Problem with DKIM setup on Ubuntu 12.04 LTS

philmck's picture
Submitted by philmck on Sun, 12/08/2013 - 11:18

I had a tricky problem with email not being delivered to local users (forwarding was OK) after moving my sites from a server running Ubuntu 10.04 to one running Ubuntu 12.04. It looks like a Virtualmin problem so I thought I would report it here. (Virtualmin 4.04.gpl GPL)

Checking the mail log I found multiple warnings like this: mail postfix/smtpd[24346]: warning: connect to Milter service local:/var/spool/postfix/var/run/opendkim/opendkim.sock: No such file or directory

I tried disabling DKIM in Virtualmin/Email Messages/Domainkeys Identified Mail but that did NOT solve the problem - this also seems to be a bug but I didn't investigate further.

I commented out the four "milter" lines from /etc/postfix/main.cf and the problem went away, but DKIM wasn't working of course.

I also found from some googling around that milter_protocol should be set to 6 (not 2) in this version but that didn't make any apparent difference.

I checked that the DKIM service was running (it's opendkim in this version of Ubuntu) and the opendkim.sock file does actually exist with the right permissions and postfix is a member of the opendkim group.

After a bit more googling I discovered that postfix smtpd is chrooted by default, and disabling that fixed the problem. So I tried re-enabling the chroot and changing the socket path to local:/var/run/opendkim/opendkim.sock. That seems to work.

So to summarise, I think the settings that Virtualmin adds to /etc/postfix/master.cf should be

milter_default_action = accept milter_protocol = 6 smtpd_milters = local:/var/run/opendkim/opendkim.sock non_smtpd_milters = local:/var/run/opendkim/opendkim.sock

and these settings should be removed when DKIM is disabled.

Hope this helps.

Status: 
Active

Comments

Submitted by JamieCameron on Sun, 12/08/2013 - 12:46

It looks like the original issue was that postfix is looking in the chroot directory for the socket file, but opendkim is not. Normally we avoid this problem completely by using a TCP connection instead of a socket file, but it seems that OpenDKIM isn't configured that way on your system.

Can you post the contents of your /etc/default/opendkim file?

philmck's picture
Submitted by philmck on Sun, 12/08/2013 - 17:39

Sure it's just two lines:

DAEMON_OPTS="-b sv"

SOCKET=local:/var/spool/postfix/var/run/opendkim/opendkim.sock

It's possible the contents were originally different because I reinstalled things several times in an attempt to fix the problem.

In particular, I see that earlier in the mail log there are errors of the form: mail postfix/smtpd[16565]: warning: connect to Milter service inet:localhost:8891: Connection refused

which would tie in with your description of using a TCP connection. At the time I tried disabling all firewalls in case that was a cause.

I also spent some time chasing a red herring (I think) about opendkim needing to be the "backport" version.

Submitted by JamieCameron on Sun, 12/08/2013 - 22:56

Try this :

  1. Disable DKIM in Virtualmin
  2. In that opendkim file, change the SOCKET line to SOCKET=inet:8891@localhost
  3. Re-enable DKIM in Virtualmin

philmck's picture
Submitted by philmck on Sun, 12/15/2013 - 13:00

Tried that - looking good so far, no "milter" warnings in log and mail still getting through. I'll do some DKIM testing when I get a chance.

Thanks for the help.

philmck's picture
Submitted by philmck on Wed, 12/18/2013 - 19:49

DKIM is working. So this looks like a pretty good solution to the problem.