dk-milter with postfix and virtual domains not working

Discussion in 'Server Operation' started by ladduro, Feb 10, 2009.

  1. ladduro

    ladduro New Member


    I just followed the howto from HowtoForge about installing the dk-milter with postfix. Here is my configuration:

     cat /etc/sysconfig/dk-milter
    # Default values
    EXTRA_ARGS="-h -l -D"
     cat default.txt
    default._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMDAVuWTyhxGFfNA1AKYx79467stva1WPS9T85JwMVV7cgYHaLHUagW6W4itUn/Vz2yCxF7jnRgav//T1+Bxl/kCAwEAAQ==" ; ----- DomainKey default for
    and in zone:
    cat /var/named/chroot/var/named/data/
    default._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMDAVuWTyhxGFfNA1AKYx79467stva1WPS9T85JwMVV7cgYHaLHUagW6W4itUn/Vz2yCxF7jnRgav//T1+Bxl/kCAwEAAQ=="
    _domainkey IN TXT "t=y; o=~"
    Posting only the relevant part.

    In i have:
    smtpd_milters = unix:/var/run/dk-milter/dk.sock
    non_smtpd_milters = unix:/var/run/dk-milter/dk.sock
    And in maillog I receive the following error:

    Feb 10 12:04:30 ns1 postfix/smtpd[15689]: warning: connect to Milter service unix:/var/run/dk-milter/dk.sock: No such file or directory
    Feb 10 12:04:30 ns1 postfix/smtpd[15689]: NOQUEUE: milter-reject: CONNECT from unknown[]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
    Feb 10 12:04:30 ns1 postfix/smtpd[15689]: NOQUEUE: milter-reject: EHLO from unknown[]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
    Feb 10 12:04:30 ns1 postfix/smtpd[15689]: NOQUEUE: milter-reject: MAIL from unknown[]: 451 4.7.1 Service unavailable - try again later; proto=ESMTP helo=<>
    As you can see the file exists:
    ls -la /var/run/dk-milter/
    total 20
    drwxrwx---  2 dk-milt mail 4096 Feb 10 13:07 .
    drwxr-xr-x 29 root    root 4096 Feb 10 13:10 ..
    srwxrwx---  1 dk-milt mail    0 Feb 10 13:07 dk.sock
    And also txt dig for domain is correct:
     dig TXT
    ; <<>> DiG 9.3.4-P1 <<>> TXT
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53014
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    ; IN TXT
    ;; ANSWER SECTION: 39615 IN TXT "g=\; k=rsa\; t=y\; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMDAVuWTyhxGFfNA1AKYx79467stva1WPS9T85JwMVV7cgYHaLHUagW6W4itUn/Vz2yCxF7jnRgav//T1+Bxl/kCAwEAAQ=="
    ;; AUTHORITY SECTION:        38839   IN      NS        38839   IN      NS
    ;; ADDITIONAL SECTION:    40475   IN      A    40475   IN      A
    ;; Query time: 1 msec
    ;; SERVER:
    ;; WHEN: Tue Feb 10 14:06:17 2009
    ;; MSG SIZE  rcvd: 279
    dig on domain has diff txt cause is not updated yet. (and it is a key previously created). Let's refer to only.

    Am I doing something wrong? Why is this not working?
  2. topdog

    topdog Active Member

    You need to use the same key for all the domains. As for the error in the log, the milter is not running; that is why postfix cannot connect to it. You need to check and see why the milter is not running.
  3. ladduro

    ladduro New Member

    The milter is running:

    service dk-milter status
    dk-filter (pid 11515) is running...
     ps aux|grep milter
    dk-milt  11515  0.0  0.0  15488   856 ?        Ssl  13:07   0:00 /usr/sbin/dk-filter -u dk-milt -p local:/var/run/dk-milter/dk.sock -d, -s /etc/mail/domainkeys/dk_key.pem -S default -b sv -c simple -C bad=r,dns=t,int=t,no=a,miss=r -h -l -D -P /var/run/
    As you can see, the process is up and running. The problem is not here, I'm afraid.
  4. topdog

    topdog Active Member

    Have you checked selinux?
  5. ladduro

    ladduro New Member

    selinux is disabled.

    I have to mention that postfix is running under user and group postfix. Is it correct to leave this like that:

  6. topdog

    topdog Active Member

    No, in that case you need to change the MILTER_GROUP to postfix.
  7. ladduro

    ladduro New Member

    Thank you very much for your support. I managed to resolve it by using inet socket. Changing MILTER_GROUP does not work.

  8. codechump

    codechump New Member

    Could you please explain how you managed to 'resolve it by using inet socket'? I think I'm having the same problem, but don't follow what you did to resolve it.

  9. topdog

    topdog Active Member

    He means you need to run it using TCP, not via a unix socket.

    for postfix


    inet:[email protected]
    for the milter
  10. ladduro

    ladduro New Member

    in /etc/sysconfig/dk-milter

    PORT="inet:[email protected]_ip"
    in /etc/postfix/
    smtpd_milters = inet:public_ip:10035
    non_smtpd_milters = inet:public_ip:10035
    Is not working with localhost nor

  11. topdog

    topdog Active Member

    Not a good choice binding to the public IP address; it should work binding to the localhost.
  12. ladduro

    ladduro New Member

    As I said, it is not working with localhost or loopback. I do not know why, but I receive some errors.

    I do not have the errors and I cannot revert to post them here.

  13. codechump

    codechump New Member

    I get an error smfi_opensocket() failed if I try to bind to the public IP

    Running as localhost is not working either!!! I get a message in the /var/log/maillog file during sending email (from a client to relay through postfix) saying '...external host ??? attempted to send as <mydomain>.com'

    The email still goes through but unsigned.... I've been trying to get this going for days now! Maybe something's not quite right in my and dk-milter doesn't like it?
  14. codechump

    codechump New Member

    Finally it's working!!!

    Here's the fix if it might help anyone. My unique case is that the client isn't 'authenticating' to relay mail via SMTP, instead their IP address is 'white listed' by being included in

    This works fine for Postfix, however dk-milter doesn't like this! I found someone who'd had a similar problem with a dkim implementation.

    The solution was to let dk-milter know the IP address as well. In /etc/sysconfig/dk-milter modify the line as follows:
    EXTRA_ARGS="-h -l -D -i /etc/postfix/internal_hosts"

    In the text file 'internal_hosts', you can add the machine's IP and the remote client's IP address as a list of IPs on separate lines.

    Following a proper 'restart' of Postfix/dk-milter, dk-milter now sees the client as a trusted local IP and will sign the email. I hope nobody else suffers like this!
  15. robfelty

    robfelty New Member

    getting permission denied problem with dkim-milter

    I have had dkim milter running with postfix just fine since last August or so on Fedora 9. Yesterday I upgraded dkim-milter to 2.8.1 and postfix to 2.5.6, and now I am suddenly getting permission denied errors when I try to use dkim-milter.

    I have the following lines in my postfix file:
    smtpd_milters = unix:/var/run/dkim-milter/dkim-milter.sock
    non_smtpd_milters = unix:/var/run/dkim-milter/dkim-milter.sock
    My dkim-milter config (in /etc/sysconfig/dkim-milter)
    # To sign only, use -bs
    # EXTRA_FLAGS=-bs
    #PORT="inet:[email protected]"
    EXTRA_ARGS="-h -l -D"
    My maillog gives me the following error:
    Apr 14 17:54:26 kibotzer postfix/smtpd[16891]: warning: connect to Milter service unix:/var/run/dkim-milter/dkim-milter.sock: Permission denied
    Here are the default permissions that dkim-milter uses for the socket file:
    srwxrwxr-x 1 dkim-milter dkim-milter 0 2009-04-14 20:00 dkim-milter.sock
    I have tried just about every combination of permissions and user and group for the sock file, and none seem to be working.

    I also tried using inet: instead of a socket, but I couldn't get that to work either. I added port 20209 to my iptables, but nmap doesn't list it as a known service.

    Any help would be much appreciated.

  16. topdog

    topdog Active Member

    That is most likely selinux blocking access to the socket, check your audit log.
  17. robfelty

    robfelty New Member

    selinux is disabled


    I disabled selinux altogether but still get the same error.

  18. topdog

    topdog Active Member

    Your milter is not running; have you checked that it actually is? This is because there is a syntax change which removed the miss=r option.

    You need to remove that option and start the milter
  19. robfelty

    robfelty New Member

    got dkim-milter working


    Thanks for your help. I did have the milter running fine, but it would break the mailserver, so I had to keep disabling it and try out some different options. I did get it to work eventually by adding the postfix user to the dkim-milter group. I think that I might have tried that before, but maybe selinux was still causing problems. I haven't tried turning selinux back on.

  20. alxgomz

    alxgomz New Member

    If you want to use a UNIX socket, don't forget postfix is a chrooted server!
    That's why it can't find your socket if it is not inside the jail.
    Prefix the socket path with the chroot dir in your config files.
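
Added example, not part of any post in this thread: a small Python model of the two checks smtpd must pass to reach a milter UNIX socket (path resolution under a chroot, then directory and socket permissions), applied to the `ls` lines posted above. The chroot directory `/var/spool/postfix`, the group memberships, and the modes of the parent directories are assumptions.

```python
import posixpath

def allowed(mode, owner, group, user, groups, bit):
    """Check one permission bit ('w' or 'x') of an ls-style mode for a non-root user."""
    perms = mode[1:10]
    if user == owner:
        triplet = perms[0:3]
    elif group in groups:
        triplet = perms[3:6]
    else:
        triplet = perms[6:9]
    ch = triplet["rwx".index(bit)]
    return ch == bit or (bit == "x" and ch in "st")

def diagnose(spec, fs, user, groups, chroot=None):
    """Return 'OK' or the errno name connect() would report for a milter socket.

    fs maps absolute path -> (mode, owner, group). chroot is the jail directory
    (the Postfix queue directory) or None when smtpd is not chrooted.
    """
    path = spec.split(":", 1)[1]              # drop the "unix:" prefix
    if chroot:                                # inside the jail, "/" is the chroot dir
        path = posixpath.normpath(chroot + "/" + path)
    current = ""
    for name in path.strip("/").split("/")[:-1]:
        current += "/" + name                 # each directory needs search (x)
        if current not in fs:
            return "ENOENT"                   # "No such file or directory"
        if not allowed(*fs[current], user, groups, "x"):
            return "EACCES"                   # "Permission denied"
    if path not in fs:
        return "ENOENT"
    # connecting to a pathname socket needs write permission on the socket file
    return "OK" if allowed(*fs[path], user, groups, "w") else "EACCES"

# Constructed sample data: modes and owners copied from the ls lines in the thread;
# the parent directories (WORLD) are assumed to be ordinary root-owned 0755 dirs.
WORLD = ("drwxr-xr-x", "root", "root")
DK_SOCK = "unix:/var/run/dk-milter/dk.sock"
FS_DK = {"/var": WORLD, "/var/run": WORLD,
         "/var/run/dk-milter": ("drwxrwx---", "dk-milt", "mail"),
         "/var/run/dk-milter/dk.sock": ("srwxrwx---", "dk-milt", "mail")}
DKIM_SOCK = "unix:/var/run/dkim-milter/dkim-milter.sock"
FS_DKIM = {"/var": WORLD, "/var/run": WORLD, "/var/run/dkim-milter": WORLD,
           "/var/run/dkim-milter/dkim-milter.sock":
               ("srwxrwxr-x", "dkim-milter", "dkim-milter")}

if __name__ == "__main__":
    print(diagnose(DK_SOCK, FS_DK, "postfix", ["postfix"], "/var/spool/postfix"))
    print(diagnose(DK_SOCK, FS_DK, "postfix", ["postfix"]))
    print(diagnose(DKIM_SOCK, FS_DKIM, "postfix", ["postfix", "dkim-milter"]))
```

In this model a chrooted smtpd gets ENOENT for a socket that exists only outside the jail, and an unchrooted smtpd gets EACCES until the postfix user is in the group that owns the socket and its directory.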
