failed
Status: 5.7.1
Diagnostic-Code: X-Postfix; Command rejected

Does anyone have any suggestions or experience? I am fairly familiar with qMail but have not got a huge amount of experience with Postfix and as this is a production server I would prefer not to break things without advice.

The issue is resolved when the following lines are commented out of /etc/postfix.main.cf

### custom ###
# OpenDKIM
#milter_default_action = accept
#milter_protocol = 6
#smtpd_milters = , inet:127.0.0.1:8891, inet:127.0.0.1:12768
#non_smtpd_milters = , inet:127.0.0.1:8891, inet:127.0.0.1:12768

Here are the corresponding maillog errors (these appear when the /etc/postfix.main.cf code as above is uncommented):

Sep  8 10:09:09 server postfix/cleanup[24811]: BD99260811C5: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<originalsender@gmail.com> to=<forwardaddress@gmail.com>
Sep  8 10:09:09 server postfix/cleanup[24811]: BD99260811C5: to=<forwardaddress@gmail.com>, relay=none, delay=0.22, delays=0.22/0/0/0, dsn=5.7.1, status=bounced (Command rejected)

Here are the services that listen on ports 8891 and 12768, respectively:

[root@server ~]# netstat -anp|grep :8891
tcp     0   0 127.0.0.1:8891     0.0.0.0:*   EN      25137/opendkim
[root@server ~]# netstat -anp|grep :12768
tcp     0   0 127.0.0.1:12768    0.0.0.0:*   EN      33037/psa-pc-remote

The full configuration file opendkim.conf can be found here. The code below is a trimmed version of it.

$ egrep -v '^#' opendkim.conf | egrep -v '$^'
PidFile /var/run/opendkim/opendkim.pid
Mode    sv
SendReports yes
SoftwareHeader  yes
Canonicalization    relaxed/relaxed
Selector    default
MinimumKeyBits  1024
KeyFile /etc/opendkim/keys/default.private
Syslog yes
SyslogSuccess yes
LogWhy yes
UMask 002
OversignHeaders From
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
SignatureAlgorithm rsa-sha256
AutoRestart Yes
UserID opendkim:opendkim
Socket inet:8891@localhost
masegaloeh
Joe
  • Can you post the corresponding `maillog` entry when the rejection happened? – masegaloeh Sep 07 '15 at 21:33
  • From the above bounce, how did you even conclude it is a `DKIM` issue? – clement Sep 08 '15 at 06:35
  • @clement I concluded that the issue is with regards to DKIM as the issue goes away when the lines in '/etc/postfix.main.cf' are commented out, meaning that Postfix is not using OpenDKIM as a milter. Was I wrong to assume this? Thanks – Joe Sep 08 '15 at 08:19
  • Can you post your opendkim configuration? What is running on ports 8891 and 12768? – eltrai Sep 08 '15 at 14:49
  • @eltrai Here is what's been running on the respective ports: http://codeshare.io/JLtqR – Joe Sep 09 '15 at 12:23
  • @eltrai Here is the opendkim.conf: http://codeshare.io/O2M3D – Joe Sep 09 '15 at 12:29

1 Answer

From what I see, it appears your mails are rejected due to one of your milters failing to process postfix's commands. This is not a problem with postfix, but one of your milters not behaving properly.

In your conf, two milters are defined:

  • One on port 8891, which is opendkim
  • One on port 12768, which is psa-pc-remote

Note that the two milters are cumulative, and that we don't actually know which one is causing the failure. However, it seems likely to me that it's the latter one, as you don't seem to be the first to experience problems with it. See this question for instance.

Unless you need psa-pc-remote for some reason, you can consider disabling this milter and only keeping opendkim. Otherwise, the solution is outside my area of expertise, and all I can advise you is to add a plesk tag to your question and to try to contact plesk's support.

eltrai
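One way to find out which of the two milters is rejecting, as an added example (not code from the question or the answer): it reads the two milter lists from the question's main.cf lines, builds a `postconf -e` plan that enables one milter at a time, and extracts the `milter-reject` records from the maillog so each test run can be checked. The function names are this example's own, and the main.cf sample is the question's lines with the comment markers removed.

```python
import re

# Sample input: the question's main.cf lines with the leading '#' removed.
MAIN_CF = """\
milter_default_action = accept
milter_protocol = 6
smtpd_milters = , inet:127.0.0.1:8891, inet:127.0.0.1:12768
non_smtpd_milters = , inet:127.0.0.1:8891, inet:127.0.0.1:12768
"""
# Sample input: the two maillog lines quoted in the question.
MAILLOG = """\
Sep  8 10:09:09 server postfix/cleanup[24811]: BD99260811C5: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Command rejected; from=<originalsender@gmail.com> to=<forwardaddress@gmail.com>
Sep  8 10:09:09 server postfix/cleanup[24811]: BD99260811C5: to=<forwardaddress@gmail.com>, relay=none, delay=0.22, delays=0.22/0/0/0, dsn=5.7.1, status=bounced (Command rejected)
"""
REJECT_RE = re.compile(
    r"postfix/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): milter-reject: "
    r"(?P<stage>[A-Z-]+) from (?P<client>\S+): (?P<dsn>\d\.\d+\.\d+) "
    r"(?P<text>[^;]*); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")

def milter_lists(main_cf):
    """Return {parameter: [endpoints]} for the two milter list parameters."""
    lists = {}
    for line in main_cf.splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name in ("smtpd_milters", "non_smtpd_milters"):
            # Items are separated by commas and/or whitespace, so the
            # leading comma in the question's value yields no entry.
            lists[name] = [e for e in re.split(r"[,\s]+", value) if e]
    return lists

def isolation_plan(lists):
    """Per milter endpoint, the commands that leave only that milter enabled."""
    endpoints = dict.fromkeys(e for eps in lists.values() for e in eps)
    return {ep: [f"postconf -e '{name} = {ep}'" for name in lists]
            for ep in endpoints}

def milter_rejects(log):
    """Parsed milter-reject records; other log lines are ignored."""
    return [m.groupdict() for m in map(REJECT_RE.search, log.splitlines()) if m]

if __name__ == "__main__":
    for ep, cmds in isolation_plan(milter_lists(MAIN_CF)).items():
        print(f"# forward a test message with only {ep}:")
        print(*cmds, "postfix reload", sep="\n")
    for r in milter_rejects(MAILLOG):
        print(r["qid"], r["stage"], r["dsn"], r["rcpt"])
```

After each step of the plan, send one message to a forwarding mailbox and rerun `milter_rejects` on the new maillog lines; the endpoint whose run still produces a `milter-reject` record is the one rejecting.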