How to Fix “connect to Milter service inet:127.0.0.1:8891: Connection refused” Error in Postfix with OpenDKIM


3 views

When you see the error connect to Milter service inet:127.0.0.1:8891: Connection refused in your Postfix logs, it means Postfix is unable to establish a connection with the OpenDKIM milter service. This typically happens when:

  • OpenDKIM service isn't running
  • There's a mismatch in socket configuration between Postfix and OpenDKIM
  • Permissions prevent the connection
  • Firewall rules block the connection

First, check if OpenDKIM is actually running:

systemctl status opendkim

If it's not running, start it with:

systemctl start opendkim
systemctl enable opendkim

Your opendkim.conf shows:

Socket inet:8891@127.0.0.1

Now check your Postfix configuration (typically in main.cf) to ensure it's looking at the same socket:

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891

Ensure the opendkim user has proper permissions:

chown -R opendkim:opendkim /etc/opendkim
chmod -R 0700 /etc/opendkim/keys

Enable detailed logging in opendkim.conf:

LogWhy yes
SyslogSuccess yes

Then restart OpenDKIM and check logs:

systemctl restart opendkim
journalctl -u opendkim -f

After fixing the connection issue, verify DKIM is working:

opendkim-testkey -d yourdomain.com -s default -vvv

Send a test email and check its headers for the DKIM signature.

For more complex setups, here's an example KeyTable:

default._domainkey.yourdomain.com yourdomain.com:default:/etc/opendkim/keys/default.private
202301._domainkey.yourdomain.com yourdomain.com:202301:/etc/opendkim/keys/202301.private

And corresponding SigningTable:

*@yourdomain.com default._domainkey.yourdomain.com
special@yourdomain.com 202301._domainkey.yourdomain.com

When you see the error connect to Milter service inet:127.0.0.1:8891: Connection refused in your Postfix logs, it indicates that Postfix cannot establish a connection to the OpenDKIM milter service running on port 8891. This typically occurs when:

  • OpenDKIM service isn't running
  • Socket configuration mismatch between Postfix and OpenDKIM
  • Permissions issues with the socket
  • Firewall blocking local connections

First, check if OpenDKIM is actually running:

sudo systemctl status opendkim

If it's not running, start it with:

sudo systemctl start opendkim
sudo systemctl enable opendkim

Your opendkim.conf shows the correct socket configuration:

Socket inet:8891@127.0.0.1

Now verify Postfix's milter configuration in /etc/postfix/main.cf:

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
milter_default_action = accept

1. Check socket availability:

sudo netstat -tulnp | grep 8891
# or alternatively
sudo ss -tulnp | grep 8891

2. Test socket connection manually:

telnet 127.0.0.1 8891

3. Verify OpenDKIM logs for errors:

sudo journalctl -u opendkim -f

Fix 1: Ensure proper user permissions in opendkim.conf:

UserID opendkim:opendkim
Umask 002

Fix 2: Restart both services after configuration changes:

sudo systemctl restart opendkim
sudo systemctl restart postfix

Fix 3: Check SELinux status if you're on RHEL/CentOS:

sudo setsebool -P milter_connect_any 1

After fixing the connection issue, verify DKIM signing is working:

echo "Test email" | mail -s "DKIM Test" recipient@example.com
tail /var/log/mail.log | grep -i dkim

You should see entries indicating successful signing.

If problems persist, increase OpenDKIM logging by uncommenting:

LogWhy yes

Then monitor the logs:

sudo tail -f /var/log/mail.log | grep opendkim

This will provide detailed information about the signing/verification process.