Closed davordragic closed 1 year ago
Hmm, could it be as simple as `OPENDKIM_KEY_TABLE` should be `OPENDKIM_KeyTable`? Maybe also `OPENDKIM_Selector`. It's a bit confusing that `OPENDKIM_DOMAINS` is treated differently; all the others get written as is to the config.
Thank you for the fast response. I have changed the line in docker-compose.yml:

```yaml
postfix:
  image: mwader/postfix-relay
  restart: unless-stopped
  volumes:
    - ./env/postfix/dkim/:/etc/opendkim/keys/
  environment:
    - POSTFIX_myhostname=${HOSTNAME}
    - OPENDKIM_DOMAINS=mydomain.com=vps
    - OPENDKIM_SELECTOR=vps
    - OPENDKIM_KeyTable=vps._domainkey.mydomain.com:default:/etc/opendkim/keys/mydomain.com/vps.private
```
Now I get a new error:

```
$ docker compose logs -f postfix
**hostname**-postfix-1 | DNS records:
**hostname**-postfix-1 | vps._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; p=******" )
**hostname**-postfix-1 | opendkim: /etc/opendkim.conf: vps._domainkey.mydomain.com:default:/etc/opendkim/keys/mydomain.com/vps.private: dkimf_db_open(): Unknown database type
**hostname**-postfix-1 | Starting OpenDKIM: Starting Postfix Mail Transport Agent: postfix.
**hostname**-postfix-1 | 2023-05-09T15:06:49.783629+00:00 47692a7af8a8 rsyslogd: [origin software="rsyslogd" swVersion="8.1901.0" x-pid="141" x-info="https://www.rsyslog.com"] start
```
I'll do a quick test to see if maybe the DKIM signature is attached to the email.

EDIT: DKIM signature still not in the email.

No idea if it's connected, but I found one more warning in the log:

```
warning: connect to Milter service inet:localhost:12301: Cannot assign requested address
```
Haven't seen those messages before. But change `OPENDKIM_SELECTOR` to `OPENDKIM_Selector`, that looks wrong. If possible, can you clear all data and regenerate a new signature and files? It's been a while since I poked around with OpenDKIM so I don't remember much :)
I have changed the selector, but this did not fix the missing DKIM. Will generate a new signature to see if that might help.

EDIT: Generated a new signature, still no DKIM signature in the email.
I have no idea how DKIM works, but should there be a dkim process?

```
root@dbf2ba75c72e:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 3736 2804 ? Ss May09 0:00 /bin/bash /root/run
root 140 0.0 0.1 43500 7820 ? Ss May09 0:00 /usr/lib/postfix/sbin/master
root 141 0.0 0.0 154136 3436 ? Sl May09 0:00 rsyslogd -n
postfix 145 0.0 0.1 43572 7924 ? S May09 0:00 qmgr -l -t unix -u
postfix 160 0.0 0.1 43520 7924 ? S 16:34 0:00 pickup -l -t unix -u -c
postfix 1025 0.0 0.1 43704 7956 ? S 16:40 0:00 tlsmgr -l -t unix -u -c
root 1040 0.3 0.0 3868 3276 pts/0 Ss 16:48 0:00 bash
root 1047 0.0 0.0 7640 2744 pts/0 R+ 16:48 0:00 ps aux
root@dbf2ba75c72e:/# service opendkim status
[FAIL] opendkim is not running ... failed!
root@dbf2ba75c72e:/# service opendkim start
Starting OpenDKIM: opendkim: /etc/opendkim.conf: vps._domainkey.**.si:default:/etc/opendkim/keys/**.si/vps.private: dkimf_db_open(): Unknown database type
root@dbf2ba75c72e:/# cat /etc/opendkim/SigningTable
*@**.si vps._domainkey.**.si
root@dbf2ba75c72e:/# opendkim -x /etc/opendkim.conf -f -v
opendkim: /etc/opendkim.conf: vps._domainkey.**.si:default:/etc/opendkim/keys/**.si/vps.private: dkimf_db_open(): Unknown database type
```
Yes, I think there should be an opendkim process. Could you have a look at that database file? And was that database created by the run script and did not exist on the volume before starting the container?
I have tried both ways: creating the certificates myself and mounting them, and second, generating them with the run script. In between I did destroy the postfix docker image, because I noticed a volume on /etc/opendkim/keys.
Could you exec into the container and make sure it's the same database file as the one you volume mount in from the host? I've experienced before that docker-compose can play tricks on you with Dockerfile VOLUMEs surviving between containers.
I have removed the volume mount in docker compose. Did `docker compose rm postfix`. Ran a new container without a volume in compose.

New certificates have been generated, but still the same error. The file inside the docker container is in the proper location and that's /etc/opendkim/keys/domain.com/vps.private
Had a look inside one postfix-relay container that I've had running for a long while:

```
root@f77e3489d65e:/etc/opendkim/keys/<DOMAIN># cat mail.private
-----BEGIN RSA PRIVATE KEY-----
<REMOVED base64>
-----END RSA PRIVATE KEY-----
root@f77e3489d65e:/etc/opendkim/keys/<DOMAIN># cat mail.txt
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwMXuXr/edueQ9PKPFOJETXkHcbxpdc9++J/uKTNT8njPbx0wxJ5mwy7EkY61++w8z2Bbt/MsGAavNz8ENchA7cY3REr2cFc/wGKRXD8HEn47PhHvWsrSw2zQWej/pBjh7cEpTmLm7HFTso1axPqsM47qODn7HSKzq8C14IOH2ZHiUKe3c9n35D7M2kaeKjZKT2iqsnpbLTYSsl"
"KttAkUyyvQ3fJifkorxUIqco+rDdy6CgUnkcgMXlvLUBgCxEgvm99cdodkuphJQfWCPAyEU4N9tJey0XbY746nSuEh9v2gFlKfUDCElgAn4YpZKFYsrFGRKWTm4T6XfZGLDAqQ8QIDAQAB" ) ; ----- DKIM key mail for <DOMAIN>
```

But reading http://www.opendkim.org/opendkim.conf.5.html I get the feeling `KeyTable` should be a path to a file containing the mapping and not the mapping itself?
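To make the point about `KeyTable` concrete: the directive names a file, and each line of that file maps a key name to `domain:selector:path`, while `SigningTable` (a `refile:` table) maps sender patterns to those key names. The script below is an added example, not code from this issue or from the postfix-relay project; the output directory, the key path and the function names are assumptions for illustration. It writes both tables for one domain/selector, prints the two `opendkim.conf` lines that reference them, and checks that the private key is not group- or world-readable (the condition `opendkim-testkey` reports as "key not secure").

```shell
#!/bin/sh
# Added example (not from postfix-relay): write OpenDKIM table files for one
# domain/selector and emit the config lines that reference them instead of
# embedding the mapping in the directive itself. All paths are assumptions.

# write_dkim_tables DOMAIN SELECTOR KEYFILE OUTDIR
# Creates OUTDIR/KeyTable and OUTDIR/SigningTable.
write_dkim_tables() {
    domain=$1; selector=$2; keyfile=$3; outdir=$4
    keyname="${selector}._domainkey.${domain}"
    # KeyTable: one "<keyname> <domain>:<selector>:<private key path>" per line.
    printf '%s %s:%s:%s\n' "$keyname" "$domain" "$selector" "$keyfile" > "$outdir/KeyTable"
    # SigningTable (refile: type): "<sender pattern> <keyname>" per line.
    printf '*@%s %s\n' "$domain" "$keyname" > "$outdir/SigningTable"
}

# dkim_conf_lines OUTDIR
# Prints the opendkim.conf directives that point at the table files.
dkim_conf_lines() {
    outdir=$1
    printf 'KeyTable %s/KeyTable\n' "$outdir"
    printf 'SigningTable refile:%s/SigningTable\n' "$outdir"
}

# key_is_secure KEYFILE
# Returns 0 if the key has no group/other permission bits (0600 or 0400),
# 1 otherwise. Parses ls -l so it behaves the same on GNU and BSD userlands.
key_is_secure() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}
```

With the values from the compose file in this thread, `write_dkim_tables mydomain.com vps /etc/opendkim/keys/mydomain.com/vps.private /etc/opendkim` produces a `KeyTable` line of `vps._domainkey.mydomain.com mydomain.com:vps:/etc/opendkim/keys/mydomain.com/vps.private`, and `dkim_conf_lines /etc/opendkim` gives the directives to put in `opendkim.conf`. A key that is mode 0600 and 0400 both pass `key_is_secure`; only the group/other bits matter.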
I have removed the selector and keytable from the variables:

```
root@1c1270b63b6c:/# service opendkim status
[FAIL] opendkim is not running ... failed!
root@1c1270b63b6c:/# service opendkim start
Starting OpenDKIM: opendkim.
root@1c1270b63b6c:/# service opendkim status
[FAIL] opendkim is not running ... failed!
root@1c1270b63b6c:/# opendkim -x /etc/opendkim.conf -f -v
opendkim: smfi_opensocket() failed
```
https://github.com/wader/postfix-relay/issues/63

Found one with the same issue here, but the solution he gave does not help me.

Additionally, the private key generated has permissions 600 but should be 400 and I'm getting `opendkim-testkey: key not secure`, but changing to 400 does not fix this.

Regardless of all that, I'm not able to start opendkim; it always fails with `smfi_opensocket() failed`.

https://github.com/wader/postfix-relay/blob/master/run#LL32C17-L32C17

This should be only `u=r`.
Sorry, not at a computer. Btw, what host OS is this? Maybe https://github.com/wader/postfix-relay#i-see-key-data-is-not-secure-etcopendkimkeys-can-be-read-or-written-by-other-users-error-messages can help if the volume causes the permissions to not be changeable.
I'm trying on my laptop (macOS) and server (Debian). Same issue.

I don't think that's the problem, because in your run script you set `u+rw` permissions (600). This should be fixed in the run script.

Anyway, this still does not fix the issue with opendkim not wanting to start.
Yeap, sounds reasonable, send a PR? So that is only a warning and not why it does not start?
This change does not fix either of the 2 issues.

`opendkim-testkey` is still reporting that the key is unsecure (I'm not using any volume), and the opendkim service does not want to start. If I manually kill the process and remove the pid, when I try to start the opendkim service I get no errors (only when I manually remove the pid), but when I check the service status it's failed.

Looks like something strange is going on with the service process (opendkim), can't explain it better.
Ah was the socket thing also
The issue with opendkim not starting can be reproduced simply with:

```
docker run --name postfix_test -e OPENDKIM_DOMAINS=test.com -d mwader/postfix-relay
```

If I go into the docker image with `docker exec -it postfix_test bash` and write `service opendkim status`, I get status failed.
Hmm, could this be some regression after updating the base image?
> https://github.com/wader/postfix-relay/blob/master/run#LL32C17-L32C17
> This should be only `u=r`

Requiring `u=r` should not be necessary. From the OpenDKIM docs:

> (4) Store the private key in a safe place. We generally use a path like /var/db/dkim/SELECTOR.key.pem (where "SELECTOR" is the name you chose). The /var/db/dkim directory and the associated .pem file should be owned by the user that will be executing the filter (preferably not the superuser) and be mode 0700 and 0600 respectively.
> Hmm could this be some regression after updating base image?

I have tried a few older images, even 1.0.1, and the issue is the same. At this point, I have no idea what to check ...

Might it be related to a docker daemon update? I'm using docker 23; tried on centos7 and 20.10.9, same issue.
Strange, tried the latest image with docker for mac, seems to work ok.

Will update docker and try also.

```
Client:
 Cloud integration: v1.0.31
 Version:           20.10.23
 API version:       1.41
 Go version:        go1.18.10
 Git commit:        7155243
 Built:             Thu Jan 19 17:35:19 2023
 OS/Arch:           darwin/amd64
 Context:           default
 Experimental:      true

Server: Docker Desktop 4.17.0 (99724)
 Engine:
  Version:          20.10.23
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.10
  Git commit:       6051f14
  Built:            Thu Jan 19 17:32:04 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.18
  GitCommit:        2456e983eb9e37e47538f59ea18f2043c9a73640
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```

```
$ docker pull mwader/postfix-relay
Using default tag: latest
latest: Pulling from mwader/postfix-relay
Digest: sha256:7fa67408f57e707c1face317b56f4ba56008a168921ffde7dc272d0f44e76a34
Status: Image is up to date for mwader/postfix-relay:latest
docker.io/mwader/postfix-relay:latest
$ docker run -e OPENDKIM_DOMAINS=test.com mwader/postfix-relay
DNS records:
No DKIM private key found for selector 'mail' in domain 'test.com'. Generating one now...
mail._domainkey.test.com. IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52fqAKrTaZQK4th79LTvy7M8cuq2agKNgiEkw6FP8Cmh6yhNhu/pdTJ8l9nn4fGWYkblUS6rSnshYxWhZQspyISSlf7xxa6xxnuY1J1nr97cdgrdBsyNg67jmXpmu9B6aDSMyGlJeh6jNAcSxWJkNjUdKnHoQq1zPD7NkANFa0g/4wCpHZRZgLWPEyYYgNr2cM3Q+bf5TOzL2w"
"5RO5+UyKfD3WkQZIrZIDgk9PTdxlwjepTOCBLkjfpvuiKMLysZtinPNxA+80LBgol41h/GIsF+DJV/yRNUMtgf4u7D4zL2QlCe5ycbiDJp/PWa5JKAvHY6PZYIQhxXCDj/8coAMQIDAQAB" ) ; ----- DKIM key mail for test.com
Starting OpenDKIM: opendkim.
Starting Postfix Mail Transport Agent: postfix.
2023-05-10T19:51:42.000267+00:00 11d4254b4369 rsyslogd: [origin software="rsyslogd" swVersion="8.1901.0" x-pid="161" x-info="https://www.rsyslog.com"] start
^C
Stopping Postfix Mail Transport Agent: postfix2023-05-10T19:51:50.656847+00:00 11d4254b4369 postfix/master[159]: terminating on signal 15
.
Stopping OpenDKIM: No /usr/sbin/opendkim found running; none killed.
opendkim.
```
You won't see the error there.

Run the docker image in detached mode. Enter the container and type `service opendkim status`.
Ah ok, weirdly it seems opendkim is running and the pid file seems ok but status fails:

```
root@18c234ebb012:/# cat /var/run/opendkim/opendkim.pid
39
root@18c234ebb012:/# ps axf
PID TTY STAT TIME COMMAND
166 pts/0 Ss 0:00 bash
260 pts/0 R+ 0:00 \_ ps axf
1 ? Ss 0:00 /bin/bash /root/run
39 ? Ssl 0:00 /usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid
159 ? Ss 0:00 /usr/lib/postfix/sbin/master
164 ? S 0:00 \_ pickup -l -t unix -u -c
165 ? S 0:00 \_ qmgr -l -t unix -u
161 ? Sl 0:00 rsyslogd -n
root@18c234ebb012:/# service opendkim status
[FAIL] opendkim is not running ... failed!
```

Tried to debug the status script a bit with `sh -x` but got lost; maybe unrelated to your issue.

Tried with the latest docker stable (23.0.5), same as above: opendkim runs but status fails.
My main issue here is that I'm not getting a DKIM signature in mails. Now, whether this is a service status related issue or not, no idea.

I'm trying to get a DKIM signature on emails sent with this postfix.

After everything, I did completely delete the container and started again. Despite the service status failure, it works and DKIM is signed.

Will you have a look at the service status issue, or might you give me some hints and I'll try to have a go?
Ok, great. Yeah, will have a look, but you can help out if you want of course. Maybe do `sh -x /etc/init.d/opendkim status` and follow along in the script and see where it's going wrong.
Just for a test, I have added this on top of the run command:

```bash
#!/bin/bash
service opendkim start
sh -x /etc/init.d/opendkim status
```

The result is this:

```
Starting OpenDKIM: opendkim.
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ DAEMON=/usr/sbin/opendkim
+ NAME=opendkim
+ DESC=OpenDKIM
+ stoptimeout=5
+ test -x /usr/sbin/opendkim
+ . /lib/lsb/init-functions
+ run-parts --lsbsysinit --list /lib/lsb/init-functions.d
+ [ -r /lib/lsb/init-functions.d/20-left-info-blocks ]
+ . /lib/lsb/init-functions.d/20-left-info-blocks
+ FANCYTTY=
+ [ -e /etc/lsb-base-logging.sh ]
+ true
+ [ -f /etc/default/opendkim ]
+ . /etc/default/opendkim
+ RUNDIR=/var/run/opendkim
+ SOCKET=local:/var/run/opendkim/opendkim.sock
+ USER=opendkim
+ GROUP=opendkim
+ PIDFILE=/var/run/opendkim/opendkim.pid
+ EXTRAAFTER=
+ USER=opendkim
+ GROUP=opendkim
+ PIDFILE=/var/run/opendkim/opendkim.pid
+ [ -f /etc/opendkim.conf ]
+ awk $1 == "Socket" { print $2 } /etc/opendkim.conf
+ CONFIG_SOCKET=inet:12301@localhost
+ [ -n local:/var/run/opendkim/opendkim.sock -a -z inet:12301@localhost ]
+ DAEMON_OPTS=-x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid
+ status /usr/sbin/opendkim opendkim
+ local pidfile daemon name status
+ pidfile=
+ OPTIND=1
+ getopts p: opt
+ shift 0
+ [ -n ]
+ daemon=/usr/sbin/opendkim
+ name=opendkim
+ status=0
+ pidofproc /usr/sbin/opendkim
+ local pidfile base status specified pid OPTIND
+ pidfile=
+ specified=
+ OPTIND=1
+ getopts p: opt
+ shift 0
+ [ 1 -ne 1 ]
+ base=opendkim
+ [ ! ]
+ pidfile=/var/run/opendkim.pid
+ [ -n /var/run/opendkim.pid ]
+ [ -e /var/run/opendkim.pid ]
+ [ -x /bin/pidof ]
+ [ ! ]
+ status=0
+ /bin/pidof -c -o %PPID -x /usr/sbin/opendkim
+ status=1
+ [ 1 = 1 ]
+ return 3
+ status=3
+ [ 3 = 0 ]
+ log_failure_msg opendkim is not running
+ [ -n opendkim is not running ]
+ log_begin_msg opendkim is not running ...
+ log_begin_msg_pre opendkim is not running ...
+ log_daemon_msg_pre opendkim is not running ...
+ log_use_fancy_output
+ TPUT=/usr/bin/tput
+ EXPR=/usr/bin/expr
+ [ -t 1 ]
+ FANCYTTY=0
+ false
+ [ -z opendkim ]
+ echo -n opendkim is not running ...
+ log_begin_msg_post opendkim is not running ...
+ :
+ log_end_msg 1
+ [ -z 1 ]
+ local retval
+ retval=1
+ log_end_msg_pre 1
+ log_use_fancy_output
+ TPUT=/usr/bin/tput
+ EXPR=/usr/bin/expr
+ [ -t 1 ]
+ FANCYTTY=0
+ false
+ log_use_fancy_output
+ TPUT=/usr/bin/tput
+ EXPR=/usr/bin/expr
+ [ -t 1 ]
+ FANCYTTY=0
+ false
+ RED=
+ YELLOW=
+ NORMAL=
+ [ 1 -eq 0 ]
+ [ 1 -eq 255 ]
+ /bin/echo -e failed!
opendkim is not running ... failed!
+ log_end_msg_post 1
+ :
+ return 1
+ true
+ exit 3
Stopping OpenDKIM: No /usr/sbin/opendkim found running; none killed.
opendkim.
```
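Two details in the trace above are worth reading side by side: `/etc/default/opendkim` sets `PIDFILE=/var/run/opendkim/opendkim.pid` and the daemon is started with `-P` pointing at that path, but `status` is invoked as `status /usr/sbin/opendkim opendkim` with no `-p`, so `pidofproc` starts with `pidfile=` empty, falls back to `/var/run/opendkim.pid`, and ends up relying on `pidof` instead of the real pidfile. The script below is an added example, not the Debian init script and not code from postfix-relay; it shows a status check that reads the pidfile the daemon was actually started with and returns the LSB status codes (0 running, 1 pidfile present but process dead, 3 not running). The defaults-file parsing and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the Debian init script): a minimal LSB-style status
# check driven by the daemon's own pidfile. Exit codes follow the LSB
# convention: 0 = running, 1 = dead but pidfile exists, 3 = not running.

# configured_pidfile DEFAULTS_FILE
# Prints the PIDFILE= value from an /etc/default-style file (last assignment
# wins) without sourcing the file, so no other variables leak in.
configured_pidfile() {
    sed -n 's/^PIDFILE=//p' "$1" | tail -n 1
}

# daemon_status PIDFILE [DAEMON_PATH]
# Checks the process recorded in PIDFILE. Run as root (or as the daemon's
# user) so that kill -0 is permitted to probe the pid.
daemon_status() {
    pidfile=$1
    daemon=${2:-/usr/sbin/opendkim}   # assumed default for this example
    if [ ! -r "$pidfile" ]; then
        echo "$daemon: no pidfile at $pidfile (not running)"
        return 3
    fi
    # Keep only digits from the first line so a trailing newline or stray
    # whitespace in the pidfile cannot break the check.
    pid=$(head -n 1 "$pidfile" | tr -dc '0-9')
    if [ -z "$pid" ]; then
        echo "$daemon: pidfile $pidfile is empty or malformed"
        return 1
    fi
    # kill -0 sends no signal; it only reports whether the pid exists and
    # is signalable by us.
    if kill -0 "$pid" 2>/dev/null; then
        echo "$daemon is running (pid $pid)"
        return 0
    fi
    echo "$daemon: stale pidfile $pidfile (pid $pid not running)"
    return 1
}

# Typical use inside the container from this thread (paths as the trace
# shows them): read the configured pidfile, then check it.
if [ "${0##*/}" != "sh" ] && [ -r /etc/default/opendkim ]; then
    daemon_status "$(configured_pidfile /etc/default/opendkim)"
fi
```

Against the `ps axf` output earlier in the thread (opendkim running as pid 39 with `-P /var/run/opendkim/opendkim.pid`, and that file containing `39`), `daemon_status /var/run/opendkim/opendkim.pid` returns 0, whereas the init script's fallback path `/var/run/opendkim.pid` does not exist and would return 3.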
An idea... since there are two services running in the container, why not use supervisord? I might help with the migration to a supervisord docker setup.

Yes, would be nicer I think, and would be great if you would like to look into it.

Will have a look at it on the weekend. Since this issue is resolved, I'll close the issue.
👍
I'm having an issue with the DKIM configuration. Certificates were generated automatically and saved into a pv. But on start of the docker image, I see the error:

```
opendkim: /etc/opendkim.conf: configuration error at line 2: unrecognized parameter
```

My /etc/opendkim.conf is generated and looks like:

docker-compose.yml file is like this:

I have replaced my actual domain with mydomain.com.

The main issue here is that my email doesn't have a DKIM signature.

I have tested it via https://dkimvalidator.com/ and the result is: This message does not contain a DKIM Signature

What am I missing here?