12

I am getting denied errors when postfix tries to connect to the unix socket for opendkim, actual error:

Sep 24 15:41:43 service-a-4 postfix/cleanup[17414]: warning: connect to Milter service unix:var/run/opendkim/opendkim.sock: Permission denied

According to postfix docs, postfix is run in "chroot mode" by default, so postfix is locked down to /var/spool/postfix/, and according to the postfix docs, if running in "chroot mode", all milter (socket) references are relative (to /var/spool/postfix).

So my configs look like:

# /etc/opendkim.conf
Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock

# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock

Now when I try to send a test email I get the permission denied error, so I tried a few permission tests:

# Correctly lists the socket file
sudo su -s /bin/bash postfix -c "ls /var/spool/postfix/var/run/opendkim/opendkim.sock"

But when I try to connect as postfix, nothing happens:

# Does not work
sudo su -s /bin/bash postfix -c "nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock"

# Does work (as root)
nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock

SELinux is temporarily disabled (permissive) whilst debugging this sitch. And I am restarting both processes (opendkim and postfix) after every config change.

What else am I missing?

Versions:

CentOS 6.5
Postfix v2.6.6
Opendkim v2.9
Mike Purcell

4 Answers

8

For postfix and opendkim to communicate via unix sockets, opendkim must be able to create the socket, and postfix must be able to read the socket.

In Debian, postfix runs as chroot /var/spool/postfix, so one possible setup is:

/etc/opendkim.conf:
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock

/etc/postfix/main.cf:
smtpd_milters = unix:opendkim/opendkim.sock

/var/spool/postfix/opendkim must exist and should be owned by opendkim:

drwxr-xr-x 2 opendkim opendkim 4096 Jul 27 15:22 opendkim/

This should enable opendkim to create the socket and postfix to access the directory, but postfix still cannot read the socket:

srwxrwx--- 1 opendkim opendkim 0 Jul 27 15:22 opendkim.sock=

You can either put the socket in the postfix group:

/etc/opendkim.conf:
UserID                  opendkim:postfix

srwxrwx--- 1 opendkim postfix 0 Jul 27 15:43 opendkim.sock=

or put postfix in the opendkim group:

$ usermod -a -G opendkim postfix

Either should give postfix the correct permissions. Now postfix should be able to sign messages. Different distros may work slightly differently, but that should give you a start.

Theoretically, you could also change the opendkim umask to 002, but that would make the socket world readable, which is probably a security issue, so I would recommend against that.

8

Tested on my CentOS 6: postfix seems not really "chrooted".
My setting:

# /etc/opendkim.conf
Socket local:/var/run/opendkim/opendkim.sock

# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock

This will produce: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied.
However, the socket umask is 002, resulting in srwxrwxr-x opendkim:opendkim opendkim.sock.

Changing the umask to 000 solves the problem. Still, it's better to have opendkim switch user:group than just open to the world.

Environment:

centos 6.5 2.6.32-573.7.1.el6.x86_64
postfix 2.6.6-6.el6_5 @updates
opendkim 2.10.3-1.el6 @epel
atitan
3

For those that find this and whose issue is not resolved with the above answers: my issue was group execute permissions missing on the opendkim socket folder /var/run/opendkim/

I added a cron @reboot entry to ensure group permissions were set:

@reboot root chmod g+x /var/run/opendkim/

This fixes/patches the following warning so it does not return after a reboot.

warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied

A TCP connection was not a good solution for me as I sign 100k+ emails per hour.

Jacob Evans
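Added example (not from any of the posts above): the script below models the kernel's permission check along the path to a Unix-domain socket, which is what produces the "Permission denied" described in the first three answers. Every directory on the path needs search (x) permission for the connecting user, and on Linux connect(2) requires write permission on the socket inode itself (see unix(7)). The function names, the `Entry`/`User` types, and the stat-like entries are constructed for the example; the modes and owners mirror the `ls -l` output quoted in the answers (socket 770 with owners opendkim:opendkim or opendkim:postfix, socket 775 from umask 002, 777 from umask 000, directory without g+x).

```python
"""Model the permission checks a non-root user passes (or fails) when
connecting to a Unix-domain socket, using constructed stat-like data."""
import stat
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Entry:
    """Constructed stand-in for os.stat() on one path component (hypothetical type)."""
    path: str
    mode: int      # full st_mode, e.g. stat.S_IFDIR | 0o755
    owner: str
    group: str


@dataclass(frozen=True)
class User:
    """Connecting user: name plus primary and supplementary group names."""
    name: str
    groups: FrozenSet[str]


def _bits(entry: Entry, user: User) -> int:
    """Pick the rwx triple (0-7) that applies to user, in the kernel's
    owner -> group -> other order (a user matching owner never falls
    through to the group bits, even if they are also in the group)."""
    if user.name == entry.owner:
        return (entry.mode >> 6) & 7
    if entry.group in user.groups:
        return (entry.mode >> 3) & 7
    return entry.mode & 7


def check_connect(entries: List[Entry], user: User) -> Tuple[bool, str]:
    """Simulate connect(2) for a non-root user. Directories need search (x);
    the socket needs write (w). Returns (ok, reason) naming the first
    component that blocks access."""
    *dirs, sock = entries
    for d in dirs:
        if not stat.S_ISDIR(d.mode):
            return False, f"{d.path}: not a directory"
        if not _bits(d, user) & 1:
            return False, f"{d.path}: no search (x) permission for {user.name}"
    if not stat.S_ISSOCK(sock.mode):
        return False, f"{sock.path}: not a socket"
    if not _bits(sock, user) & 2:
        return False, f"{sock.path}: no write permission for {user.name}"
    return True, "ok"


def world_writable(mode: int) -> bool:
    """True when any local user could connect (the umask 000 case)."""
    return bool(mode & stat.S_IWOTH)


# Constructed layout following the first answer's Debian-style placement.
SOCK_DIR = "/var/spool/postfix/opendkim"
SOCK = SOCK_DIR + "/opendkim.sock"
POSTFIX = User("postfix", frozenset({"postfix"}))
POSTFIX_IN_OPENDKIM = User("postfix", frozenset({"postfix", "opendkim"}))


def scenario(dir_mode: int, dir_group: str, sock_mode: int, sock_group: str,
             user: User = POSTFIX) -> Tuple[bool, str]:
    """Build the constructed path with the given socket-dir and socket
    permissions and ask whether `user` could connect."""
    entries = [
        Entry("/var", stat.S_IFDIR | 0o755, "root", "root"),
        Entry("/var/spool", stat.S_IFDIR | 0o755, "root", "root"),
        Entry("/var/spool/postfix", stat.S_IFDIR | 0o755, "root", "root"),
        Entry(SOCK_DIR, stat.S_IFDIR | dir_mode, "opendkim", dir_group),
        Entry(SOCK, stat.S_IFSOCK | sock_mode, "opendkim", sock_group),
    ]
    return check_connect(entries, user)


if __name__ == "__main__":
    cases = {
        "default 770 opendkim:opendkim": scenario(0o755, "opendkim", 0o770, "opendkim"),
        "UserID opendkim:postfix":       scenario(0o755, "opendkim", 0o770, "postfix"),
        "postfix in opendkim group":     scenario(0o755, "opendkim", 0o770, "opendkim", POSTFIX_IN_OPENDKIM),
        "umask 002 (775)":               scenario(0o755, "opendkim", 0o775, "opendkim"),
        "umask 000 (777)":               scenario(0o755, "opendkim", 0o777, "opendkim"),
        "dir without g+x":               scenario(0o740, "opendkim", 0o770, "opendkim", POSTFIX_IN_OPENDKIM),
    }
    for name, (ok, why) in cases.items():
        print(f"{name:32} {'OK ' if ok else 'DENIED'} {why}")
```

The two fixes the first answer offers (chgrp the socket to postfix via `UserID opendkim:postfix`, or add postfix to the opendkim group) both flip the group triple that applies to postfix; the umask 002 result from the second answer fails because "others" get r-x but not w; umask 000 passes the check but `world_writable()` flags it, which is the reason both answers prefer the group-based fix.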
2

IIRC, postfix in centos 6 does not run chrooted in its standard config. When I configured opendkim from epel it came with this config:

Socket                  inet:8891@localhost

so enabling it in postfix was just a matter of adding this to main.cf:

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

and restarting both opendkim and postfix after properly configuring the keys, TrustedHosts, SigningTable, KeyTable and publishing the TXT records to DNS.

Oh, and I forgot: postfix should be a member of the opendkim group as well.

natxo asenjo