Postfix не подписывается DKIM?

Question

[Dymok]

Пытаюсь настроить DKIM-подписывание писем, делал все по этому мануалу, но почему-то Postfix ругается на отстутствие файла opendkim.sock:

Mar 25 00:04:16 vps postfix/cleanup[2035]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory

Хотя данный файл есть и имеет, вроде бы, все нужные права

ubuntu@vps:/var/run/opendkim$ ls -la
total 4
drwxr-xr-x  2 opendkim opendkim  80 Mar 24 22:57 .
drwxr-xr-x 27 root     root     940 Mar 24 22:58 ..
-rw-r--r--  1 opendkim opendkim   5 Mar 24 22:57 opendkim.pid
srwxrwxrwx  1 opendkim opendkim   0 Mar 24 22:57 opendkim.sock

opendkim запущен
Конфиг opendkim:

spoiler

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain                 example.com
#KeyFile                /etc/dkimkeys/dkim.key
#Selector               2007

# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization       simple
#Mode                   sv
#SubDomains             no


# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From

##  ResolverConfiguration filename
##      default (none)
##
##  Specifies a configuration file to be passed to the Unbound library that
##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
##  documentation at http://unbound.net for the expected content of this file.
##  The results of using this and the TrustAnchorFile setting at the same
##  time are undefined.
##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
##  unbound package

# ResolverConfiguration     /etc/unbound/unbound.conf

##  TrustAnchorFile filename
##      default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
## at http://unbound.net for the expected format of this file.

TrustAnchorFile       /usr/share/dns/root.key


Canonicalization relaxed/relaxed
SyslogSuccess yes
KeyTable file:/etc/opendkim/keytable
SigningTable file:/etc/opendkim/signingtable
X-Header yes
#

Заранее спасибо.

UPD: Проблема была в неправильных путях и правах.

Answer 1

[Александр Черных]

нестыковочка, у Вас в конфе UMask 002, а права на сокет получились srwxrwxrwx, а с такой маской дожны быть srwxrwxr-x

поэтому в конфе добавить

UserID opendkim:opendkim

и юзер postfix должен входить в группу opendkim

либо Umask 000

ну и перезапуск сервиса :-)

Comments

[Dymok]

Спасибо за ответ!

Похоже, при маске UMask 002 opendkim сам меняет права на srwxrwxr-x при запуске.
Сейчас права такие:

spoiler

ubuntu@vps:/var/run/opendkim$ ls -la
total 4
drwxr-xr-x  2 opendkim opendkim  80 Mar 25 14:29 .
drwxr-xr-x 27 root     root     960 Mar 25 14:35 ..
-rw-r--r--  1 opendkim opendkim   5 Mar 25 14:29 opendkim.pid
srwxrwxr-x  1 opendkim opendkim   0 Mar 25 14:29 opendkim.sock

Конфиг изменил на такой:

spoiler

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002
UserID opendkim:opendkim
# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain                 example.com
#KeyFile                /etc/dkimkeys/dkim.key
#Selector               2007

# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization       simple
#Mode                   sv
#SubDomains             no

# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From

##  ResolverConfiguration filename
##      default (none)
##
##  Specifies a configuration file to be passed to the Unbound library that
##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
##  documentation at http://unbound.net for the expected content of this file.
##  The results of using this and the TrustAnchorFile setting at the same
##  time are undefined.
##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
##  unbound package

# ResolverConfiguration     /etc/unbound/unbound.conf

##  TrustAnchorFile filename
##      default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
## at http://unbound.net for the expected format of this file.

TrustAnchorFile       /usr/share/dns/root.key


Canonicalization relaxed/relaxed
SyslogSuccess yes
KeyTable file:/etc/opendkim/keytable
SigningTable file:/etc/opendkim/signingtable
X-Header yes
#

postfix и opendkim находятся в группе друг друга:

spoiler

ubuntu@vps:/var/run/opendkim$ groups postfix
postfix : postfix opendkim
ubuntu@vps:/var/run/opendkim$ groups opendkim
opendkim : opendkim postfix

Но получается все так же ошибка

Mar 25 14:30:22 vps postfix/cleanup[5934]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory

Вот еще конфиг postfix, но в нём, кажется, все правильно.

spoiler

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = $myhostname, ip-172-31-41-165.us-east-2.compute.internal, localhost.us-east-2.compute.internal, , localhost, robbien.ru
myhostname = vps
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual

[Александр Черных]

все должно работать.
postfix stop && postfix start был?

