postfix: connect to Milter service inet:127.0.0.1:8891: Connection refused

Question

I noticed that there is a error with milter if I type service postfix status :

Jul 01 17:39:01 mail postfix/cleanup[13921]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused

but what does that mean and how do I fix that? It is related to DKIM? Because I tried to set it up and it's still not working. which files do you need to help? Here is my opendkim.conf:

## CONFIGURATION OPTIONS
Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid
Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
Mode    sv
Log activity to the system log.
Syslog  yes
Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes
If logging is enabled, include detailed logging about why or why not a message was
signed or verified. This causes a large increase in the amount of log data generated
for each message, so it should be limited to debugging use only.
#LogWhy yes
Attempt to become the specified user before starting operations.
UserID  opendkim:opendkim
Create a socket through which your MTA can communicate.
Socket  inet:8891@127.0.0.1
Required to use local socket with MTAs that access the socket as a non-
privileged user (e.g. Postfix)
Umask   002
This specifies a file in which to store DKIM transaction statistics.
#Statistics              /var/spool/opendkim/stats.dat
SIGNING OPTIONS
Selects the canonicalization method(s) to be used when signing messages.
Canonicalization        relaxed/simple
Domain(s) whose mail should be signed by this filter. Mail from other domains will
be verified rather than being signed. Uncomment and use your domain name.
This parameter is not required if a SigningTable is in use.
Domain                  DOMAIN.de
Defines the name of the selector to be used when signing messages.
Selector                default
Gives the location of a private key to be used for signing ALL messages.
#ORIG (AUSGEKLAMMERT): KeyFile                 /etc/opendkim/keys/default.private
KeyFile                 /etc/opendkim/keys/default.private
Gives the location of a file mapping key names to signing keys. In simple terms,
this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
setting in the configuration file.
KeyTable                 refile:/etc/opendkim/KeyTable
Defines a table used to select one or more signatures to apply to a message based
on the address found in the From: header field. In simple terms, this tells
OpenDKIM how to use your keys.
SigningTable                 refile:/etc/opendkim/SigningTable
Identifies a set of "external" hosts that may send mail through the server as one
of the signing domains without credentials as such.
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
Identifies a set internal hosts whose mail should be signed rather than verified.
InternalHosts           refile:/etc/opendkim/TrustedHosts

score 8 · Answer 1 · answered Jan 31 '19 at 21:51

As Esa answered, it is related to OpenDKIM.

However, through looking at the Service file (Ubuntu 16.04, using systemctl) I noticed that the service uses a file located in /etc/default/opendkim

# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
#DAEMON_OPTS=""
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
SOCKET="local:/var/run/opendkim/opendkim.sock"
# listen on all interfaces on port 54321:
#SOCKET="inet:54321"
# listen on loopback on port 12345:
#SOCKET="inet:12345@localhost"
# listen on 192.0.2.1 on port 12345:
#SOCKET="inet:12345@192.0.2.1"

Note line 6, which states that settings here will override any Socket value in opendkim.conf

I tried simply commenting out all the lines in here to revert it back to the config, but it didn't seem to work for me.

To fix this, modify the file to set the SOCKET environment variable to what you need.

# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
#DAEMON_OPTS=""
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
#SOCKET="local:/var/run/opendkim/opendkim.sock"
# listen on all interfaces on port 54321:
#SOCKET="inet:54321"
# listen on loopback on port 12345:
SOCKET="inet:8891@localhost"
# listen on 192.0.2.1 on port 12345:
#SOCKET="inet:12345@192.0.2.1"

Finally, restart opendkim with sudo service opendkim restart

TLDR: sudo nano /etc/default/opendkim, edit the SOCKET setting, then restart opendkim.

score 7 · Answer 2 · answered Jul 01 '17 at 18:19

OpenDKIM is a different service. See whether it's running or not. You could try

sudo service opendkim restart

and see if that results in an error.

Given that you have Socket inet:8891@127.0.0.1 and Postfix is trying to connect to port 8891, the configuration seems ok. You could use netstat -l or lsof -i to check that OpenDKIM is actually listening on port 8891.

score 3 · Answer 3 · answered Sep 15 '20 at 14:48

In my situation, for two distinct Ubuntu and Debian servers, the problem was a broken systemd service file for opendkim. The config files were absolutely ok but the service file was probably generated by an old version. To regenerate the service file and reslove the problem, just run this command:

sudo /lib/opendkim/opendkim.service.generate

Then reload

sudo systemctl daemon-reload
sudo service opendkim restart

See here: https://serverfault.com/a/847442/84962

score 1 · Answer 4 · answered Jul 29 '19 at 07:48

1

The only solution that worked for me with Ubuntu 16.04....

Set the corecrect SOCKET value in /etc/default/opendkim.
Remove the SOCKET entry in /etc/opendkim.conf

Then, of course, sudo systemctl restart opendkim

answered Jul 29 '19 at 07:48

BurninLeo

940
3
12
31

postfix: connect to Milter service inet:127.0.0.1:8891: Connection refused

Specifies the path to the process ID file.

Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.

Log activity to the system log.

Log additional entries indicating successful signing or verification of messages.

If logging is enabled, include detailed logging about why or why not a message was

signed or verified. This causes a large increase in the amount of log data generated

for each message, so it should be limited to debugging use only.

Attempt to become the specified user before starting operations.

Create a socket through which your MTA can communicate.

Required to use local socket with MTAs that access the socket as a non-

privileged user (e.g. Postfix)

This specifies a file in which to store DKIM transaction statistics.

SIGNING OPTIONS

Selects the canonicalization method(s) to be used when signing messages.

Domain(s) whose mail should be signed by this filter. Mail from other domains will

be verified rather than being signed. Uncomment and use your domain name.

This parameter is not required if a SigningTable is in use.

Domain DOMAIN.de

Defines the name of the selector to be used when signing messages.

Gives the location of a private key to be used for signing ALL messages.

Gives the location of a file mapping key names to signing keys. In simple terms,

this tells OpenDKIM where to find your keys. If present, overrides any KeyFile

setting in the configuration file.

Defines a table used to select one or more signatures to apply to a message based

on the address found in the From: header field. In simple terms, this tells

OpenDKIM how to use your keys.

Identifies a set of "external" hosts that may send mail through the server as one

of the signing domains without credentials as such.

Identifies a set internal hosts whose mail should be signed rather than verified.

4 Answers4