Debugging Postfix Milter Rejection: Solving OpenDKIM’s “Service Unavailable (opendkim)” Error



When integrating OpenDKIM with Postfix, a common yet frustrating error occurs during email transmission:

postfix/cleanup[11542]: 40F271A291A: milter-reject: END-OF-MESSAGE from ***[***]: 4.7.1 Service unavailable - try again later

This rejection typically happens after the complete message transmission (END-OF-MESSAGE phase), indicating OpenDKIM failed to process the signature request.

First, confirm the OpenDKIM socket is properly created and accessible by Postfix:

sudo netstat -nalp | grep dkim
sudo ls -la /run/opendkim/opendkim.sock

Key checks:

  • Socket file exists with correct permissions (typically 0770)
  • Owned by opendkim:mail (or your configured UserID)
  • Postfix process has read/write access through group membership

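A common root cause lies in permission misconfiguration. Verify that the OpenDKIM configuration parses when read as the opendkim user, and that Postfix reports no ownership or permission problems (the postfix command itself must be run as root):

sudo -u opendkim /usr/sbin/opendkim -n
sudo /usr/sbin/postfix check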

Critical directory permissions should be:

drwxr-sr-x  3 opendkim mail  /var/lib/opendkim
drwxr-s---  2 opendkim mail  /etc/opendkim

For multi-domain setups using a single key (not recommended for production), ensure proper SigningTable configuration:

# /etc/opendkim/SigningTable
*@domain1.com   default._domainkey.domain1.com
*@domain2.com   default._domainkey.domain1.com

The corresponding KeyTable:

# /etc/opendkim/KeyTable
default._domainkey.domain1.com domain1.com:201704:/etc/opendkim/201704.private

Enable detailed logging in opendkim.conf:

LogWhy               Yes
SyslogSuccess        Yes

Then monitor the logs in real time:

sudo tail -f /var/log/mail.log | grep -i dkim

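Modify your Postfix main.cf to set the milter protocol, default action and connection timeout. With milter_default_action = accept, Postfix proceeds as if the filter were not present whenever OpenDKIM is unavailable, so mail is delivered unsigned rather than deferred: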

milter_protocol = 6
milter_default_action = accept
milter_connect_timeout = 30s
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/run/opendkim/opendkim.sock

Verify DNS record validity using:

dig TXT 201704._domainkey.domain1.com
opendkim-testkey -d domain1.com -s 201704 -vvv

For socket communication testing:

sudo -u postfix nc -U /run/opendkim/opendkim.sock

Consider running OpenDKIM on a TCP port instead of a Unix socket:

# opendkim.conf
Socket inet:8891@localhost

# postfix/main.cf
smtpd_milters = inet:localhost:8891

When configuring OpenDKIM with Postfix, the "Service unavailable" error (4.7.1) typically indicates a communication breakdown between Postfix's Milter interface and the OpenDKIM service. Let's examine the specific components involved:

# Key error message components:
postfix/cleanup[11542]: 40F271A291A: milter-reject: END-OF-MESSAGE from ***[***]: 4.7.1 Service unavailable

The first checkpoint should be socket connectivity. Even though your netstat output shows the socket exists, we need to verify permissions:

# Check socket permissions
ls -la /run/opendkim/opendkim.sock
# Expected output:
srw-rw---- 1 opendkim mail 0 Apr 10 10:15 /run/opendkim/opendkim.sock

# Verify Postfix can access the socket
sudo -u postfix ls -la /run/opendkim/opendkim.sock

Your current Postfix configuration appears correct at first glance, but let's enhance it with additional debugging parameters:

# Enhanced Postfix main.cf additions
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_connect_macros = j {daemon_name} v {if_name} _
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/run/opendkim/opendkim.sock
milter_default_action = accept

The current OpenDKIM config has potential improvement areas. Here's an optimized version with explicit debugging:

# /etc/opendkim.conf additions
Mode                    sv
LogWhy                  Yes
SoftwareHeader          Yes
SignatureAlgorithm      rsa-sha256
OversignHeaders         From
UserID                  opendkim:mail
Socket                  local:/run/opendkim/opendkim.sock
PidFile                 /run/opendkim/opendkim.pid

A common oversight is incorrect permissions on the private key file:

# Verify key file permissions
ls -la /etc/opendkim/201704.private
# Should show:
-rw------- 1 opendkim opendkim 1675 Apr 10 09:00 /etc/opendkim/201704.private
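
The SigningTable-to-KeyTable mapping shown earlier and the key-file permissions just above can be checked in one pass. The shell function below is an added example, not code from the original article or from OpenDKIM; the function names, the report labels and the temp-directory sample (including the domain3.com line) are constructed for illustration, and it assumes GNU stat.

```sh
# Added example: follow each SigningTable reference to its KeyTable entry and
# key file. Prints one line per problem; exit status 0 means everything resolves.
check_dkim_tables() (            # subshell body keeps variables and set -f local
    signing_table=$1; key_table=$2; rc=0
    set -f                       # no glob expansion while word-splitting names
    # SigningTable column 2 names a KeyTable entry; skip comments and blank lines.
    for name in $(awk '!/^[ \t]*(#|$)/ { print $2 }' "$signing_table" | sort -u); do
        # KeyTable line: <name> <domain>:<selector>:<private key path>
        entry=$(awk -v n="$name" '!/^[ \t]*(#|$)/ && $1 == n { print $2; exit }' "$key_table")
        if [ -z "$entry" ]; then
            echo "MISSING-KEYTABLE-ENTRY $name"; rc=1; continue
        fi
        keyfile=${entry##*:}
        if [ ! -f "$keyfile" ]; then
            echo "MISSING-KEY-FILE $name $keyfile"; rc=1; continue
        fi
        # The page's listing shows -rw-------; flag any group/other permission bit.
        mode=$(stat -c '%a' "$keyfile")      # assumes GNU stat
        case $mode in
            ?00) ;;
            *) echo "LOOSE-KEY-MODE $name $keyfile $mode"; rc=1 ;;
        esac
    done
    exit "$rc"
)

# Constructed sample: the page's two tables plus one SigningTable line
# (domain3.com) whose KeyTable entry is deliberately absent.
make_dkim_sample() {
    dir=$(mktemp -d) || return 1
    printf 'constructed placeholder, not a real key\n' > "$dir/201704.private"
    chmod 600 "$dir/201704.private"
    cat > "$dir/SigningTable" <<EOF
# constructed sample
*@domain1.com   default._domainkey.domain1.com
*@domain2.com   default._domainkey.domain1.com
*@domain3.com   default._domainkey.domain3.com
EOF
    printf '%s %s\n' default._domainkey.domain1.com \
        "domain1.com:201704:$dir/201704.private" > "$dir/KeyTable"
    echo "$dir"
}
# Check real tables when two paths are given, otherwise the constructed sample.
if [ "$#" -eq 2 ]; then
    check_dkim_tables "$1" "$2"
else
    d=$(make_dkim_sample) && { check_dkim_tables "$d/SigningTable" "$d/KeyTable" || echo "problems found"; }
    rm -rf "$d"
fi
```

Run as root with /etc/opendkim/SigningTable and /etc/opendkim/KeyTable as the two arguments; an empty report with exit status 0 means every signing rule resolves to a key file with owner-only permissions.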

For more reliable operation, consider using systemd socket activation:

# /etc/systemd/system/opendkim.socket
[Unit]
Description=OpenDKIM Milter Socket

[Socket]
ListenStream=/run/opendkim/opendkim.sock
SocketUser=opendkim
SocketGroup=mail
SocketMode=0660

[Install]
WantedBy=sockets.target

Essential commands to diagnose the issue:

# Check OpenDKIM logs
journalctl -u opendkim --no-pager -n 50

# Test the DKIM key setup (private key against the published DNS record)
opendkim-testkey -d example.com -s 201704 -vvv

# Verify Postfix can connect to the OpenDKIM socket
sudo -u postfix nc -U /run/opendkim/opendkim.sock

Additional checks:

  • Verify the opendkim user is in the mail group
  • Confirm SELinux/AppArmor isn't blocking socket access
  • Check for TCP wrappers restrictions (/etc/hosts.allow)
  • Validate system time synchronization (DKIM verification requires accurate time)