
I'm using Fedora 28 x64 on a VPS. I've set up Postfix as a send-only mail server with OpenDKIM for signing outgoing emails.

Postfix connects to OpenDKIM via a Unix socket set up on /run/opendkim/opendkim.sock

Permissions for /run/opendkim/ are as follows:

```
drwx------. 2 opendkim opendkim 80 Jul 13 00:05 opendkim
```

For Postfix to connect to the OpenDKIM milter, I've changed Group to postfix in the OpenDKIM unit file and added RuntimeDirectoryMode=0750. Here's the entire opendkim.service file.

Location: /usr/lib/systemd/system/opendkim.service

```ini
[Unit]
Description=DomainKeys Identified Mail (DKIM) Milter
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target remote-fs.target nss-lookup.target syslog.target

[Service]
Type=forking
User=opendkim
Group=postfix
PIDFile=/run/opendkim/opendkim.pid
EnvironmentFile=-/etc/sysconfig/opendkim
ExecStart=/usr/sbin/opendkim $OPTIONS
ExecReload=/bin/kill -USR1 $MAINPID
RuntimeDirectory=opendkim
RuntimeDirectoryMode=0750

[Install]
WantedBy=multi-user.target
```

The issue I'm facing is that the User, Group, RuntimeDirectoryMode values are only applied when I restart the OpenDKIM service manually. OpenDKIM is enabled to run on system boot via systemctl enable opendkim.

But after rebooting the VPS, the directory permissions are the same.

```
drwx------. 2 opendkim opendkim 80 Jul 13 00:05 opendkim
```

I've to run systemctl restart opendkim for the permissions to change to

```
drwxr-x---. 2 opendkim postfix 80 Jul 13 00:05 opendkim
```

Any idea why this happens? Anything I'm missing here?

1 Answer

The opendkim package includes a systemd-tmpfiles configuration which creates the /run/opendkim directory at startup and sets its ownership and permissions.

```
[root@localhost ~]# cat /etc/tmpfiles.d/opendkim.conf
D /var/run/opendkim 0700 opendkim opendkim -
```

So, your customizations to the systemd service unit are being overwritten at boot time.


According to the tutorial linked from the README.fedora shipped with the package, you're meant to have Postfix talk to OpenDKIM over a local TCP socket on port 8891, not via its UNIX socket. So there is no need to alter the permissions of the temporary directory. You do need to alter your Postfix main.cf though:

```
smtpd_milters           = inet:127.0.0.1:8891
```

You also should return the opendkim configuration to its shipped default.

```
##  Create a socket through which your MTA can communicate.
Socket  inet:8891@localhost
```
Michael Hampton
  • Changed the OpenDKIM to listen to TCP and now everything works without any manual restarts after reboot. I've heard that unix sockets are faster than TCP so do you recommend that I edit `/etc/tmpfiles.d/opendkim.conf` so that unix sockets work too? Is there any way to safely overwrite files inside `/etc/tmpfiles.d/`, something like `systemctl edit opendkim.service`? –  Jul 13 '18 at 11:43
  • @Ronak There's little difference between Unix sockets and a localhost TCP connection. In fact the latter is sometimes more performant. Anyway, the _default_ opendkim.conf that shipped with it already listened on TCP, so you could just restore it to what it was originally, and leave everything else alone. – Michael Hampton Jul 13 '18 at 16:48
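
The conflict the answer describes, as an added example (not part of the original answer or the opendkim package): a shell check that reads a tmpfiles.d file and a unit file and reports when they declare different mode or ownership for the same runtime directory, which decides who can reach the milter socket. The function names and the sample files are assumptions, constructed from the two configs quoted on this page.

```bash
#!/usr/bin/env bash
# Added example. Sample files are constructed from the two configs quoted above.

# "mode user group" that a tmpfiles.d file sets on directory $1.
# /var/run is mapped to /run (it is a symlink to /run on Fedora).
tmpfiles_entry() {
    awk -v want="$1" '
        $1 ~ /^[dD]/ {
            path = $2; sub(/^\/var\/run\//, "/run/", path)
            mode = $3; sub(/^0/, "", mode)      # 0700 and 700 compare equal
            if (path == want) print mode, $4, $5
        }' "$2"
}

# "mode user group" that a unit file requests for its RuntimeDirectory.
unit_entry() {
    awk -F= '
        $1 == "RuntimeDirectoryMode" { mode = $2 }
        $1 == "User"  { user = $2 }
        $1 == "Group" { group = $2 }
        END {
            if (mode == "") mode = "0755"       # systemd default
            sub(/^0/, "", mode); print mode, user, group
        }' "$1"
}

# Returns 0 when both agree (or tmpfiles.d has no entry), 1 on a conflict.
check_runtime_dir() {
    local t u
    t=$(tmpfiles_entry "$1" "$2")
    u=$(unit_entry "$3")
    if [ -n "$t" ] && [ "$t" != "$u" ]; then
        echo "CONFLICT on $1: tmpfiles.d sets '$t', unit requests '$u'"
        return 1
    fi
    echo "OK: $1"
}

# Constructed sample input mirroring the files shown on this page.
demo=$(mktemp -d)
printf 'D /var/run/opendkim 0700 opendkim opendkim -\n' > "$demo/tmpfiles.conf"
printf '%s\n' '[Service]' 'User=opendkim' 'Group=postfix' \
    'RuntimeDirectory=opendkim' 'RuntimeDirectoryMode=0750' > "$demo/unit.service"

check_runtime_dir /run/opendkim "$demo/tmpfiles.conf" "$demo/unit.service" || true
```

On a real host, pass the installed `/etc/tmpfiles.d/opendkim.conf` and the unit file path instead of the sample files.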