а что в логах при запуске opendkim?

[Александр Черных]

еще явно можно сказать ему слушать сокет

Socket local:/var/run/opendkim/opendkim.sock

[Dymok]

Александр Черных, да, перезапускал.
перезапустил postfix и opendkim, отправил письмо, вот логи

spoiler

Mar 25 14:56:40 vps postfix[6496]: Postfix is running with backwards-compatible default settings
Mar 25 14:56:40 vps postfix[6496]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Mar 25 14:56:40 vps postfix[6496]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Mar 25 14:56:40 vps postfix/master[6427]: terminating on signal 15
Mar 25 14:56:45 vps postfix[6616]: Postfix is running with backwards-compatible default settings
Mar 25 14:56:45 vps postfix[6616]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Mar 25 14:56:45 vps postfix[6616]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Mar 25 14:56:45 vps postfix/master[6653]: daemon started -- version 3.1.0, configuration /etc/postfix
Mar 25 14:56:45 vps postfix/qmgr[6670]: 3CD934877B: from=<ubuntu@robbien.ru>, size=398, nrcpt=1 (queue active)
Mar 25 14:56:45 vps postfix/smtp[6674]: 3CD934877B: to=<pavel.dymok@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.204.27]:25, delay=679, delays=679/0.01/0.1/0.12, dsn=2.0.0, status=sent (250 2.0.0 OK 1521989805 r9si2564898qtf.98 - gsmtp)
Mar 25 14:56:45 vps postfix/qmgr[6670]: 3CD934877B: removed
Mar 25 14:57:02 vps opendkim[6148]: OpenDKIM Filter: mi_stop=1
Mar 25 14:57:02 vps opendkim[6148]: OpenDKIM Filter v2.10.3 terminating with status 0, errno = 0
Mar 25 14:57:07 vps opendkim[6783]: OpenDKIM Filter v2.10.3 starting (args: -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock)
Mar 25 14:57:46 vps postfix/pickup[6669]: C4A594877B: uid=1000 from=<ubuntu>
Mar 25 14:57:46 vps postfix/cleanup[6793]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory
Mar 25 14:57:46 vps postfix/cleanup[6793]: C4A594877B: message-id=<20180325145746.C4A594877B@vps>
Mar 25 14:57:46 vps postfix/qmgr[6670]: C4A594877B: from=<ubuntu@robbien.ru>, size=394, nrcpt=1 (queue active)
Mar 25 14:57:47 vps postfix/smtp[6674]: C4A594877B: to=<pavel.dymok@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.205.27]:25, delay=0.27, delays=0.01/0/0.09/0.17, dsn=2.0.0, status=sent (250 2.0.0 OK 1521989867 s14si1454175qte.381 - gsmtp)
Mar 25 14:57:47 vps postfix/qmgr[6670]: C4A594877B: removed

[Dymok]

Александр Черных, это в конфиг postfix? Добавил, все перезапустил, ошибка та же

spoiler

Mar 25 15:02:40 vps postfix[6834]: Postfix is running with backwards-compatible default settings
Mar 25 15:02:40 vps postfix[6834]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Mar 25 15:02:40 vps postfix[6834]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Mar 25 15:02:40 vps postfix/master[6653]: terminating on signal 15
Mar 25 15:02:45 vps postfix[6953]: Postfix is running with backwards-compatible default settings
Mar 25 15:02:45 vps postfix[6953]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Mar 25 15:02:45 vps postfix[6953]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Mar 25 15:02:46 vps postfix/master[6990]: daemon started -- version 3.1.0, configuration /etc/postfix
Mar 25 15:02:52 vps opendkim[6783]: OpenDKIM Filter: mi_stop=1
Mar 25 15:02:52 vps opendkim[6783]: OpenDKIM Filter v2.10.3 terminating with status 0, errno = 0
Mar 25 15:03:03 vps opendkim[7093]: OpenDKIM Filter v2.10.3 starting (args: -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock)
Mar 25 15:03:13 vps postfix/pickup[7008]: 31C794877B: uid=1000 from=<ubuntu>
Mar 25 15:03:13 vps postfix/cleanup[7103]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory
Mar 25 15:03:13 vps postfix/cleanup[7103]: 31C794877B: message-id=<20180325150313.31C794877B@vps>
Mar 25 15:03:13 vps postfix/qmgr[7009]: 31C794877B: from=<ubuntu@robbien.ru>, size=394, nrcpt=1 (queue active)
Mar 25 15:03:29 vps postfix/smtp[7105]: 31C794877B: to=<pavel.dymok@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.205.26]:25, delay=16, delays=0.01/0/15/0.81, dsn=2.0.0, status=sent (250 2.0.0 OK 1521990209 i81-v6si2026731ybg.523 - gsmtp)
Mar 25 15:03:29 vps postfix/qmgr[7009]: 31C794877B: removed

[Александр Черных]

UnluckySerivelha, это было в конф дкима

а если в main.cf добавить compatibility_level=2 и postfix reload

[Александр Черных]

UnluckySerivelha, и opendkim выкинуть из группы postfix - он там не нужен

[Dymok]

Александр Черных, добавил
Socket local:/var/run/opendkim/opendkim.sock
в конфиг opendkim, в main.cf добавил
compatibility_level=2
opendkim убрал из группы postfix, все перезапустил, ошибка вся та же.

spoiler

Mar 25 15:21:14 vps opendkim[7289]: OpenDKIM Filter: mi_stop=1
Mar 25 15:21:14 vps opendkim[7289]: OpenDKIM Filter v2.10.3 terminating with status 0, errno = 0
Mar 25 15:21:14 vps opendkim[7616]: OpenDKIM Filter v2.10.3 starting (args: -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock)
Mar 25 15:21:20 vps postfix/master[7460]: terminating on signal 15
Mar 25 15:21:20 vps postfix/master[7785]: daemon started -- version 3.1.0, configuration /etc/postfix
Mar 25 15:21:29 vps postfix/pickup[7786]: 704A248775: uid=1000 from=<ubuntu>
Mar 25 15:21:29 vps postfix/cleanup[7792]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory
Mar 25 15:21:29 vps postfix/cleanup[7792]: 704A248775: message-id=<20180325152129.704A248775@vps>
Mar 25 15:21:29 vps postfix/qmgr[7787]: 704A248775: from=<ubuntu@robbien.ru>, size=394, nrcpt=1 (queue active)
Mar 25 15:21:29 vps postfix/smtp[7794]: 704A248775: to=<pavel.dymok@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.68.27]:25, delay=0.26, delays=0.01/0/0.11/0.14, dsn=2.0.0, status=sent (250 2.0.0 OK 1521991289 r9si3719597qtf.378 - gsmtp)
Mar 25 15:21:29 vps postfix/qmgr[7787]: 704A248775: removed

И я тут заметил, файл opendkim.sock, похоже пустой, так и должно быть?

ubuntu@vps:/var/run/opendkim$ ls -l
total 4
-rw-r--r-- 1 opendkim opendkim 5 Mar 25 15:21 opendkim.pid
srwxrwxr-x 1 opendkim opendkim 0 Mar 25 15:21 opendkim.sock

[Александр Черных]

UnluckySerivelha, да пустой, на то и сокет
postfix случаем не в chroot'е?

[Dymok]

Александр Черных, а как это проверить?(

[Александр Черных]

UnluckySerivelha, master.cf колонка chroot - должны n если не в chroot

[Dymok]

Александр Черных, почему-то вообще не вижу postfix в таблице

spoiler

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

[Александр Черных]

есть !!!! он таки в chroot'е

в opendkim.conf заменить на

socket="local:/var/spool/postfix/var/run/opendkim/opendkim.sock"

[Dymok]

Александр Черных, добавил, теперь он ругается на эту строку и не запускается

spoiler

ubuntu@vps:/var/run/opendkim$ sudo service opendkim start
Job for opendkim.service failed because the control process exited with error code. See "systemctl status opendkim.service" and "journalctl -xe" for details.
ubuntu@vps:/var/run/opendkim$ sudo systemctl status opendkim.service
● opendkim.service - DomainKeys Identified Mail (DKIM) Milter
   Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2018-03-25 16:47:17 UTC; 2s ago
     Docs: man:opendkim(8)
           man:opendkim.conf(5)
           man:opendkim-genkey(8)
           man:opendkim-genzone(8)
           man:opendkim-testadsp(8)
           man:opendkim-testkey
           http://www.opendkim.org/docs.html
  Process: 7302 ExecReload=/bin/kill -USR1 $MAINPID (code=exited, status=0/SUCCESS)
  Process: 8398 ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p $SOCKET $DAEMON_OPTS (code=exited, s
  Process: 8396 ExecStartPre=/bin/chown opendkim.opendkim /var/run/opendkim (code=exited, status=0/SUCCESS)
  Process: 8393 ExecStartPre=/bin/mkdir -p /var/run/opendkim (code=exited, status=0/SUCCESS)
 Main PID: 7616 (code=exited, status=0/SUCCESS)

