
I noticed that, while setting up opendkim, the options for the Socket are:

#SOCKET="local:/var/run/opendkim/opendkim.sock" # default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
#SOCKET="inet:12345@localhost" # listen on loopback on port 12345
#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345

What is the difference (if any) between the local:[...].sock socket and the inet:[...]@localhost socket? Do user permissions come into play for one or the other? Is there a security benefit from using one or the other? Are there any functional differences at all?

  • The local: socket is a file which resides on the filesystem and the inet@localhost socket is a network port. Yes. Yes. Probably. But to answer it in the form of an Answer is much more involved. If I'm not mistaken, there's not supposed to be any functional difference between the two, but over a decade ago, they each had a set of quirks due to the parts of the implementations that aren't shared, and it came down to which set of quirks you were more able to handle. That was a decade ago, and I'm out of date on those details now, as there have been many updates since then. – Ed Grimm Feb 04 '19 at 05:04
  • I don't doubt that the answer would be pretty complicated. I consider myself a proficient Googler and couldn't find anything on the subject! –  Feb 04 '19 at 20:51
  • 1
    I think what most people do is first try the localhost one and see if they can get that to work for them, as there is often at least some desire to be able to expose it to networking, so that you could, for example, have a common milter server that your email servers shared. Or possibly even have load balanced milter servers that your independently load balanced mail servers shared. If the quirks with the localhost socket prove too much, then try the unix socket file to see if it works better. – Ed Grimm Feb 05 '19 at 03:41

1 Answer


Opendkim uses "local:" to refer to a unix domain socket, "inet:" to refer to an inet domain (ipv4) socket and "inet6:" to refer to an inet6 domain (ipv6) socket.

Unix domain sockets are local to a single machine and listening unix domain sockets live in the file-system hierarchy. Access can be controlled through file permissions and the server application can check which user has connected (I do not know if opendkim uses this feature). There are also some special features available but I don't think they are relevant here.

inet domain sockets may be bound to either an individual ipv4 address or to the 0.0.0.0 wildcard for all ipv4 addresses assigned to the machine. If it's bound to localhost (127.0.0.1) then it can only be accessed by applications on the same machine, but you can't easily restrict it more than that.

inet6 domain sockets again can be bound to either an individual ipv6 address or bound to the wildcard "::" for all ipv6 addresses assigned to the machine. In some cases (depending on sysctl configuration and socket options used by the application) it is possible for an inet6 socket listening on all interfaces to also accept ipv4 connections.

Peter Green
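The answer's point about file permissions and peer identity, shown as an added example that is not part of the original question or answer and is not opendkim's own code. It assumes Linux (SO_PEERCRED) and stands in for the two listener styles with a throwaway unix socket path and an ephemeral loopback port: the "local:" listener can be chmod-restricted and can read the connecting user's uid, while the "inet:...@localhost" listener only ever sees an address.

```python
import os
import socket
import stat
import struct
import tempfile

# Constructed demo (Linux only): what a "local:" listener can enforce and learn
# that an "inet:...@localhost" listener cannot. Paths and ports are throwaway.

def _peer_uid(conn):
    """Return the connecting process's uid via SO_PEERCRED, or None if unknown."""
    try:
        raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    except (OSError, AttributeError):
        return None
    _pid, uid, _gid = struct.unpack("3i", raw)
    return None if uid == -1 else uid  # the kernel reports -1 for non-unix peers

def probe_unix_listener(mode=0o660):
    """Bind a unix socket, restrict it with chmod (cf. opendkim's UMask), connect, inspect peer."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "demo.sock")  # hypothetical path, not opendkim's default
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)  # connect() needs write permission on the path: others are refused
    srv.listen(1)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)  # allowed: we own the socket file
    conn, _ = srv.accept()
    info = {"mode": stat.S_IMODE(os.stat(path).st_mode),
            "peer_uid_is_me": _peer_uid(conn) == os.getuid()}
    for s in (conn, cli, srv):
        s.close()
    os.unlink(path)
    os.rmdir(tmpdir)
    return info

def probe_loopback_listener():
    """Bind 127.0.0.1 on a free port; any local user can connect, no uid is attached."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(srv.getsockname())
    conn, peer = srv.accept()
    info = {"peer_host": peer[0], "peer_uid": _peer_uid(conn)}  # no file mode to restrict
    for s in (conn, cli, srv):
        s.close()
    return info
```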