Saturday, September 16, 2017

Debian Stretch and opendkim: connection refused, no listener at port 8891

Debian stretch opendkim behaviour changed

opendkim fails to sign!

In a nutshell... if you face this:
postfix/submission/smtpd[17385]: warning: connect to Milter service inet:localhost:8891: Connection refused

and you cannot find a listener process at port 8891:
netstat -nltp | grep 8891
returns nothing,
and you find this in the /var/log/mail.log:
opendkim[18055]: OpenDKIM Filter v2.11.0 starting (args: -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock)
(which, by the way, explains the error...) and you have been checking /etc/opendkim.conf, and all other configuration files, and you are sure you have
Socket inet:8891@localhost

or
smtpd_milters = inet:127.0.0.1:8891
in your /etc/postfix/main.cf, rest assured, you're not alone.

opendkim.conf is ignored

Instead, edit /lib/systemd/system/opendkim.service:
# ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p inet:8891@localhost
Save the file, reload, and restart:
systemctl daemon-reload service opendkim restart
Now, you have a listener at port 8891...
Also, you will see this in mail.log:
OpenDKIM Filter v2.11.0 starting (args: -P /var/run/opendkim/opendkim.pid -p inet:8891@localhost)

Result

My SPF as well as DKIM are accepted by gmail:
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@xxxxx header.s=mail header.b=h8Rqwad8; spf=pass (google.com: domain of frank@xxxxx designates 12.34.56.78 as permitted sender)

This took me a day, hope it will help someone.

No comments: