Tags: sockets, postfix-mta, dkim

How to use opendkim socket in 2 postfix instances?


I have 2 Postfix instances running, and I want to sign emails with OpenDKIM, but the issue is I am not able to use the same socket in both instances. The configuration is below.

/etc/default/opendkim

SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"
SOCKET="local:/var/spool/postfix-2/opendkim/opendkim.sock"

/etc/postfix/main.cf

smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = local:opendkim/opendkim.sock

/etc/postfix-2/main.cf

smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = local:opendkim/opendkim.sock

Please help me!


Solution

  • OpenDKIM will only use one UNIX socket. You can't specify multiple UNIX sockets as you have above.

    Option 1

    Create the socket file somewhere else e.g. SOCKET="local:/var/run/opendkim/opendkim.sock". Make sure both instances of Postfix have permissions to access this file, through membership of the opendkim group or otherwise.

    Create an opendkim directory in the chroot jail for each instance of Postfix:

    mkdir /var/spool/postfix/opendkim/
    mkdir /var/spool/postfix-2/opendkim/
    

    Bind mount the directory that contains the socket file to each of the directories in the postfix chroot jails.

    mount --bind /var/run/opendkim/ /var/spool/postfix/opendkim/
    mount --bind /var/run/opendkim/ /var/spool/postfix-2/opendkim/
    

    Both instances of Postfix should now have access to the same socket file, mounted within their own directories. If that is now working you'll want to add entries to /etc/fstab so that this mounting happens on every boot.

    /var/run/opendkim/ /var/spool/postfix/opendkim none defaults,bind 0 0
    /var/run/opendkim/ /var/spool/postfix-2/opendkim none defaults,bind 0 0
    

    Option 2

    Use a TCP/IP port instead of a unix socket for communication between Postfix and OpenDKIM e.g. SOCKET="inet:8891@localhost".

    Change your Postfix main.cf files to use this TCP/IP socket:

    smtpd_milters = inet:localhost:8891
    non_smtpd_milters = inet:localhost:8891
    

    If Postfix can't connect then you may need to adjust your firewall to allow this connection.

    If your outgoing mail is not being signed then you may need to add the following lines to opendkim.conf:

    InternalHosts           /etc/opendkim/TrustedHosts
    ExternalIgnoreList      /etc/opendkim/TrustedHosts
    

    Create this TrustedHosts file and list every IP address and hostname that Postfix might use when connecting to OpenDKIM, e.g.:

    127.0.0.1
    ::1
    localhost
    hostname.example.com
    example.com
    

    This list identifies which hosts mail should be signed for, as opposed to external mail which should have any signatures verified.
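As an added example, not part of the original question or answer: a small POSIX shell script that turns an OpenDKIM SOCKET value into the milter setting each Postfix instance needs and checks an instance's main.cf against it. It encodes the two rules the answer relies on: a chrooted Postfix resolves a `local:` path relative to its queue_directory (so a socket outside the chroot only works once its directory is bind-mounted in, as in Option 1), and OpenDKIM's `inet:PORT@HOST` becomes Postfix's `inet:HOST:PORT` (Option 2). The helper names are this example's own, the paths are the ones from the question, the main.cf parser is a deliberately simple sed (no continuation lines, unlike `postconf`), and the demo main.cf files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original answer. Given the OpenDKIM SOCKET
# value, derive the milter value each Postfix instance must carry, then check
# the instance's main.cf. Paths are the ones from the question; the helper
# names are this example's own.

# Print the Postfix smtpd_milters/non_smtpd_milters value matching an
# OpenDKIM SOCKET value, for the instance whose queue_directory is $2.
#   $1  OpenDKIM SOCKET: inet:PORT@HOST or local:/abs/path.sock
#   $2  queue_directory of the instance (root of its chroot)
#   $3  optional: directory inside the chroot where the socket's directory is
#       bind-mounted (Option 1 of the answer), e.g. /var/spool/postfix/opendkim
opendkim_socket_to_milter() {
    odk_sock=$1
    odk_queue=${2%/}
    odk_bind=${3:-}
    case $odk_sock in
        inet:*@*)
            # OpenDKIM writes inet:PORT@HOST, Postfix wants inet:HOST:PORT.
            odk_ph=${odk_sock#inet:}
            printf 'inet:%s:%s\n' "${odk_ph#*@}" "${odk_ph%@*}"
            ;;
        local:/*)
            odk_path=${odk_sock#local:}
            if [ -n "$odk_bind" ]; then
                # The socket's directory is bind-mounted at $odk_bind, so the
                # socket appears there under its own basename.
                odk_path="${odk_bind%/}/${odk_path##*/}"
            fi
            case $odk_path in
                "$odk_queue"/*)
                    # Chrooted Postfix resolves local: paths relative to queue_directory.
                    printf 'local:%s\n' "${odk_path#"$odk_queue/"}"
                    ;;
                *)
                    printf 'socket %s is outside chroot %s; bind-mount its directory (Option 1)\n' \
                        "$odk_path" "$odk_queue" >&2
                    return 1
                    ;;
            esac
            ;;
        *)
            printf 'unrecognised SOCKET syntax: %s\n' "$odk_sock" >&2
            return 2
            ;;
    esac
}

# Print the value of parameter $2 from main.cf $1 (last assignment wins, as
# in Postfix). Simplified parser: ignores continuation lines; use
# "postconf -c DIR PARAM" on a live system.
main_cf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Check that both milter parameters in main.cf $1 match the value derived for
# SOCKET $3 on the instance with queue_directory $2 (optional bind dir $4).
# Returns 0 when both match, 1 otherwise.
check_instance() {
    ci_maincf=$1
    ci_expected=$(opendkim_socket_to_milter "$3" "$2" "${4:-}") || return 1
    ci_status=0
    for ci_param in smtpd_milters non_smtpd_milters; do
        ci_actual=$(main_cf_value "$ci_maincf" "$ci_param")
        if [ "$ci_actual" = "$ci_expected" ]; then
            printf 'OK   %s: %s = %s\n' "$ci_maincf" "$ci_param" "$ci_actual"
        else
            printf 'FAIL %s: %s = "%s" (expected %s)\n' "$ci_maincf" "$ci_param" "$ci_actual" "$ci_expected"
            ci_status=1
        fi
    done
    return $ci_status
}

# Constructed demo: copies of the question's two main.cf files in a temp dir,
# checked against both options from the answer.
demo() {
    tmp=$(mktemp -d)
    for inst in postfix postfix-2; do
        mkdir -p "$tmp/$inst"
        printf 'smtpd_milters = local:opendkim/opendkim.sock\nnon_smtpd_milters = local:opendkim/opendkim.sock\n' \
            > "$tmp/$inst/main.cf"
        # Option 1: shared socket bind-mounted into each chroot, matches as written
        check_instance "$tmp/$inst/main.cf" "/var/spool/$inst" \
            local:/var/run/opendkim/opendkim.sock "/var/spool/$inst/opendkim" || true
        # Option 2: TCP socket, so main.cf must change to inet:localhost:8891
        check_instance "$tmp/$inst/main.cf" "/var/spool/$inst" inet:8891@localhost || true
    done
    rm -rf "$tmp"
}
demo
```

Running the script prints OK lines for Option 1 (the question's existing `local:opendkim/opendkim.sock` is exactly right once the bind mounts are in place) and FAIL lines for Option 2, showing the `inet:localhost:8891` value each main.cf needs instead. Without the optional bind directory, a socket under /var/run is reported as outside the chroot, which is the situation the question started from.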