Score:6

No DKIM headers in sent mails from postfix

pl flag

I have two postfix, one for receiving mails and the other for sending mails, and I am having trouble signing dkim on my outgoing mails. I followed this tutorial.

Logs also is not helping me point to the main problem. OpenDKIM is running fine:

● opendkim.service - OpenDKIM DomainKeys Identified Mail (DKIM) Milter
     Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-06-18 17:39:40 UTC; 4s ago
       Docs: man:opendkim(8)
             man:opendkim.conf(5)
             man:opendkim-genkey(8)
             man:opendkim-genzone(8)
             man:opendkim-testadsp(8)
             man:opendkim-testkey
             http://www.opendkim.org/docs.html
    Process: 246310 ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf (code=exited, status=0/SUCCESS)
   Main PID: 246321 (opendkim)
      Tasks: 7 (limit: 4681)
     Memory: 2.8M
     CGroup: /system.slice/opendkim.service
             ├─246321 /usr/sbin/opendkim -x /etc/opendkim.conf
             └─246322 /usr/sbin/opendkim -x /etc/opendkim.conf

Jun 18 17:39:40 testmailcdo systemd[1]: Starting OpenDKIM DomainKeys Identified Mail (DKIM) Milter...
Jun 18 17:39:40 testmailcdo systemd[1]: Started OpenDKIM DomainKeys Identified Mail (DKIM) Milter.
Jun 18 17:39:40 testmailcdo opendkim[246322]: OpenDKIM Filter v2.11.0 starting (args: -x /etc/opendkim.conf)

My postfix main.cf:

milter_default_action = accept
milter_protocol = 6
#smtpd_milters = inet:localhost:8891
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters =  $smtpd_milters

master.cf:

smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_wrappermode=no
#  -o smtpd_tls_auth_only=yes
  -o smtpd_enforce_tls=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=$smtpauth_recipient_restrictions
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_sasl_tls_security_options=noanonymous

opendkim.conf:

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   007

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain                 testmailcdo.apolloglobal.net
#KeyFile                /etc/dkimkeys/dkim.key
#Selector               mail1

# Commonly-used options; the commented-out versions show the defaults.
Canonicalization        relaxed/relaxed
Mode                    sv
SubDomains              no

AutoRestart         yes
AutoRestartRate     10/1M
Background          yes
DNSTimeout          5
SignatureAlgorithm  rsa-sha256

# Socket smtp://localhost
#
# ##  Socket socketspec
# ##
# ##  Names the socket where this filter should listen for milter connections
# ##
# ##  Names the socket where this filter should listen for milter connections
# ##  from the MTA.  Required.  Should be in one of these forms:
# ##
# ##  inet:port@address           to listen on a specific interface
# ##  inet:port                   to listen on all interfaces
# ##  local:/path/to/socket       to listen on a UNIX domain socket
#
#Socket                  inet:8891@localhost
#Socket                 local:/var/spool/postfix/opendkim/opendkim.sock
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
Socket local:/var/spool/postfix/opendkim/opendkim.sock
##  PidFile filename
###      default (none)
###
###  Name of the file where the filter should write its pid before beginning
###  normal operations.
#
PidFile               /var/run/opendkim/opendkim.pid


# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From

##  ResolverConfiguration filename
##      default (none)
##
##  Specifies a configuration file to be passed to the Unbound library that
##
##  Specifies a configuration file to be passed to the Unbound library that
##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
##  documentation at http://unbound.net for the expected content of this file.
##  The results of using this and the TrustAnchorFile setting at the same
##  time are undefined.
##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
##  unbound package

# ResolverConfiguration     /etc/unbound/unbound.conf

##  TrustAnchorFile filename
##      default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
## at http://unbound.net for the expected format of this file.

TrustAnchorFile       /usr/share/dns/root.key

##  Userid userid
###      default (none)
###
###  Change to user "userid" before starting normal operation?  May include
###  a group ID as well, separated from the userid by a colon.
#
UserID                opendkim
# Map domains in From addresses to keys used to sign messages
KeyTable           refile:/etc/opendkim/key.table
SigningTable       refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList  /etc/opendkim/trusted.hosts