Mar 25 16:47:17 vps systemd[1]: Starting DomainKeys Identified Mail (DKIM) Milter...
Mar 25 16:47:17 vps opendkim[8398]: opendkim: /etc/opendkim.conf: configuration error at line 56: unrecognized parameter
Mar 25 16:47:17 vps systemd[1]: opendkim.service: Control process exited, code=exited status=78
Mar 25 16:47:17 vps systemd[1]: Failed to start DomainKeys Identified Mail (DKIM) Milter.
Mar 25 16:47:17 vps systemd[1]: opendkim.service: Unit entered failed state.
Mar 25 16:47:17 vps systemd[1]: opendkim.service: Failed with result 'exit-code'.

[Александр Черных]

хм
меняем в opendkim socket обратно

в master.cf в колонке chroot (3-я) меняем y на n (предварительно бекап конфига)

[Dymok]

Александр Черных, сорри, может туплю, но какой строке менять? smtp? И колонка chroot вроде 5-я..

# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd

[Александр Черных]

я бы менял для всех сервисов , а не только smtp (2-я энка)
ругань в логах на cleanup
для начала можно попробовать сменять только для нее

[Dymok]

Александр Черных, почему-то теперь при запуске opendkim пишет ошибку, что нет прав:

Mar 25 17:11:24 vps postfix/cleanup[8944]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied

и фала opendkim.sock нету..

ubuntu@vps:/var/run/opendkim$ ls -la
total 4
drwxr-xr-x  2 opendkim opendkim  60 Mar 25 17:06 .
drwxr-xr-x 27 root     root     960 Mar 25 15:24 ..
-rw-r--r--  1 opendkim opendkim   5 Mar 25 17:06 opendkim.pid

[Александр Черных]

показываем
main.cf на предмет smtpd_milters, non_smtpd_milters
opendkim.conf
master.cf

[Dymok]

Александр Черных,

main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = vps
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, ip-172-31-41-165.us-east-2.compute.internal, localhost.us-east-2.compute.internal, , localhost, robbien.ru
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
milter_default_action = accept
milter_protocol = 2
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock
compatibility_level = 2

opendkim.conf

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog			yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask			002
UserID opendkim:opendkim
# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain			example.com
#KeyFile		/etc/dkimkeys/dkim.key
#Selector		2007


OversignHeaders		From

##  ResolverConfiguration filename
##      default (none)
##
##  Specifies a configuration file to be passed to the Unbound library that
##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
##  documentation at http://unbound.net for the expected content of this file.
##  The results of using this and the TrustAnchorFile setting at the same
##  time are undefined.
##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
##  unbound package

# ResolverConfiguration     /etc/unbound/unbound.conf

##  TrustAnchorFile filename
##      default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
## at http://unbound.net for the expected format of this file.

TrustAnchorFile       /usr/share/dns/root.key

<code></code>
Canonicalization relaxed/relaxed
SyslogSuccess yes
KeyTable file:/etc/opendkim/keytable
SigningTable file:/etc/opendkim/signingtable
X-Header yes
Socket	local:/var/run/opendkim/opendkim.sock
#

master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

[Александр Черных]

нам нужно разобраться с путями
может рискнете и дадите мне тимвьювер ? или доступ к серваку? Ну так будет проще
если нет, будет переписываться дальше

из Вашего профиля видно , что Вы веб-мастер, а не админ
Так как?

[Dymok]

Александр Черных, пока интересуюсь всем подряд. Сможете написать в телеграмм?

[Dymok]

Огромное спасибо за помощь c;

[Александр Черных]

UnluckySerivelha, пришлось чуток в убунте поковыряться, я ж в ней опыта не имеею особо. Но данный вопрос решили

Answer 2

[Дмитрий Евграфович]

На случай, если кто столкнется с такой же проблемой - мне помогло решение отсюда https://serverfault.com/questions/796742/connect-t... Александр не расписал, что сделал, поэтому оставлю ссылку тут. Насколько я понял, когда postfix запускается с параметрами "chroot = y" в конфиге, для него родительской директорией становится /var/spool/postfix и из-за этого он не видит папку var/run/opendkim.