Problem with DKIM setup on Ubuntu 12.04 LTS

I had a tricky problem with email not being delivered to local users (forwarding was OK) after moving my sites from a server running Ubuntu 10.04 to one running Ubuntu 12.04. It looks like a Virtualmin problem so I thought I would report it here. (Virtualmin 4.04.gpl GPL)

Checking the mail log I found multiple warnings like this:

mail postfix/smtpd[24346]: warning: connect to Milter service local:/var/spool/postfix/var/run/opendkim/opendkim.sock: No such file or directory

I tried disabling DKIM in Virtualmin/Email Messages/Domainkeys Identified Mail but that did NOT solve the problem - this also seems to be a bug but I didn't investigate further.

I commented out the four "milter" lines from /etc/postfix/ and the problem went away, but DKIM wasn't working of course.

I also found from some googling around that milter_protocol should be set to 6 (not 2) in this version but that didn't make any apparent difference.

I checked that the DKIM service was running (it's opendkim in this version of Ubuntu) and the opendkim.sock file does actually exist with the right permissions and postfix is a member of the opendkim group.

After a bit more googling I discovered that postfix smtpd is chrooted by default, and disabling that fixed the problem. So I tried re-enabling the chroot and changing the socket path to local:/var/run/opendkim/opendkim.sock. That seems to work.

So to summarise, I think the settings that Virtualmin adds to /etc/postfix/ should be

milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/var/run/opendkim/opendkim.sock
non_smtpd_milters = local:/var/run/opendkim/opendkim.sock

and these settings should be removed when DKIM is disabled.

Hope this helps.



It looks like the original issue was that postfix is looking in the chroot directory for the socket file, but opendkim is not. Normally we avoid this problem completely by using a TCP connection instead of a socket file, but it seems that OpenDKIM isn't configured that way on your system.

Can you post the contents of your /etc/default/opendkim file?

Submitted by philmck on Sun, 12/08/2013 - 17:39

Sure, it's just two lines:



It's possible the contents were originally different because I reinstalled things several times in an attempt to fix the problem.

In particular, I see that earlier in the mail log there are errors of the form:

mail postfix/smtpd[16565]: warning: connect to Milter service inet:localhost:8891: Connection refused

which would tie in with your description of using a TCP connection. At the time I tried disabling all firewalls in case that was a cause.

I also spent some time chasing a red herring (I think) about opendkim needing to be the "backport" version.

Try this:

  1. Disable DKIM in Virtualmin
  2. In that opendkim file, change the SOCKET line to SOCKET=inet:8891@localhost
  3. Re-enable DKIM in Virtualmin
Submitted by philmck on Sun, 12/15/2013 - 13:00

Tried that - looking good so far, no "milter" warnings in log and mail still getting through. I'll do some DKIM testing when I get a chance.

Thanks for the help.

Submitted by philmck on Wed, 12/18/2013 - 19:49

DKIM is working. So this looks like a pretty good solution to the problem.
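
The chroot path mismatch diagnosed in this thread can be checked mechanically. The script below is an added example, not part of the original posts or of Virtualmin: it resolves each smtpd_milters entry to the path a chrooted or non-chrooted smtpd actually opens and reports sockets that are missing there. It assumes the standard master.cf column layout and a single-line smtpd_milters setting in main.cf; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: where does Postfix smtpd really look for its milter sockets?

# smtpd_chroot_flag MASTER_CF [DEFAULT]: print y or n for the smtpd inet
# service. "-" in column 5 means the built-in default (assumed y here,
# matching the chrooted-by-default behaviour described in the thread).
smtpd_chroot_flag() {
    awk -v dflt="${2:-y}" '
        $1 ~ /^#/ || NF < 8 { next }
        $2 == "inet" && $8 == "smtpd" {
            print ($5 == "-" ? dflt : $5); exit
        }' "$1"
}

# milter_fs_path SPEC CHROOT_FLAG QUEUE_DIR: print the real filesystem
# path for a local:/unix: endpoint; return 1 for anything else (inet:).
milter_fs_path() {
    case $1 in
        local:*|unix:*) mpath=${1#*:} ;;
        *) return 1 ;;
    esac
    case $mpath in
        /*) if [ "$2" = y ]; then mpath=$3$mpath; fi ;;  # chroot prefix
        *)  mpath=$3/$mpath ;;          # relative to the queue directory
    esac
    printf '%s\n' "$mpath"
}

# check_milters MAIN_CF MASTER_CF QUEUE_DIR: report every smtpd_milters
# entry; return 1 if a socket is missing where smtpd will look for it.
check_milters() {
    flag=$(smtpd_chroot_flag "$2"); rc=0
    for spec in $(sed -n 's/^smtpd_milters[[:space:]]*=//p' "$1" | tr ',' ' '); do
        if p=$(milter_fs_path "$spec" "$flag" "$3"); then
            if [ -S "$p" ]; then
                echo "ok      $spec -> $p"
            else
                echo "MISSING $spec -> $p"; rc=1
            fi
        else
            echo "tcp     $spec (chroot does not apply)"
        fi
    done
    return $rc
}

# Usage: sh check_milters.sh /etc/postfix/main.cf /etc/postfix/master.cf /var/spool/postfix
if [ "$#" -eq 3 ]; then check_milters "$@"; fi
```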