# A set of internal hosts whose mail should be signed
InternalHosts       /etc/opendkim/trusted.hosts

Logs when sending mail affect by trusted.hosts

Jun 18 18:14:08 testmailcdo postfix/submission/smtpd[247218]: connect from unknown[202.60.9.10]
Jun 18 18:14:08 testmailcdo postfix/submission/smtpd[247218]: 6D0D413C124: client=unknown[202.60.9.10]
Jun 18 18:14:08 testmailcdo postfix/cleanup[247221]: 6D0D413C124: message-id=<[email protected]>
Jun 18 18:14:08 testmailcdo postfix/qmgr[246787]: 6D0D413C124: from=<[email protected]>, size=601, nrcpt=1 (queue active)
Jun 18 18:14:08 testmailcdo postfix/submission/smtpd[247218]: disconnect from unknown[202.60.9.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jun 18 18:14:10 testmailcdo postfix/smtp[247222]: 6D0D413C124: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[142.250.157.26]:25, delay=1.8, delays=0.06/0/0.82/0.97, dsn=2.0.0, status=sent (250 2.0.0 OK  1624040055 p7si10315751pjl.99 - gsmtp)
Jun 18 18:14:10 testmailcdo postfix/qmgr[246787]: 6D0D413C124: removed

ls -l /var/spool/postfix/opendkim/opendkim.sock outputs:

srwxrwx--- 1 opendkim opendkim 0 Jun 18 17:39 /var/spool/postfix/opendkim/opendkim.sock

I am really lost. Any suggestions and help would be greatly appreciated!

anx avatar
fr flag
anx
Reconsider `milter_default_action` - you might not actually want this to *fail-open* (`accept`) but instead have all problems with DKIM be promoted to grinding everything to a halt (`tempfail`, which may be the safer choice in terms of losing mail, because of what some recipients do with mail they consider unauthorized).
user13539846 avatar
pl flag
@anx logs while processing mail affected by `trusted.hosts` does not show something about calling the milter. Either way, I have updated the post with logs from postfix while sending a mail.
Nikita Kipriyanov avatar
za flag
Could it be "outgoing" mail is processed by another `smtpd` service which has milter disabled (e.g. `submission`? Check `master.cf`. Also, I noticed some time ago that opendkim set modes on the socket so the postfix was unable to communicate with it. It must have been fixed since, but who knows...
Ginnungagap avatar
gu flag
Can you add the output of `ls -l /var/spool/postfix/opendkim/opendkim.sock` to the question? I suspect your socket only allows opendkim:opendkim while postfix runs as another user.
user13539846 avatar
pl flag
@NikitaKipriyanov I have added my `master.cf` on the question. I believe it is handled by `submission`
user13539846 avatar
pl flag
@Ginnungagap I added the output of `ls -l /var/spool/postfix/opendkim/opendkim.sock`. I am not very familiar with linux but shouldn't `sudo chown opendkim:postfix /var/spool/postfix/opendkim`, as a step in the guide, would fix the permission problem?
user13539846 avatar
pl flag
@NikitaKipriyanov Is there a way to make `submission` use the opendkim milter?
Nikita Kipriyanov avatar
za flag
According to your master.cf, the Postfix submission should use smtpd milters too. Wrong modes (0770 for opendkim:opendkim) must be a culprit.
Score:1
za flag

You have wrong modes on the opendkim.sock. Those are 0770 i.e. rwx by owner, rwx by group, nothing for others, where owner is opendkim and group is opendkim, but Postfix runs often as postfix:mail or something like that, so it falls into the category "others" and is disallowed access. You should find mentions of that in the Postfix logs (in Debian we look into /var/log/mail.err).

Also note, the chown you've done was acting on a directory, containing the socket, not the socket itself, so it doesn't suffice.

Try setting 0777 on the opendkim.sock as the one-time test solution:

chmod 0777 /var/spool/postfix/opendkim/opendkim.sock

If it helps, we're on the right track. OpenDKIM recreates the socket with former modes at each restart, so the modes will reset, that's why this solution is one time. To make it persistent, add postfix user (or whichever account the smtpd is running under) into opendkim group, so the second "7" will apply to it (group access which is allowed):

gpasswd -a postfix opendkim

Alternatively (for example, if smtpd runs under nobody), you might change startup script for OpenDKIM slightly, for it to set mode 0777 after socket creation.

user13539846 avatar
pl flag
I appreciate your help sir, but unfortunately after running `chmod 0777 /var/spool/postfix/opendkim/opendkim.sock` and making the opendkim.sock to `srwxrwxrwx 1 opendkim opendkim 0 Jun 19 14:21 /var/spool/postfix/opendkim/opendkim.sock` mails sent still does not have dkim on its headers. Also when I check `/var/log/mail.err`, it was blank.
user13539846 avatar
pl flag
Also, I tried using `inet` as socket pointed to localhost, altered postfix smtpd milters and non smtpd milters to use `inet:localhost:8891` but it does not help. Mails still are not signed.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.