Description of problem:
To make dkim-milter work with postfix the postfix user must be added to the dkim-milter group and the dkim-milter.sock file must be chmoded to 775. The problem is that when the dkim-milter service is restarted it restores the socket file to 755, breaking postfix.

Version-Release number of selected component (if applicable):
dkim-milter-2.8.3-2.el5.x86_64.rpm

How reproducible:
Restart dkim-milter service

Actual results:
Postfix can't send emails as it has no write permission on the socket file

Expected results:
Postfix should send signed mails

Which version of postfix are you using? Are you running it chrooted?

> dkim-milter-2.8.3-2.el5.x86_64.rpm

Is there some reason you are not using the latest (dkim-milter-2.8.3-3.el5)? It has changes related to the ownership of the dkim-milter socket. Please try that and report back.

(In reply to comment #1)
> > dkim-milter-2.8.3-2.el5.x86_64.rpm
>
> Is there some reason you are not using the latest (dkim-milter-2.8.3-3.el5)?

Just because I don't have the testing repository (where it is now) enabled.

> It has changes related to the ownership of the dkim-milter socket. Please try
> that and report back.

I will try it and report back.

Tried the new rpm and still the socket file permission is restored to 755 after a restart.
Created attachment 400263
Patch for dkim-milter init script (prevents overriding of Socket setting)
You could fix this easily by changing the Socket setting in your dkim-filter.conf file to use a network interface instead ("inet:20209@localhost"), except that the init script overrides this setting. I've included a patch (above) to fix that.

Alternatively, here's a workaround to fix the problem while still using the socket file:

Edit /etc/postfix/main.cf with the following:

    mail_owner = dkim-milter
    smtpd_milters = unix:/var/run/dkim-milter/dkim-milter.sock
    non_smtpd_milters = unix:/var/run/dkim-milter/dkim-milter.sock

(You likely already have those last two lines in there.)

Then change the permissions in the spool directory:

    # find /var/spool/postfix/* -wholename '*/pid' -prune -o -print |\
      xargs chown -R dkim-milter

Restart Postfix and you should be set.

Dave Hensley
iEntry, Inc.

Option #1: I don't mind the idea of removing the socket setting from the init script in principle if we add the current setting to the default config file, except that this would break the setups of people who have edited their conf file and forget or neglect to merge the latest changes from the newly created .rpmsave file after an update. If you have a suggestion for how to deal with this, I'm all ears.

Option #2: Instead you could

    echo SOCKET= >> /etc/sysconfig/dkim-milter

but that would leave an empty -p option. This could be fixed in the init script easily.

Option #3: Changing the umask in the conf file?

    UMask 002

This may tell dkim-filter to create the socket with the permissions postfix expects. Could one of you try this?

Option #3 worked for me. I'd imagine that the umask setting affects other files in addition to the socket, so I'm not sure what the ramifications of changing this might be (if any). Thank you for that suggestion.

But obviously, this still doesn't allow me to use a network interface, which is how I tried to set it up in the first place (and what I, and many other users I think, would prefer). It's bad that the Socket option in the config file doesn't actually do anything. I'm setting up a few of these servers to send a lot of mail for my company, and it'd be nice to be able to split the postfix/dkim-milter workload onto separate machines (i.e. to have one box running dkim-milter that receives connections from several MTAs).

Option #2 is a good start... maybe it would be a good idea to have the init script check the /etc/sysconfig/dkim-milter file for a "don't override my config file" option (which would disable -p), and then add a comment to the default dkim-filter.conf file (right above the Socket option) that explains this process to admins doing fresh installs.

Dave Hensley
iEntry, Inc.

I have moved the default setting of the "Socket" option to the config file and added backwards compatible support to the initscript to fall back to setting the socket itself if it's not already set in the sysconfig file or the conf file.

As to the main point of this bug report, I think we should set the default UMask setting to 002 for postfix. We run as dkim-milter:dkim-milter by default, so user and group permissions should be equivalent AFAICT and sendmail didn't complain in my testing. I would also be happy to put postfix into the dkim-milter group by default as well, but I'm not sure how to ensure that the user "postfix" is the one from the postfix package.

FWIW, with the latest shipping rpm you *can* do

    echo SOCKET=inet:20209@localhost >> /etc/sysconfig/dkim-milter

but this should all be fixed by the next build.

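The effect of the UMask setting discussed in the comments above, as an added example that is not part of the original thread and not dkim-milter code: it binds a throwaway UNIX socket under several umasks and reports the mode the kernel gives the socket file. It assumes Linux, where a new socket file gets mode 0777 & ~umask and connect() needs write permission on it; the temporary path and function names are constructed for the demonstration.

```python
import os
import socket
import stat
import tempfile


def socket_mode_under_umask(umask: int) -> int:
    """Bind a fresh UNIX socket under `umask` and return its permission bits."""
    workdir = tempfile.mkdtemp(prefix="milter-demo-")
    path = os.path.join(workdir, "demo.sock")  # constructed path, not the real milter socket
    previous = os.umask(umask)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.bind(path)  # the socket file is created here, as 0777 & ~umask
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        sock.close()
        os.umask(previous)  # always restore the caller's umask
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(workdir)


def group_can_connect(mode: int) -> bool:
    """A group member (e.g. the MTA user) needs the group write bit to connect."""
    return bool(mode & stat.S_IWGRP)


def world_can_connect(mode: int) -> bool:
    """True if any local user could connect; undesirable for a milter socket."""
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    # 022 is a common daemon default, 002 is the value suggested in the thread,
    # 007 additionally removes all access for "other".
    for umask in (0o022, 0o002, 0o007):
        mode = socket_mode_under_umask(umask)
        print(
            f"umask {umask:03o} -> socket mode {mode:03o} "
            f"group_can_connect={group_can_connect(mode)} "
            f"world_can_connect={world_can_connect(mode)}"
        )
```

Because the mode is fixed at bind() time, setting the umask avoids the window between socket creation and a later chmod.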
This is the diff from the dkim-milter.x86_64 2.8.3-4.el5 init script that I must apply to make it work for me: --- dkim-milter~ 2009-09-12 22:56:51.000000000 +0000 +++ dkim-milter 2010-04-03 12:16:04.000000000 +0000 @@ -25,12 +25,14 @@ [ -r /etc/sysconfig/${name} ] && . /etc/sysconfig/${name} start() { + chmod 710 /var/run/${name} echo -n "Starting ${desc} (${prog}): " daemon --user ${user} ${prog_with_path} -x ${config} -P ${pidfile} -p ${SOCKET} ${EXTRA_FLAGS} RETVAL=$? echo if [ ${RETVAL} -eq 0 ]; then touch /var/lock/subsys/${name} + chmod 770 /var/run/${name}/${name}.sock return 0 else return 1
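Review bot: the `chmod 770 /var/run/${name}/${name}.sock` added after `touch /var/lock/subsys/${name}` hardcodes the socket path, while the daemon line above it still passes `-p ${SOCKET}`. When SOCKET points anywhere else, for example the inet:20209@localhost form mentioned earlier in this thread, the chmod targets a file the daemon never created, its exit status is not checked, and start() still returns 0. The chmod also runs only after `daemon` has returned, so the socket sits at the daemon's default mode for a short window and may not exist yet when chmod runs. Derive the path from ${SOCKET} and skip the chmod for non-file sockets, or set the mode at creation time with the UMask setting that comment 8 reports working. The `chmod 710 /var/run/${name}` at the top of start() likewise runs on every start with no check that the directory exists.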
This package has been retired. Please use opendkim instead.