Fixing Postfix Permission Denied Error When Connecting to OpenDKIM Unix Socket

When integrating OpenDKIM with Postfix on CentOS 6.5, many administrators encounter the frustrating "Permission denied" error when Postfix attempts to connect to OpenDKIM's Unix socket. The error typically appears in logs as:

Sep 24 15:41:43 service-a-4 postfix/cleanup[17414]: warning: connect to Milter service unix:var/run/opendkim/opendkim.sock: Permission denied

Postfix runs in chroot mode by default, confined to /var/spool/postfix/. Every socket path in the Postfix configuration is therefore interpreted relative to that directory, and the common misconfiguration is an OpenDKIM socket path that does not account for the chroot: the two daemons end up pointing at different files.

For proper operation, these two settings must name the same socket file, each from its own point of view:

# OpenDKIM configuration (/etc/opendkim.conf)
Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock

# Postfix configuration (/etc/postfix/main.cf): the same file, seen from inside the chroot
smtpd_milters = unix:/var/run/opendkim/opendkim.sock

Even with correct paths, permission issues can persist. Test socket accessibility with these commands:

# Check if Postfix user can see the socket
sudo su -s /bin/bash postfix -c "ls /var/spool/postfix/var/run/opendkim/opendkim.sock"

# Test socket connection as root (should work)
nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock

# Test socket connection as postfix (should work but often fails)
sudo su -s /bin/bash postfix -c "nc -U -D /var/spool/postfix/var/run/opendkim/opendkim.sock"

When the above tests show the socket exists but Postfix can't connect, follow these steps:

# Create the directory with correct permissions
mkdir -p /var/spool/postfix/var/run/opendkim
chown opendkim:postfix /var/spool/postfix/var/run/opendkim
chmod 750 /var/spool/postfix/var/run/opendkim

# Ensure the socket file has correct permissions
touch /var/spool/postfix/var/run/opendkim/opendkim.sock
chown opendkim:postfix /var/spool/postfix/var/run/opendkim/opendkim.sock
chmod 660 /var/spool/postfix/var/run/opendkim/opendkim.sock

# Restart both services
service opendkim restart
service postfix restart

If issues persist after permission fixes:

  1. Verify the Postfix user is in the opendkim group: usermod -a -G opendkim postfix
  2. Check process ownership: ps aux | grep 'postfix\|opendkim'
  3. Examine socket creation: ls -la /var/spool/postfix/var/run/opendkim/
  4. Monitor real-time connections: strace -f -p $(pgrep -f "postfix/cleanup")
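To run the same checks in one place, here is an added diagnostic script (example code, not from the article or the OpenDKIM project). It translates a main.cf `unix:` milter spec through the Postfix chroot the way cleanup(8) sees it, then applies the directory-search and socket-write permission checks the kernel applies for a given uid and group set; `demo()` builds a throwaway chroot with a real socket to show the UMask 022 failure and the chmod 660 fix. The chroot and spec constants are assumptions copied from the article's CentOS layout, and SELinux is not modelled.

```python
import os, socket, stat, tempfile

POSTFIX_QUEUE_DIR = "/var/spool/postfix"                # Postfix chroot on the article's box
MILTER_SPEC = "unix:/var/run/opendkim/opendkim.sock"    # the article's main.cf value

def resolve_milter_path(milter_spec, chroot=POSTFIX_QUEUE_DIR):
    """Host path a chrooted cleanup(8) opens for 'unix:/path' (what OpenDKIM must bind)."""
    assert milter_spec.startswith("unix:"), "only unix: milter specs are handled here"
    return os.path.join(chroot, milter_spec[5:].lstrip("/"))

def _allowed(st, uid, gids, bits):
    """Unix DAC check for one non-root identity; bits = (owner, group, other)."""
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    return bool(st.st_mode & (bits[1] if st.st_gid in gids else bits[2]))

def diagnose_socket(milter_spec, uid, gids, chroot=POSTFIX_QUEUE_DIR):
    """Findings explaining why uid/gids cannot connect from inside the chroot;
    an empty list means the Unix permission checks pass (SELinux is not modelled)."""
    host_path = resolve_milter_path(milter_spec, chroot)
    if not os.path.lexists(host_path):
        outside = os.path.join("/", milter_spec[5:].lstrip("/"))
        hint = " (it exists outside the chroot; fix OpenDKIM's Socket line)"
        return [host_path + " does not exist" + (hint if os.path.lexists(outside) else "")]
    findings, path = [], chroot
    for comp in milter_spec[5:].strip("/").split("/")[:-1]:   # each directory below the chroot
        path = os.path.join(path, comp)
        st = os.stat(path)
        if not _allowed(st, uid, gids, (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)):
            findings.append(f"{path}: no search (x) permission, mode {st.st_mode & 0o777:o}")
    st = os.stat(host_path)
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{host_path}: not a socket (a plain file left behind by touch?)")
    if not _allowed(st, uid, gids, (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)):
        findings.append(f"{host_path}: no write permission, mode {st.st_mode & 0o777:o}")
    return findings

def demo():
    """Constructed scenario: throwaway chroot with a real socket, checked as a group-only peer."""
    os.umask(0o022)                                # the article's UMask, so dir modes are predictable
    chroot = tempfile.mkdtemp()
    sockpath = resolve_milter_path(MILTER_SPEC, chroot)
    os.makedirs(os.path.dirname(sockpath), 0o750)  # the article's chmod 750 directory
    with socket.socket(socket.AF_UNIX) as srv:
        srv.bind(sockpath)                         # closing the socket does not unlink the path
    uid, gids = os.getuid() + 1, {os.stat(sockpath).st_gid}   # fake "postfix": not owner, same group
    os.chmod(sockpath, 0o755)                      # what UMask 022 leaves on the socket
    before = diagnose_socket(MILTER_SPEC, uid, gids, chroot)
    os.chmod(sockpath, 0o660)                      # the article's chmod 660
    return before, diagnose_socket(MILTER_SPEC, uid, gids, chroot)
```

On a real host, call `diagnose_socket(MILTER_SPEC, pwd.getpwnam("postfix").pw_uid, <postfix's gids>)` as root to read the socket's ownership and modes without having to su to the postfix user.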

Ensure your complete OpenDKIM configuration includes these essential parameters:

# /etc/opendkim.conf
Mode            sv
Canonicalization    relaxed/simple
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList  /etc/opendkim/TrustedHosts
InternalHosts   /etc/opendkim/TrustedHosts
Socket          local:/var/spool/postfix/var/run/opendkim/opendkim.sock
PidFile         /var/run/opendkim/opendkim.pid
# 002, not 022: the socket is created with mode 0777 & ~UMask, and the group
# that Postfix connects as needs write access to it
UMask           002
UserID          opendkim:opendkim

Putting the pieces together, here's the complete step-by-step solution:

# 1. Create the socket directory with correct permissions
mkdir -p /var/spool/postfix/var/run/opendkim
chown opendkim:postfix /var/spool/postfix/var/run/opendkim
chmod 750 /var/spool/postfix/var/run/opendkim

# 2. Configure OpenDKIM (/etc/opendkim.conf)
Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock
UserID opendkim:postfix
# keep the group-write bit on the socket (it is created as 0777 & ~UMask)
UMask 002

# 3. Configure Postfix (/etc/postfix/main.cf)
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock
milter_default_action = accept

# 4. Restart services
service opendkim restart
service postfix restart

If issues persist:

  • Verify SELinux context: ls -Z /var/spool/postfix/var/run/opendkim/
  • Check process ownership: ps aux | grep 'postfix\|opendkim'
  • Monitor logs in real-time: tail -f /var/log/maillog

If Unix socket issues prove intractable, consider using TCP:

# OpenDKIM Configuration
Socket inet:8891@localhost

# Postfix Configuration
smtpd_milters = inet:127.0.0.1:8891

Remember to adjust firewall rules if using TCP sockets, and keep the listener bound to localhost as shown so the milter is not reachable from other hosts.