20

I am trying to set up opendkim on Debian stretch but I fail at changing the socket. I want to change the socket to /var/spool/postfix/opendkim/opendkim.sock so I can use it with postfix.

I have added Socket local:/var/spool/postfix/opendkim/opendkim.sock to /etc/opendkim.conf

and also tried adding SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock to /etc/default/opendkim (which I had to create).

No matter what I change or how often I restart opendkim, it always uses /var/run/opendkim/opendkim.sock as its socket.

➜  ~ netstat -a | fgrep LISTEN | grep open
unix  2      [ ACC ]     STREAM     LISTENING     5534128  /var/run/opendkim/opendkim.sock

➜  ~ sudo systemctl status opendkim.service

● opendkim.service - OpenDKIM DomainKeys Identified Mail (DKIM) Milter
   Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2017-04-30 12:41:54 CEST; 5min ago
     Docs: man:opendkim(8)
           man:opendkim.conf(5)
           man:opendkim-genkey(8)
           man:opendkim-genzone(8)
           man:opendkim-testadsp(8)
           man:opendkim-testkey
           http://www.opendkim.org/docs.html
  Process: 25246 ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock (code=exited, status=0/SUCCESS)
 Main PID: 25248 (opendkim)
    Tasks: 7 (limit: 4915)
   CGroup: /system.slice/opendkim.service
           ├─25248 /usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock
           └─25249 /usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock

Apr 30 12:41:54 vServer systemd[1]: Starting OpenDKIM DomainKeys Identified Mail (DKIM) Milter...
Apr 30 12:41:54 vServer systemd[1]: Started OpenDKIM DomainKeys Identified Mail (DKIM) Milter.
Apr 30 12:41:54 vServer opendkim[25249]: OpenDKIM Filter v2.11.0 starting (args: -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock)

What am I doing wrong? (I guess it's my mistake as I can't find anyone else with the same issue)

UPDATE:

Changing /etc/default/opendkim to SOCKET="inet:8891@localhost" and changing the postfix config to use this socket results in inet:localhost:8891: Connection refused

UPDATE2:

I have now replaced with the file bundled in the debian stretch package:

    # Command-line options specified here will override the contents of
    # /etc/opendkim.conf. See opendkim(8) for a complete list of options.
    #DAEMON_OPTS=""
    # Change to /var/spool/postfix/var/run/opendkim to use a Unix socket with
    # postfix in a chroot:
    RUNDIR=/var/spool/postfix/var/run/opendkim
    #RUNDIR=/var/run/opendkim
    #
    # Uncomment to specify an alternate socket
    # Note that setting this will override any Socket value in opendkim.conf
    # default:
    SOCKET=local:$RUNDIR/opendkim.sock
    # listen on all interfaces on port 54321:
    #SOCKET=inet:54321
    # listen on loopback on port 12345:
    #SOCKET=inet:12345@localhost
    # listen on 192.0.2.1 on port 12345:
    #SOCKET=inet:12345@192.0.2.1
    USER=opendkim
    GROUP=opendkim
    PIDFILE=$RUNDIR/$NAME.pid
    EXTRAAFTER=

The includes the following lines where the socket is decided:

    if [ -f /etc/opendkim.conf ]; then
        CONFIG_SOCKET=`awk '$1 == "Socket" { print $2 }' /etc/opendkim.conf`
    fi

    # This can be set via Socket option in config file, so it's not required
    if [ -n "$SOCKET" -a -z "$CONFIG_SOCKET" ]; then
        DAEMON_OPTS="-p $SOCKET $DAEMON_OPTS"
    fi
sanmai
lw1.at
  • "so I can use it with postfix" Are you sure that you need this in order to make it work with Postfix? – Miloš Đakonović Apr 30 '17 at 11:05
  • @Miloshio I thought so as postfix runs in a chroot. (According to [the tutorial I am following](https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8)) – lw1.at Apr 30 '17 at 11:07
  • @Miloshio postfix claims `connect to Milter service local:/var/run/opendkim/opendkim.sock: No such file or directory` even though it exists as it is chrooted to `/var/spool/postfix/` – lw1.at Apr 30 '17 at 11:10
  • It sounds like it is not chrooted. Please could you check again? Your paths should look like `/var/spool/postfix/var/run...` if it is – Miloš Đakonović Apr 30 '17 at 11:13
  • In any scenario, I would use `inet` instead of `local`. Maybe, if you are not debugging down service, try to implement: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy – Miloš Đakonović Apr 30 '17 at 11:15
  • I don't think that postfix is the issue. I have also tested `/opendkim/opendkim.sock`. But `/var/spool/postfix/opendkim/opendkim.sock` doesn't get created. And when I am using `SOCKET="inet:8891@localhost"` then it also doesn't work. – lw1.at Apr 30 '17 at 11:19

8 Answers

36

I finally found the solution.

The /etc/init.d/opendkim doesn't seem to do anything. Instead, the service file /lib/systemd/system/opendkim.service is used, which had the wrong socket hardcoded.

But the Debian package also seems to include a bash script that generates the correct systemd service.

So after running

/lib/opendkim/opendkim.service.generate
systemctl daemon-reload
service opendkim restart

and restarting opendkim the socket file appears in the expected place, which can be verified by calling:

tail /var/log/mail.log | grep OpenDKIM

Update: It seems there is a Debian bug report about this issue: #861169

Update 2021:

As this question is still read quite often, I want to make everyone aware of the recent NEWS entry:

[...]

We remind users that opendkim is best configured by editing /etc/opendkim.conf. The legacy defaults file at /etc/default/opendkim is still available, as is the script /lib/opendkim/opendkim.service.generate. However, these provide no additional value over the default configuration file /etc/opendkim.conf. Please take this opportunity to review your configuration setup.

Also beginning with Debian Bullseye the /etc/default/opendkim starts with:

# NOTE: This is a legacy configuration file. It is not used by the opendkim
# systemd service. Please use the corresponding configuration parameters in
# /etc/opendkim.conf instead.
#
# Previously, one would edit the default settings here, and then execute
# /lib/opendkim/opendkim.service.generate to generate systemd override files at
# /etc/systemd/system/opendkim.service.d/override.conf and
# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
# recommended to adjust the settings directly in /etc/opendkim.conf.
lw1.at
2

I don't have enough reputation to comment and wanted to acknowledge that after hours of searching for a solution to the OpenDKim-Postfix 'connection refused' error message, the /lib/systemd/system/opendkim.service edit provided by LocutusBE worked with Ubuntu 17.04:

warning: connect to Milter service inet:localhost:8891: Connection refused

edit /lib/systemd/system/opendkim.service

change:

ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock

to:

ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock -p inet:12301@localhost

systemctl daemon-reload

and

systemctl restart opendkim

Before attempting the edit I added the postfix user to the opendkim group and tried /lib/opendkim/opendkim.service.generate per Lukas Winkler's solution. The connection refused error persisted until the port number was added to /lib/systemd/system/opendkim.service.

To update /lib/systemd/system/opendkim.service, I used port 8891 for Ubuntu and commented out the original ExecStart line for testing purposes, then added a new line with port #:

/lib/systemd/system/opendkim.service (Service category):

    [Service]
    Type=forking
    PIDFile=/var/run/opendkim/opendkim.pid
    User=opendkim
    UMask=0007
    #ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock
    ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock -p inet:8891@localhost
    Restart=on-failure
    ExecReload=/bin/kill -USR1 $MAINPID

The matching port number was additionally specified in /etc/opendkim.conf:

Socket                  inet:8891@localhost

And /etc/postfix/main.cf:

smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

After restarting the systemctl daemon, opendkim, and postfix, outgoing mail was signed without issue and the mail log showed "DKIM-Signature field added".

systemctl daemon-reload
systemctl restart opendkim
systemctl restart postfix

There was no connection issue when configuring OpenDkim with Centos7 recently, so apparently in this instance it was Ubuntu-related. Thanks to Lukas Winkler for posting the question and those who shared their solutions.

glts
1keown
1

I was stuck in that for hours until understanding what happens, using that conf:

> nocomment.sh /etc/default/opendkim 
RUNDIR=/var/spool/postfix/var/run/opendkim
SOCKET=local:$RUNDIR/$NAME.sock"
USER=opendkim
GROUP=opendkim
PIDFILE=$RUNDIR/$NAME.pid
EXTRAAFTER=

The problem is that the logs don't show you that opendkim can't access the sockets due to simple file access rights.

To correct that:

  1. Add opendkim to postfix group (and not the contrary as I read somewhere)

  2. chown postfix:root -R /var/spool/postfix/var/

  3. Verify that:

    $ ll /var/spool/postfix/var/run/opendkim/
    total 4
    -rw-rw---- 1 postfix root 6 avril 13 11:50 opendkim.pid
    srwxrwxr-x 1 postfix root 0 avril 13 11:50 opendkim.sock
    

I wrote a little reminder about OPENDKIM on DEBIAN BUSTER. Hope that may help.

Andrew Schulman
kmchen
1

In order to use inet socket you need to specify:

SOCKET="inet:12301@localhost" to /etc/default/opendkim

also, you need to change settings in Postfix consequently:

in /etc/postfix/main.cf add:

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

if you cannot set local to desired path, I would suggest you to:

  • grab a log from mail, syslog or opendkim in /var/log and check

  • check /etc/init.d/opendkim script and inspect if sock file is hard-set to a value

  • try to go with default local:/var/run/opendkim/opendkim.sock - and specify smtpd_milters = local:/var/run/opendkim/opendkim.sock and non_smtpd_milters = local:/var/run/opendkim/opendkim.sock in /etc/postfix/main.cf

Miloš Đakonović
  • I have now changed the config to be exactly like yours (same port) but I still get `warning: connect to Milter service inet:localhost:12301: Connection refused` – lw1.at Apr 30 '17 at 11:29
  • did you try to restart both services after editing? – Miloš Đakonović Apr 30 '17 at 11:32
  • I did and now I also rebooted. When looking at mail.log I always see the following line `OpenDKIM Filter v2.11.0 starting (args: -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock)` – lw1.at Apr 30 '17 at 11:38
  • You see that line even with `SOCKET="inet:12301@localhost` set to opendkim conf file? – Miloš Đakonović Apr 30 '17 at 11:43
  • thanks for the ideas. I found the solution (there's something odd with the debian package) – lw1.at Apr 30 '17 at 12:10
  • opendkim ignores /etc/default/opendkim socket setting - for now we have to change /etc/opendkim.conf – SledgehammerPL Mar 17 '19 at 09:06
1

This worked for me:

edit /lib/systemd/system/opendkim.service

change:

ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock

to:

ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock -p inet:12301@localhost

systemctl daemon-reload

and

systemctl restart opendkim
peterh
LocutusBE
0

OpenDKIM worked until I upgraded my server. OpenDKIM wouldn't start and there was no socket running for the Milter to connect to. In /var/log/syslog I could see that opendkim failed trying to create a socket in a different place than before the upgrade. I tried to edit the socket settings in /etc/opendkim.conf, /etc/default/opendkim and /lib/systemd/system/opendkim.service but it didn't help. Turns out that the info was in front of me the whole time:

opendkim.service - OpenDKIM DomainKeys Identified Mail (DKIM) Milter 
Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)   
Drop-In: /etc/systemd/system/opendkim.service.d
           └─override.conf    
Active: active (running) since Sat 2017-10-14 16:03:45 CEST; 4h 44min ago

I noticed the settings were overwritten by the "override.conf" file and edited it so it was aligned with my /etc/postfix/main.cf (runs as chroot):

smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = local:/opendkim/opendkim.sock

Edit /etc/systemd/system/opendkim.service.d/override.conf

[Service]
PIDFile=/var/spool/postfix/opendkim/opendkim.pid
ExecStart=
ExecStart=/usr/sbin/opendkim -P /var/spool/postfix/opendkim/opendkim.pid -p local:/var/spool/postfix/opendkim/opendkim.sock

And finally restarting the daemon and opendkim:

systemctl daemon-reload && systemctl restart opendkim
lallepot
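How the pieces in the answers above fit together, as an added example that is not part of any answer: a `-p` argument in the unit's ExecStart takes precedence over `Socket` in /etc/opendkim.conf, a chrooted Postfix needs the socket path relative to /var/spool/postfix, and an `inet:PORT` socket without `@host` listens on all interfaces. The function names are hypothetical, the inputs are constructed, and the script assumes the last `-p` on the command line wins.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample inputs are constructed.

# effective_socket EXECSTART CONF_TEXT
# Assumption: the last -p on the command line wins and, when present,
# overrides the Socket line in opendkim.conf.
effective_socket() {
    sock=$(printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-p") s = $(i + 1) } END { print s }')
    if [ -z "$sock" ]; then
        sock=$(printf '%s\n' "$2" | awk '$1 == "Socket" { s = $2 } END { print s }')
    fi
    printf '%s\n' "$sock"
}

# postfix_milter SOCKET [CHROOT]
# Prints the smtpd_milters value matching an opendkim socket spec. With CHROOT
# set, a Unix socket outside that directory is unreachable: return 1.
postfix_milter() {
    jail=${2:-}
    case $1 in
        inet:*@*)
            rest=${1#inet:}
            printf 'inet:%s:%s\n' "${rest#*@}" "${rest%%@*}" ;;
        inet:*)
            printf 'inet:localhost:%s\n' "${1#inet:}" ;;
        local:*)
            path=${1#local:}
            if [ -z "$jail" ]; then
                printf 'local:%s\n' "$path"
            else
                case $path in
                    "$jail"/*) printf 'local:%s\n' "${path#"$jail"}" ;;
                    *) return 1 ;;
                esac
            fi ;;
        *) return 2 ;;
    esac
}

# socket_exposure SOCKET: who can reach the milter socket.
socket_exposure() {
    case $1 in
        local:*) echo unix ;;
        inet:*@localhost | inet:*@127.0.0.1) echo loopback ;;
        inet:*@*) echo single-interface ;;
        inet:*) echo all-interfaces ;;
        *) echo unknown ;;
    esac
}

# Constructed inputs modelled on the status output and config quoted above.
EXEC='/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock'
CONF='Socket local:/var/spool/postfix/opendkim/opendkim.sock'
s=$(effective_socket "$EXEC" "$CONF")
echo "effective socket: $s ($(socket_exposure "$s"))"
postfix_milter "$s" /var/spool/postfix ||
    echo "not reachable from the /var/spool/postfix chroot"
```

On a live host, feed it the last `ExecStart=` line printed by `systemctl cat opendkim`, which also lists drop-ins such as override.conf.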
0

I just renamed /etc/systemd/system/opendkim.service.d/override.conf to /etc/systemd/system/opendkim.service.d/override.conf.old so that it won't override ExecStart parameters.

Everything is working fine picking config from /etc/opendkim.conf

0

My opendkim service didn't wake up on port 8100 after installation and previous solutions didn't help. So I tried

/lib/opendkim/opendkim.service.generate

which said

-bash: /lib/opendkim/opendkim.service.generate: No such file or directory

so I looked at service file

cat /lib/systemd/system/opendkim.service
# If you are using OpenDKIM with SQL datasets it might be necessary to start OpenDKIM after the database servers.
# For example, if using both MariaDB and PostgreSQL, change "After=" in the "[Unit]" section to:
# After=network.target nss-lookup.target syslog.target mariadb.service postgresql.service

[Unit]
Description=DomainKeys Identified Mail (DKIM) Milter
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target

[Service]
Type=forking
EnvironmentFile=-/etc/default/opendkim
PIDFile=/var/run/opendkim/opendkim.pid
PermissionsStartOnly=true
User=opendkim
Group=opendkim
ExecStartPre=-/bin/mkdir -p /var/run/opendkim
ExecStartPre=-/bin/chown opendkim.opendkim /var/run/opendkim
ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p $SOCKET $DAEMON_OPTS
TimeoutStartSec=10
ExecReload=/bin/kill -USR1 $MAINPID

and found strange paths

EnvironmentFile=-/etc/default/opendkim
ExecStartPre=-/bin/mkdir -p /var/run/opendkim
ExecStartPre=-/bin/chown opendkim.opendkim /var/run/opendkim

and command

 /usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p $SOCKET $DAEMON_OPTS

said

/usr/sbin/opendkim: option requires an argument -- 'p'

(look at the 2nd line of the previous quote), so I went to

sudo nano /lib/systemd/system/opendkim.service

and deleted " - " 3 times. Then

sudo systemctl daemon-reload
sudo service opendkim restart
sudo netstat -tulpn

That helped me :-)