dk-milter with postfix and virtual domains not working

Discussion in 'Server Operation' started by ladduro, Feb 10, 2009.

  1. ladduro

    ladduro New Member

    Hello,

    I just followed the howto from HowtoForge about installing the dk-milter with postfix. Here is my configuration:

    Code:
     cat /etc/sysconfig/dk-milter
    # Default values
    #
    USER="dk-milt"
    PORT="local:/var/run/dk-milter/dk.sock"
    #PORT="inet:127.0.01:10034"
    SIGNING_DOMAIN="nights.ro,djsuperstore.ro"
    SELECTOR_NAME="default"
    KEYFILE="/etc/mail/domainkeys/dk_key.pem"
    SIGNER=yes
    VERIFIER=yes
    CANON=simple
    REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
    EXTRA_ARGS="-h -l -D"
    MILTER_GROUP="mail"
    
    Code:
     cat default.txt
    default._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMDAVuWTyhxGFfNA1AKYx79467stva1WPS9T85JwMVV7cgYHaLHUagW6W4itUn/Vz2yCxF7jnRgav//T1+Bxl/kCAwEAAQ==" ; ----- DomainKey default for nights.ro
    
    
    and in zone:
    
    cat /var/named/chroot/var/named/data/djsuperstore.ro.db
    .............................................................
    default._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMDAVuWTyhxGFfNA1AKYx79467stva1WPS9T85JwMVV7cgYHaLHUagW6W4itUn/Vz2yCxF7jnRgav//T1+Bxl/kCAwEAAQ=="
    _domainkey IN TXT "t=y; o=~"
    .............................................................
    
    Posting only the relevant part.

    In main.cf i have:
    Code:
    smtpd_milters = unix:/var/run/dk-milter/dk.sock
    non_smtpd_milters = unix:/var/run/dk-milter/dk.sock
    
And in maillog I receive the following error:

    Code:
    Feb 10 12:04:30 ns1 postfix/smtpd[15689]: warning: connect to Milter service unix:/var/run/dk-milter/dk.sock: No such file or directory
    Feb 10 12:04:30 ns1 postfix/smtpd[15689]: NOQUEUE: milter-reject: CONNECT from unknown[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
    Feb 10 12:04:30 ns1 postfix/smtpd[15689]: NOQUEUE: milter-reject: EHLO from unknown[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
    Feb 10 12:04:30 ns1 postfix/smtpd[15689]: NOQUEUE: milter-reject: MAIL from unknown[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=ESMTP helo=<admin.ns1.nights.ro>
    
    As you can see the file exists:
    Code:
    ls -la /var/run/dk-milter/
    total 20
    drwxrwx---  2 dk-milt mail 4096 Feb 10 13:07 .
    drwxr-xr-x 29 root    root 4096 Feb 10 13:10 ..
    srwxrwx---  1 dk-milt mail    0 Feb 10 13:07 dk.sock
    
And also the TXT dig for the djsuperstore.ro domain is correct:
    Code:
     dig default._domainkey.djsuperstore.ro TXT
    
    ; <<>> DiG 9.3.4-P1 <<>> default._domainkey.djsuperstore.ro TXT
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53014
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    
    ;; QUESTION SECTION:
    ;default._domainkey.djsuperstore.ro. IN TXT
    
    ;; ANSWER SECTION:
    default._domainkey.djsuperstore.ro. 39615 IN TXT "g=\; k=rsa\; t=y\; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMDAVuWTyhxGFfNA1AKYx79467stva1WPS9T85JwMVV7cgYHaLHUagW6W4itUn/Vz2yCxF7jnRgav//T1+Bxl/kCAwEAAQ=="
    
    ;; AUTHORITY SECTION:
    djsuperstore.ro.        38839   IN      NS      ns1.djsuperstore.ro.
    djsuperstore.ro.        38839   IN      NS      ns2.djsuperstore.ro.
    
    ;; ADDITIONAL SECTION:
    ns1.djsuperstore.ro.    40475   IN      A       85.9.22.129
    ns2.djsuperstore.ro.    40475   IN      A       85.9.22.129
    
    ;; Query time: 1 msec
    ;; SERVER: 193.226.128.1#53(193.226.128.1)
    ;; WHEN: Tue Feb 10 14:06:17 2009
    ;; MSG SIZE  rcvd: 279
    
dig on the nights.ro domain has a different TXT because it is not updated yet (and it is a key previously created). Let's refer to djsuperstore.ro only.

Am I doing something wrong? Why is this not working?
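An added check for the DNS half of this setup (it is not code from the post, from the HowtoForge howto or from dk-milter): it parses a DomainKeys selector record as either a zone file or dig presents it (dig escapes the semicolons as `\;`), verifies that the `p=` value decodes to a DER-encoded RSA SubjectPublicKeyInfo, reports the modulus size, and flags testing mode (`t=y`). The selector and policy records are the ones posted above; the other inputs are constructed. Note what it reports for the posted key: the `MFww...` prefix is a 512-bit RSA modulus, which is far below what any verifier should be asked to trust today.

```python
import base64
import re

# The selector record as dig printed it above ("\;" is dig's rendering of ';' inside a
# TXT string) and the policy record from the zone file; both copied from the thread.
SAMPLE_DIG_TXT = (r'"g=\; k=rsa\; t=y\; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMDAVuWTyhxGFfNA1AKYx79467'
                  r'stva1WPS9T85JwMVV7cgYHaLHUagW6W4itUn/Vz2yCxF7jnRgav//T1+Bxl/kCAwEAAQ=="')
SAMPLE_POLICY_TXT = '"t=y; o=~"'

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def parse_domainkey_txt(txt):
    """Turn a TXT record (zone-file or dig style, possibly split into several quoted
    strings) into a dict of tag=value pairs."""
    s = txt.strip()
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', s)
    if chunks:                      # quoted form: join the strings, then drop dig's escapes
        s = "".join(chunks)
    s = s.replace(r"\;", ";")
    tags = {}
    for part in s.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def _der_read(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:               # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Return the modulus size of a DER SubjectPublicKeyInfo holding an RSA key, or None."""
    try:
        tag, body, _ = _der_read(spki, 0)                 # SubjectPublicKeyInfo SEQUENCE
        if tag != 0x30:
            return None
        _, alg, pos = _der_read(body, 0)                  # AlgorithmIdentifier SEQUENCE
        oid_tag, oid, _ = _der_read(alg, 0)
        if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
            return None
        bit_tag, bitstr, _ = _der_read(body, pos)         # BIT STRING; first byte = unused bits
        if bit_tag != 0x03:
            return None
        _, rsa_pub, _ = _der_read(bitstr[1:], 0)          # RSAPublicKey SEQUENCE
        int_tag, modulus, _ = _der_read(rsa_pub, 0)       # INTEGER n (the modulus)
        if int_tag != 0x02:
            return None
        return int.from_bytes(modulus, "big").bit_length()
    except IndexError:                                    # truncated or non-DER input
        return None


def check_domainkey_record(txt, min_bits=1024):
    """Validate a selector record; returns {'tags', 'testing', 'key_bits', 'problems'}."""
    result = {"tags": None, "testing": False, "key_bits": None, "problems": []}
    try:
        tags = parse_domainkey_txt(txt)
    except ValueError as e:
        result["problems"].append(str(e))
        return result
    result["tags"] = tags
    result["testing"] = tags.get("t") == "y"        # t=y: verifiers should not reject on failure
    if tags.get("k", "rsa") != "rsa":
        result["problems"].append("unsupported key type k=%s" % tags["k"])
    p = tags.get("p")
    if p is None:
        result["problems"].append("missing p= tag")
        return result
    if p == "":
        result["problems"].append("empty p= tag means the key is revoked")
        return result
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:                                    # binascii.Error is a ValueError
        result["problems"].append("p= is not valid base64")
        return result
    bits = rsa_modulus_bits(der)
    result["key_bits"] = bits
    if bits is None:
        result["problems"].append("p= does not decode to a DER-encoded RSA public key")
    elif bits < min_bits:
        result["problems"].append("RSA modulus is only %d bits; %d or more expected" % (bits, min_bits))
    return result
```

Run it against the output of `dig default._domainkey.<domain> TXT` for each signing domain: a clean result (no problems, `testing` false once the record leaves `t=y`) is what the milter's verifier side needs from the other end.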
     
  2. topdog

    topdog Active Member HowtoForge Supporter

You need to use the same key for all the domains. As for the error in the log, the milter is not running; that is why postfix cannot connect to it. You need to check and see why the milter is not running.
     
  3. ladduro

    ladduro New Member

    The milter is running:

    Code:
    service dk-milter status
    dk-filter (pid 11515) is running...
    
    and
    
     ps aux|grep milter
    dk-milt  11515  0.0  0.0  15488   856 ?        Ssl  13:07   0:00 /usr/sbin/dk-filter -u dk-milt -p local:/var/run/dk-milter/dk.sock -d nights.ro,djsuperstore.ro -s /etc/mail/domainkeys/dk_key.pem -S default -b sv -c simple -C bad=r,dns=t,int=t,no=a,miss=r -h -l -D -P /var/run/dk-filter0.pid
    
As you can see the process is up and running. The problem is not here, I'm afraid.
     
  4. topdog

    topdog Active Member HowtoForge Supporter

Have you checked SELinux?
     
  5. ladduro

    ladduro New Member

SELinux is disabled.

I have to mention that postfix is running under user and group postfix. Is it correct to leave this like that:

    MILTER_GROUP="mail"
     
  6. topdog

    topdog Active Member HowtoForge Supporter

No, in that case you need to change MILTER_GROUP to postfix.
     
  7. ladduro

    ladduro New Member

Thank you very much for your support. I managed to resolve it by using an inet socket. Changing MILTER_GROUP does not work.

    Regards.
     
  8. codechump

    codechump New Member

Could you please explain how you managed to 'resolve it by using an inet socket'? I think I'm having the same problem, but don't follow what you did to resolve it.

    thanks...
     
  9. topdog

    topdog Active Member HowtoForge Supporter

He means you need to run it using TCP, not via a UNIX socket.

    Code:
    inet:localhost:2020
    for postfix

    and

    Code:
inet:2020@localhost
    for the milter
     
  10. ladduro

    ladduro New Member

    in /etc/sysconfig/dk-milter

    Code:
PORT="inet:10035@public_ip"
    
    in /etc/postfix/main.cf
    Code:
    smtpd_milters = inet:public_ip:10035
    non_smtpd_milters = inet:public_ip:10035
    
It is not working with localhost nor 127.0.0.1.

    Regards
     
  11. topdog

    topdog Active Member HowtoForge Supporter

Not a good choice binding to the public IP address; it should work binding to localhost.
     
  12. ladduro

    ladduro New Member

As I said, it is not working with localhost or loopback. I do not know why, but I receive some errors.

I do not have the errors and I cannot revert to post them here.

    sorry
     
  13. codechump

    codechump New Member

I get an error smfi_opensocket() failed if I try to bind to the public IP.

Running as localhost is not working either!!! I get a message in the /var/log/maillog file during sending email (from a client to relay through postfix) saying '...external host ??? attempted to send as <mydomain>.com'.

The email still goes through but unsigned.... I've been trying to get this going for days now! Maybe something's not quite right in my main.cf and dk-milter doesn't like it?
     
  14. codechump

    codechump New Member

    Finally it's working!!!

    Here's the fix if it might help anyone. My unique case is that the client isn't 'authenticating' to relay mail via SMTP, instead their IP address is 'white listed' by being included in main.cf.

This works fine for Postfix; however, dk-milter doesn't like this! I found someone who'd had a similar problem with a dkim implementation.

    The solution was to let dk-milter know the IP address as well. In /etc/sysconfig/dk-milter modify the line as follows:
    EXTRA_ARGS="-h -l -D -i /etc/postfix/internal_hosts"

    In the text file 'internal_hosts', you can add 127.0.0.1, the machine's IP and the remote client's IP address as a list of IPs on separate lines.

Following a proper 'restart' of Postfix/dk-milter, dk-milter now sees the client as a trusted local IP and will sign the email. I hope nobody else suffers like this!
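To make concrete why the relaying client's address has to be in the `-i` list, here is an added model of the sign-or-verify decision; it is not dk-filter's own code and simplifies it to what this thread shows: mail from an address on the internal list is signed when its sender domain is one of the signing domains, mail from any other address is only verified, and an outside address claiming a signing domain produces the "external host ... attempted to send as" warning quoted above. The internal_hosts format handled here (one IP address or CIDR block per line, `#` comments), the loopback-only default, and the addresses (documentation ranges) are assumptions or constructed.

```python
import ipaddress

# Constructed /etc/postfix/internal_hosts in the format assumed here: one address or
# CIDR block per line, '#' starts a comment. Addresses come from the documentation ranges.
SAMPLE_INTERNAL_HOSTS = """\
# hosts whose mail dk-milter should sign instead of verify
127.0.0.1
203.0.113.10          # this mail server's own public address
198.51.100.0/24       # the office network that relays through us without SMTP AUTH
"""
SIGNING_DOMAINS = {"nights.ro", "djsuperstore.ro"}      # SIGNING_DOMAIN from the first post


def load_internal_hosts(text):
    """Parse the list into ip_network objects; a bare address becomes a /32 (or /128)."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_internal(client_ip, nets):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


def milter_decision(client_ip, sender_domain, nets, signing_domains=SIGNING_DOMAINS):
    """Simplified model of the sign-or-verify choice (an assumption, not dk-filter's code):
    internal client + signing domain -> sign; anything else -> verify, with the
    'external host attempted to send as' warning when an outside client claims our domain."""
    domain = sender_domain.lower()
    if is_internal(client_ip, nets):
        action = "sign" if domain in signing_domains else "accept"
        return {"action": action, "warning": None}
    warning = None
    if domain in signing_domains:
        warning = "external host %s attempted to send as %s" % (client_ip, domain)
    return {"action": "verify", "warning": warning}


def walk_through(internal_hosts_text=SAMPLE_INTERNAL_HOSTS):
    """Run the relaying client through the decision with and without its network listed."""
    with_client = load_internal_hosts(internal_hosts_text)
    without_client = load_internal_hosts("127.0.0.1\n")    # loopback only (assumed default)
    client, domain = "198.51.100.7", "nights.ro"
    return {
        "listed": milter_decision(client, domain, with_client),
        "not_listed": milter_decision(client, domain, without_client),
        "loopback": milter_decision("127.0.0.1", domain, without_client),
        "stranger": milter_decision("192.0.2.9", "example.org", with_client),
    }


if __name__ == "__main__":
    for case, outcome in walk_through().items():
        print(case, "->", outcome)
```

The "not_listed" case is the unsigned-but-delivered mail described two posts up: the milter never rejects, it just verifies instead of signing and logs the warning. Listing a whole network as internal also means anything on it can get mail signed as your domain, so keep the list as narrow as the relay rules in main.cf.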
     
  15. robfelty

    robfelty New Member

    getting permission denied problem with dkim-milter

    I have had dkim milter running with postfix just fine since last August or so on Fedora 9. Yesterday I upgraded dkim-milter to 2.8.1 and postfix to 2.5.6, and now I am suddenly getting permission denied errors when I try to use dkim-milter.

    I have the following lines in my postfix main.cf file:
    Code:
    smtpd_milters = unix:/var/run/dkim-milter/dkim-milter.sock
    non_smtpd_milters = unix:/var/run/dkim-milter/dkim-milter.sock
My dkim-milter config (in /etc/sysconfig/dkim-milter):
    Code:
    # To sign only, use -bs
    # EXTRA_FLAGS=-bs
    USER="dkim-milter"
    PORT="local:/var/run/dkim-milter/dkim-milter.sock"
    #PORT="inet:[email protected]"
    SIGNING_DOMAIN="kibotzer.com,yootles.com"
    SELECTOR_NAME="default"
    KEYFILE="/etc/mail/dkim-milter/keys/${SIGNING_DOMAIN}_${SELECTOR_NAME}.key.pem"
    SIGNER=yes
    VERIFIER=yes
    CANON=simple
    SIGALG=rsa-sha1
    REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
    #REJECTION="bad=r,dns=t,int=t,no=a"
    EXTRA_ARGS="-h -l -D"
    #MILTER_GROUP="mail"
    
    My maillog gives me the following error:
    Code:
    Apr 14 17:54:26 kibotzer postfix/smtpd[16891]: warning: connect to Milter service unix:/var/run/dkim-milter/dkim-milter.sock: Permission denied
    
    Here are the default permissions that dkim-milter uses for the socket file:
    Code:
    srwxrwxr-x 1 dkim-milter dkim-milter 0 2009-04-14 20:00 dkim-milter.sock
    
    I have tried just about every combination of permissions and user and group for the sock file, and none seem to be working.

    I also tried using inet: instead of a socket, but I couldn't get that to work either. I added port 20209 to my iptables, but nmap doesn't list it as a known service.

    Any help would be much appreciated.

    Rob
     
  16. topdog

    topdog Active Member HowtoForge Supporter

    That is most likely selinux blocking access to the socket, check your audit log.
     
  17. robfelty

    robfelty New Member

    selinux is disabled

    Topdog,

    I disabled selinux altogether but still get the same error.

    Rob
     
  18. topdog

    topdog Active Member HowtoForge Supporter

Your milter is not running; have you checked that it actually is? This is because there is a syntax change which removed the miss=r option.

    You need to remove that option and start the milter
     
  19. robfelty

    robfelty New Member

    got dkim-milter working

    Topdog,

    Thanks for your help. I did have the milter running fine, but it would break the mailserver, so I had to keep disabling it and try out some different options. I did get it to work eventually by adding the postfix user to the dkim-milter group. I think that I might have tried that before, but maybe selinux was still causing problems. I haven't tried turning selinux back on.

    Rob
     
  20. alxgomz

    alxgomz New Member

If you want to use a UNIX socket, don't forget postfix is a chrooted server!
That's why it can't find your socket if it is not inside the jail.
Prefix the socket path with the chroot dir in your config files.
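The three socket failures in this thread (the first post's "No such file or directory" with the socket plainly present, robfelty's "Permission denied", and the fix of putting the postfix user in the milter's group) are all answerable from master.cf and the mode bits, so here is an added diagnostic that pulls them together. It is not code from the thread, from Postfix or from dk-milter. It reads master.cf to decide whether smtpd runs chrooted (a `-` in the chroot column means the Postfix default: `y` before 3.0, `n` from 3.0 on), resolves a `unix:` milter path the way a chrooted smtpd opens it (relative to the queue directory, as alxgomz says), and then evaluates the directory and socket permission bits for a given uid and set of groups. The master.cf excerpt, the temporary directory tree and the "postfix" uid are constructed; SELinux is out of scope for the check.

```python
import os
import socket
import stat
import tempfile

# Constructed master.cf excerpt: on Postfix 2.x a '-' in the chroot column (5th) means
# "chroot = y", which is the situation described in the post above.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
"""

def smtpd_is_chrooted(master_cf, postfix_version=(2, 5)):
    """True if the 'smtp inet ... smtpd' service runs chrooted ('-' = default: y before 3.0, n from 3.0)."""
    default = "n" if postfix_version >= (3, 0) else "y"
    for line in master_cf.splitlines():
        cols = line.split()
        if len(cols) >= 8 and cols[0] == "smtp" and cols[1] == "inet" and cols[7] == "smtpd":
            return (cols[4] if cols[4] != "-" else default) == "y"
    raise ValueError("no 'smtp inet ... smtpd' entry in master.cf")

def resolve_milter_socket(spec, chrooted, queue_directory="/var/spool/postfix"):
    """Path smtpd really opens for a unix: milter entry: inside the jail (relative to the
    queue directory) when chrooted, the literal path otherwise."""
    if not spec.startswith("unix:"):
        raise ValueError("only unix: sockets are resolved here")
    path = spec[len("unix:"):]
    return os.path.join(queue_directory, path.lstrip("/")) if chrooted else path

def _allowed(st, uid, gids, want):
    """Plain POSIX mode-bit check of 'want' (letters r/w/x) for a non-root uid and its groups."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    perm = (st.st_mode >> shift) & 7
    return all(perm & {"r": 4, "w": 2, "x": 1}[c] for c in want)

def diagnose_milter_socket(path, uid, gids, stop_at="/"):
    """Reasons the given uid/groups could not connect to the socket (empty list = reachable,
    SELinux aside); directories at or above stop_at are not examined."""
    if not os.path.lexists(path):
        return ["%s: No such file or directory (a chrooted smtpd looks under the queue directory)" % path]
    problems = []
    parent = os.path.dirname(path)                     # every directory on the way needs x
    while parent != stop_at and parent != os.path.dirname(parent):
        st = os.stat(parent)
        if not _allowed(st, uid, gids, "x"):
            problems.append("%s: not searchable for uid %d (mode %o, owner %d:%d)"
                            % (parent, uid, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
        parent = os.path.dirname(parent)
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("%s: not a socket" % path)
    if not _allowed(st, uid, gids, "rw"):
        problems.append("%s: Permission denied for uid %d (mode %o, owner %d:%d); add the postfix "
                        "user to group %d or point MILTER_GROUP at postfix's group"
                        % (path, uid, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, st.st_gid))
    return problems

def build_sandbox():
    """Throwaway tree mimicking the thread: <root>/var/run/dk-milter/dk.sock with mode 0770
    (srwxrwx---, like the ls output above) and an empty <root>/var/spool/postfix."""
    root = tempfile.mkdtemp(prefix="milter-demo-")
    sock_dir = os.path.join(root, "var", "run", "dk-milter")
    os.makedirs(sock_dir)
    os.chmod(os.path.join(root, "var"), 0o755)
    os.chmod(os.path.join(root, "var", "run"), 0o755)
    os.chmod(sock_dir, 0o770)
    sock_path = os.path.join(sock_dir, "dk.sock")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(sock_path)                                  # creates the socket file
    s.close()                                          # the file stays behind, like a stale dk.sock
    os.chmod(sock_path, 0o770)
    os.makedirs(os.path.join(root, "var", "spool", "postfix"))
    return root, sock_path

def run_checks(root, sock_path):
    """Reproduce the three outcomes from the thread for a hypothetical postfix uid that does
    not own the socket; MILTER_GROUP is whatever group the socket was created with."""
    spec = "unix:/var/run/dk-milter/dk.sock"
    st = os.stat(sock_path)
    postfix_uid, milter_gid = st.st_uid + 1000, st.st_gid
    queue_dir = os.path.join(root, "var", "spool", "postfix")
    inside_jail = resolve_milter_socket(spec, smtpd_is_chrooted(SAMPLE_MASTER_CF), queue_dir)
    outside = os.path.join(root, resolve_milter_socket(spec, False).lstrip("/"))
    return {
        "chrooted": diagnose_milter_socket(inside_jail, postfix_uid, {milter_gid}, stop_at=root),
        "wrong_group": diagnose_milter_socket(outside, postfix_uid, set(), stop_at=root),
        "right_group": diagnose_milter_socket(outside, postfix_uid, {milter_gid}, stop_at=root),
    }

if __name__ == "__main__":
    root, sock_path = build_sandbox()
    for case, problems in run_checks(root, sock_path).items():
        print(case, "->", problems or ["ok"])
```

On a real box, call `diagnose_milter_socket` with the path from `resolve_milter_socket` and the uid/gids of the postfix user (`pwd.getpwnam('postfix')` and `os.getgrouplist`); the "chrooted" outcome is the first post's error, "wrong_group" is robfelty's, and "right_group" is the state after adding postfix to the milter's group or setting MILTER_GROUP accordingly. Moving the socket under the queue directory is the least-privilege option for a chrooted smtpd; switching to an inet socket on localhost works too but makes the milter reachable by every local process.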
     
