Bug 2186635 - can't create temporary file at /tmp/dkim.5DB339C5A4.HhZiSg: Read-only file system
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: opendkim
Version: 38
Hardware: Unspecified
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Matt Domsch
QA Contact: Fedora Extras Quality Assurance
Duplicates: 2189113
Reported: 2023-04-13 22:10 UTC by Marcin Kozyra
Modified: 2023-04-27 22:31 UTC (History)

Fixed In Version: opendkim-2.11.0-0.34.fc37 opendkim-2.11.0-0.34.fc38 opendkim-2.11.0-0.34.el9 opendkim-2.11.0-0.34.el8
Last Closed: 2023-04-26 01:41:56 UTC
Type: Bug

Description Marcin Kozyra 2023-04-13 22:10:49 UTC
Fedora 38 fully updated. It seems that one of the updates broke this. Unable to send emails.

SELinux does not show any problems.
Tried reinstalling opendkim.

[root@mail ~]# ls -l /tmp
total 28
-rw-------. 1 root root  661 Apr 13 17:04 sorteFC4i1
-rw-------. 1 root root    0 Apr 13 17:04 sorthW1IJs
-rw-------. 1 root root  771 Apr 13 17:04 sortIFfFPm
-rw-------. 1 root root  659 Apr 13 17:04 sortJwNFsp
-rw-------. 1 root root  712 Apr 13 17:04 sortLHMfdE
-rw-------. 1 root root 2293 Apr 13 17:04 sortlI0g95
-rw-------. 1 root root  868 Apr 13 17:04 sortlL22Y5
-rw-------. 1 root root  873 Apr 13 17:04 sortVfTd0u
drwx------. 2 root root   60 Apr 13 13:47 ssh-XXXXXX1nhbeK
drwx------. 3 root root   60 Apr 13 13:42 systemd-private-794ed7cd8cc54a7187f0a2ac18cf4c77-chronyd.service-KzYMl5
drwx------. 3 root root   60 Apr 13 13:47 systemd-private-794ed7cd8cc54a7187f0a2ac18cf4c77-cockpit.service-82Vb4b
drwx------. 3 root root   60 Apr 13 13:42 systemd-private-794ed7cd8cc54a7187f0a2ac18cf4c77-dbus-broker.service-N6HSMv
drwx------. 3 root root   60 Apr 13 13:42 systemd-private-794ed7cd8cc54a7187f0a2ac18cf4c77-dovecot.service-9aalS0
drwx------. 3 root root   60 Apr 13 13:42 systemd-private-794ed7cd8cc54a7187f0a2ac18cf4c77-mariadb.service-aBLsBf
drwx------. 3 root root   60 Apr 13 13:42 systemd-private-794ed7cd8cc54a7187f0a2ac18cf4c77-nginx.service-G9vzjK
drwx------. 3 root root   60 Apr 13 13:42 systemd-private-794ed7cd8cc54a7187f0a2ac18cf4c77-php-fpm.service-SnQwGr
drwx------. 3 root root   60 Apr 13 13:42 systemd-private-794ed7cd8cc54a7187f0a2ac18cf4c77-postfix.service-UGTuR6
drwx------. 3 root root   60 Apr 13 13:47 systemd-private-794ed7cd8cc54a7187f0a2ac18cf4c77-reportd.service-LVmWCU
drwx------. 3 root root   60 Apr 13 13:42 systemd-private-794ed7cd8cc54a7187f0a2ac18cf4c77-systemd-logind.service-idWuh2
drwx------. 3 root root   60 Apr 13 13:42 systemd-private-794ed7cd8cc54a7187f0a2ac18cf4c77-systemd-oomd.service-pmzlc9
drwx------. 3 root root   60 Apr 13 13:42 systemd-private-794ed7cd8cc54a7187f0a2ac18cf4c77-systemd-resolved.service-Ri5ovL
drwx------. 3 root root   60 Apr 13 13:47 systemd-private-794ed7cd8cc54a7187f0a2ac18cf4c77-systemd-timedated.service-p8ipaX

[root@mail ~]# cat /etc/opendkim.conf
## BASIC OPENDKIM CONFIGURATION FILE
## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more

## BEFORE running OpenDKIM you must:

## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
## - generate keys for your domain (if signing)
## - edit your DNS records to publish your public keys (if signing)

## See /usr/share/doc/opendkim/INSTALL for detailed instructions.

## DEPRECATED CONFIGURATION OPTIONS
## 
## The following configuration options are no longer valid.  They should be
## removed from your existing configuration file to prevent potential issues.
## Failure to do so may result in opendkim being unable to start.
## 
## Removed in 2.10.0:
##   AddAllSignatureResults
##   ADSPAction
##   ADSPNoSuchDomain
##   BogusPolicy
##   DisableADSP
##   LDAPSoftStart
##   LocalADSP
##   NoDiscardableMailTo
##   On-PolicyError
##   SendADSPReports
##   UnprotectedPolicy

## CONFIGURATION OPTIONS

##  Specifies the path to the process ID file.
PidFile /run/opendkim/opendkim.pid

##  Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
##  Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
##  messages.
Mode    sv

##  Log activity to the system log.
Syslog  yes

##  Log additional entries indicating successful signing or verification of messages.
SyslogSuccess   yes

##  If logging is enabled, include detailed logging about why or why not a message was
##  signed or verified. This causes an increase in the amount of log data generated
##  for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy  yes

##  Attempt to become the specified user before starting operations.
UserID  opendkim:postfix

##  Create a socket through which your MTA can communicate.
Socket  local:/run/opendkim/opendkim.sock

##  Required to use local socket with MTAs that access the socket as a non-
##  privileged user (e.g. Postfix)
Umask   002

##  This specifies a text file in which to store DKIM transaction statistics.
##  OpenDKIM must be manually compiled with --enable-stats to enable this feature.
# Statistics    /var/spool/opendkim/stats.dat

##  Specifies whether or not the filter should generate report mail back
##  to senders when verification fails and an address for such a purpose
##  is provided. See opendkim.conf(5) for details.
SendReports     yes

##  Specifies the sending address to be used on From: headers of outgoing
##  failure reports.  By default, the e-mail address of the user executing
##  the filter is used (executing_user@hostname).
# ReportAddress "Example.com Postmaster" <postmaster>

##  Add a DKIM-Filter header field to messages passing through this filter
##  to identify messages it has processed.
SoftwareHeader  yes

## SIGNING OPTIONS

##  Selects the canonicalization method(s) to be used when signing messages.
Canonicalization        relaxed/relaxed

##  Domain(s) whose mail should be signed by this filter. Mail from other domains will
##  be verified rather than being signed. Uncomment and use your domain name.
##  This parameter is not required if a SigningTable is in use.
# Domain        example.com

##  Defines the name of the selector to be used when signing messages.
Selector        mail

##  Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits  2048

##  Gives the location of a private key to be used for signing ALL messages. This
##  directive is ignored if KeyTable is enabled.
KeyFile /etc/opendkim/keys/default.private

##  Gives the location of a file mapping key names to signing keys. In simple terms,
##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
##  directive in the configuration file. Requires SigningTable be enabled.
KeyTable        /etc/opendkim/KeyTable

##  Defines a table used to select one or more signatures to apply to a message based
##  on the address found in the From: header field. In simple terms, this tells
##  OpenDKIM how to use your keys. Requires KeyTable be enabled.
SigningTable    refile:/etc/opendkim/SigningTable

##  Identifies a set of "external" hosts that may send mail through the server as one
##  of the signing domains without credentials as such.
#ExternalIgnoreList     refile:/etc/opendkim/TrustedHosts

##  Identifies a set "internal" hosts whose mail should be signed rather than verified.
#InternalHosts  refile:/etc/opendkim/TrustedHosts

##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names
##  whose mail should be neither signed nor verified by this filter.  See man
##  page for file format.
# PeerList      X.X.X.X

##  Always oversign From (sign using actual From and a null From to prevent
##  malicious signatures header fields (From and/or others) between the signer
##  and the verifier.  From is oversigned by default in the Fedora package
##  because it is often the identity key used by reputation systems and thus
##  somewhat security sensitive.
OversignHeaders From

##  Instructs the DKIM library to maintain its own local cache of keys and
##  policies retrieved from DNS, rather than relying on the nameserver for
##  caching service. Useful if the nameserver being used by the filter is
##  not local.
# QueryCache    yes

Comment 1 Bojan Smojver 2023-04-15 03:27:06 UTC
Yeah, same here. Also:

    /usr/lib/systemd/system/opendkim.service:22: ReadWritePaths= path is not absolute, ignoring: @logdir@/opendkim: 11 Time(s)

I worked around all this by using this in /etc/systemd/system/opendkim.conf.d/opendkim.conf:

[Service]
ReadWritePaths=/run/dkim-milter/opendkim /tmp

PS. I run a milter setup, ergo that extra directory.

Comment 2 Matt Domsch 2023-04-16 15:40:06 UTC
Indeed, this is broken. Thanks for the bug report.  As a temporary fix, please do the following and report success/failure:

# cp /usr/lib/systemd/system/opendkim.service /etc/systemd/system/
# sed -i -e '/ProtectSystem/d' -e '/ProtectHome/d' -e '/ReadWritePaths/d' /etc/systemd/system/opendkim.service
# systemctl daemon-reload
# systemctl restart opendkim

I'll submit an update that accomplishes these. Once you've installed that update, remove /etc/systemd/system/opendkim.service and systemctl daemon-reload again.

Thanks,
Matt
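
The failure discussed in this thread, as an added example that is not part of the bug report or the opendkim package: a small linter that flags an unexpanded @logdir@-style placeholder or a non-absolute entry in ReadWritePaths= and reports when /tmp is left read-only. It assumes the unit sets ProtectSystem=strict (the page does not show the value); lint_unit, broken_unit, hardened_unit and both sample units are constructed here.

```shell
# Added example: lint systemd unit text (stdin or file); returns 1 on findings.
lint_unit() {
    awk '
    /^[ \t]*[#;]/ { next }                        # comment lines
    {
        eq = index($0, "="); if (eq == 0) next    # section headers, blank lines
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
    }
    key == "ProtectSystem"  { protect = val }
    key == "PrivateTmp"     { ptmp = val }
    key == "ReadWritePaths" {
        n = split(val, p, " ")
        for (i = 1; i <= n; i++) {
            path = p[i]; sub(/^[-+]+/, "", path)  # optional "-" / "+" prefixes
            if (path ~ /@[A-Za-z_]+@/) { print "unexpanded-placeholder: " p[i]; bad = 1 }
            else if (path !~ /^\//)    { print "not-absolute: " p[i]; bad = 1 }
            else if (path == "/tmp")   { tmp_rw = 1 }
        }
    }
    END {
        # strict leaves /tmp read-only unless PrivateTmp= is on or /tmp is listed
        if (protect == "strict" && ptmp !~ /^(yes|true|on|1)$/ && !tmp_rw) { print "tmp-read-only"; bad = 1 }
        exit bad + 0
    }' "$@"
}

# Constructed sample; the ProtectSystem value is an assumption.
broken_unit() {
    cat <<'EOF'
[Service]
ProtectSystem=strict
ReadWritePaths=@logdir@/opendkim
EOF
}

# Constructed sample: sandbox kept, absolute path, private writable /tmp.
hardened_unit() {
    cat <<'EOF'
[Service]
ProtectSystem=strict
PrivateTmp=yes
ReadWritePaths=/run/opendkim
EOF
}

broken_unit   | lint_unit || echo "broken unit: findings listed above"
hardened_unit | lint_unit && echo "hardened unit: clean"
```

The hardened sample is one possible alternative to deleting the sandboxing directives, not the fix shipped in the update.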

Comment 3 Matt Domsch 2023-04-16 19:32:28 UTC
It looks like I only pushed broken builds to F38 and rawhide. I've got packages built for F37, 38, rawhide, epel8, and epel9. This would cleanly solve the PID race because it uses the systemd type=simple. F36 goes EOL in 30 days; I don't think it's worth upgrading it. I've tested the new package on epel8 and it works as expected.

Please advise as to your own tests.

F39 https://koji.fedoraproject.org/koji/buildinfo?buildID=2187753
F38 https://koji.fedoraproject.org/koji/buildinfo?buildID=2187807
F37 https://koji.fedoraproject.org/koji/buildinfo?buildID=2187805
EL9 https://koji.fedoraproject.org/koji/buildinfo?buildID=2187804
EL8 https://koji.fedoraproject.org/koji/buildinfo?buildID=2187806

Comment 4 Fedora Update System 2023-04-17 02:08:00 UTC
FEDORA-2023-fd86a833b6 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-fd86a833b6

Comment 5 Fedora Update System 2023-04-17 02:08:01 UTC
FEDORA-EPEL-2023-e8c7feeb3a has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e8c7feeb3a

Comment 6 Fedora Update System 2023-04-17 02:08:02 UTC
FEDORA-EPEL-2023-feb4530d88 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-feb4530d88

Comment 7 Fedora Update System 2023-04-18 01:41:07 UTC
FEDORA-2023-fd86a833b6 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-fd86a833b6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-fd86a833b6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-04-18 02:52:18 UTC
FEDORA-EPEL-2023-e8c7feeb3a has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e8c7feeb3a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2023-04-18 02:55:25 UTC
FEDORA-EPEL-2023-feb4530d88 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-feb4530d88

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2023-04-18 03:39:11 UTC
FEDORA-2023-4730d0dab1 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4730d0dab1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4730d0dab1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Marcin Kozyra 2023-04-23 23:12:12 UTC
Fix works for me. Thank you for your quick resolution. I'm surprised that this fix is still not in the main repository, as without it email does not work. Out of curiosity, how long does it usually take for the bug fix to hit the main repository? Thank you for your help in resolving this.

Comment 12 Matt Domsch 2023-04-24 17:34:34 UTC
*** Bug 2189113 has been marked as a duplicate of this bug. ***

Comment 13 Matt Domsch 2023-04-24 17:35:42 UTC
Fedora Updates generally take 1 week, EPEL updates 2 weeks, unless the update receives +3 karma from testers before that.

Comment 14 Fedora Update System 2023-04-26 01:41:56 UTC
FEDORA-2023-fd86a833b6 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 15 Fedora Update System 2023-04-26 03:19:02 UTC
FEDORA-2023-4730d0dab1 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 16 Fedora Update System 2023-04-26 03:25:26 UTC
FEDORA-EPEL-2023-e8c7feeb3a has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 17 Fedora Update System 2023-04-26 03:45:11 UTC
FEDORA-EPEL-2023-feb4530d88 has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 18 Marcin Kozyra 2023-04-27 22:31:21 UTC
Thank you, Matt, for the explanation and the fix!

