Upgrading to Debian Stretch with dovecot, postfix & opendkim

Debian Stretch is about to be released. I’m already upgrading some of my systems, and want to document a few issues I encountered after upgrading my mail server from Debian Jessie to Stretch.

 

Dovecot forgot what’s SSLv2

Before the upgrade, dovecot was configured to reject login attempts with SSLv2 & SSLv3. The corresponding line in /etc/dovecot/dovecot.conf looked like this:

ssl_protocols = !SSLv3 !SSLv2

After the upgrade, IMAP logins failed and the login processes died. The syslog showed:

dovecot: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'

Stretch ships OpenSSL 1.1.0, which dropped SSLv2 support entirely. Dovecot (2.2.27 in Stretch) validates every name in ssl_protocols against the library it is linked with, so a protocol the library has never heard of is a fatal configuration error even when it is only listed to be disabled. Removing the token from dovecot.conf fixes it:

ssl_protocols = !SSLv3

SSLv2 stays disabled, simply because the library cannot speak it any more. Two things worth knowing: doveconf -n shows the setting Dovecot actually loaded (the Debian package normally keeps it in /etc/dovecot/conf.d/10-ssl.conf rather than dovecot.conf), and Dovecot 2.3 (Debian Buster) replaces ssl_protocols with ssl_min_protocol, where the equivalent of the line above is ssl_min_protocol = TLSv1.
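To make the failure above reproducible and to verify the result, here is an added example (my own code, not from the post or from Dovecot). It parses a Dovecot 2.2 ssl_protocols value, reports which names the local OpenSSL build does not know (exactly the condition that made imap-login abort), gives the Dovecot 2.3 ssl_min_protocol equivalent, and probes an IMAPS port one protocol version at a time to confirm what the server really negotiates. The host and port on the command line are the caller's; the probe needs network access, the other functions do not.

```python
"""Lint Dovecot's ssl_protocols value against the local TLS stack and probe a server.

Added example, not code from the original post or from Dovecot.  It reproduces
the failure above (a protocol name unknown to the OpenSSL build is fatal, even
when negated with '!'), gives the Dovecot 2.3 ssl_min_protocol equivalent, and
probes an IMAPS port to confirm which versions the server really negotiates.
"""
import socket
import ssl
import sys

# Dovecot 2.2 spelling of the protocol names, oldest first.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Which of them the OpenSSL behind Python's ssl module was built with.
SUPPORTED = {
    "SSLv2": getattr(ssl, "HAS_SSLv2", False),
    "SSLv3": getattr(ssl, "HAS_SSLv3", False),
    "TLSv1": getattr(ssl, "HAS_TLSv1", True),
    "TLSv1.1": getattr(ssl, "HAS_TLSv1_1", True),
    "TLSv1.2": getattr(ssl, "HAS_TLSv1_2", True),
    "TLSv1.3": getattr(ssl, "HAS_TLSv1_3", False),
}


def parse_ssl_protocols(value):
    """Split a Dovecot 2.2 ssl_protocols value into (enabled, disabled) name sets;
    '!NAME' disables a protocol, a bare NAME enables one."""
    enabled, disabled = set(), set()
    for token in value.split():
        name = token.lstrip("!")
        if name not in PROTOCOLS:
            raise ValueError("not a protocol name: %r" % token)
        (disabled if token.startswith("!") else enabled).add(name)
    return enabled, disabled


def unknown_to_openssl(names):
    """Names this OpenSSL has no notion of.  Dovecot 2.2 aborts on any of them
    ('Invalid ssl_protocols setting: Unknown protocol ...'), negated or not."""
    return sorted(n for n in names if not SUPPORTED[n])


def min_protocol(disabled):
    """Dovecot 2.3 equivalent: ssl_min_protocol = oldest protocol left enabled.
    Returns None if the disabled set is not a prefix of PROTOCOLS (e.g. only
    TLSv1.1 disabled), because that directive cannot express a hole."""
    remaining = [p for p in PROTOCOLS if p not in disabled]
    if not remaining or set(disabled) != set(PROTOCOLS[:PROTOCOLS.index(remaining[0])]):
        return None
    return remaining[0]


def probe(host, port=993, timeout=5.0):
    """One handshake per version against host:port.  True = accepted,
    False = the server refused it, None = not testable from here (this
    OpenSSL cannot offer it, which for SSLv2 and SSLv3 is the whole point)."""
    results = {}
    for name in PROTOCOLS:
        version = getattr(getattr(ssl, "TLSVersion", None), name.replace(".", "_"), None)
        if version is None or not SUPPORTED[name]:
            results[name] = None
            continue
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # testing protocol versions, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ctx.maximum_version = version  # pin exactly one version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except ssl.SSLError:
            results[name] = False  # handshake refused
        except (ValueError, OSError):
            results[name] = None  # version unsupported locally, or no connection
    return results


if __name__ == "__main__":
    # usage: python3 probe.py [HOST [PORT [ssl_protocols value]]]
    setting = sys.argv[3] if len(sys.argv) > 3 else "!SSLv3 !SSLv2"
    enabled, disabled = parse_ssl_protocols(setting)
    print("OpenSSL here:", ssl.OPENSSL_VERSION)
    print("fatal for Dovecot 2.2 on this OpenSSL:", unknown_to_openssl(enabled | disabled) or "nothing")
    print("Dovecot 2.3 equivalent: ssl_min_protocol =", min_protocol(disabled))
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
        for name, ok in probe(sys.argv[1], port).items():
            print("%-8s %s" % (name, {True: "accepted", False: "rejected", None: "not testable"}[ok]))
```

On a host with OpenSSL 1.1.0 the first report line names SSLv2, which is the condition behind the "Unknown protocol 'SSLv2'" message. The probe pins both minimum_version and maximum_version to a single value so that each handshake can only succeed with that version, and a None result for SSLv3 on the client side is itself evidence that the local library has dropped it.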

opendkim using file-based sockets (Update 2017-10-13)

UPDATE: the opendkim package that first shipped with Stretch (2.11.0) was affected by a bug (Debian #864162): its new systemd unit started the daemon without -x /etc/opendkim.conf, so opendkim's own configuration file was ignored. The fixed package is 2.11.0~alpha-10+deb9u1.

With the fixed package, the right way to (re)configure the socket is to edit /etc/default/opendkim and let the package's helper regenerate the systemd drop-in (/etc/systemd/system/opendkim.service.d/override.conf) from it, instead of editing the unit by hand:

vi /etc/default/opendkim
# listen on loopback on port 12301:
SOCKET=inet:12301@localhost
/lib/opendkim/opendkim.service.generate
systemctl daemon-reload; systemctl restart opendkim

Point Postfix back at the TCP socket if you had switched it to the unix socket earlier. Note that the two programs write the same endpoint differently: OpenDKIM uses inet:PORT@HOST, Postfix uses inet:HOST:PORT.

vi /etc/postfix/main.cf
# DKIM config
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
systemctl restart postfix

This should do it. Afterwards, the daemon's command line in systemctl status opendkim should reference the TCP socket (and, with the fixed package, -x /etc/opendkim.conf), and a message sent through the server should arrive with a DKIM-Signature header.

——————————————————–

Before the upgrade, opendkim (v2.9.2) was configured as an init.d service listening on a loopback TCP socket for Postfix to connect to.

/etc/default/opendkim

SOCKET="inet:12301@localhost" # listen on loopback on port 12301

/etc/postfix/main.cf

# DKIM config
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
root@host:~# systemctl status opendkim
opendkim.service - LSB: Start the OpenDKIM service
   Loaded: loaded (/etc/init.d/opendkim)
   Active: active (running) since Mi 2017-05-31 15:23:34 CEST; 6 days ago
  Process: 715 ExecStart=/etc/init.d/opendkim start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/opendkim.service
           ├─791 /usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid
           └─796 /usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid

During the system upgrade, the package switched opendkim to a native systemd unit. That made /etc/init.d/opendkim obsolete, and the unit does not read /etc/default/opendkim on its own (the opendkim.service.generate helper mentioned in the update does that), so the daemon came up with the package default, a unix socket, even though dpkg had asked me whether to install the package maintainer's new version of /etc/default/opendkim.

Now the opendkim (v2.11.0) systemd daemon looked like this:

opendkim.service - OpenDKIM DomainKeys Identified Mail (DKIM) Milter
   Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/opendkim.service.d
           └─override.conf
   Active: active (running) since Wed 2017-06-07 13:10:15 CEST; 23s ago
 Main PID: 4806 (opendkim)
    Tasks: 7 (limit: 4915)
   CGroup: /system.slice/opendkim.service
           ├─4806 /usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock
           └─4807 /usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock

I tried editing /etc/postfix/main.cf and adding the postfix user to the opendkim group to reflect the changes:

# DKIM config
milter_protocol = 2
milter_default_action = accept
smtpd_milters = local:/var/run/opendkim/opendkim.sock
non_smtpd_milters = local:/var/run/opendkim/opendkim.sock
root@host:~# adduser postfix opendkim

After restarting opendkim and postfix, the connection still failed:

postfix/smtpd[4451]: warning: connect to Milter service local:/var/run/opendkim/opendkim.sock: No such file or directory

Some research revealed why: Debian runs Postfix's smtpd (and most other master.cf services, cleanup included) chrooted to /var/spool/postfix, so a local: socket path in main.cf is resolved inside that chroot. /var/run/opendkim/opendkim.sock therefore has to exist as /var/spool/postfix/var/run/opendkim/opendkim.sock on the host. I created that directory and overrode the unit's socket path:

root@host:~# mkdir -p /var/spool/postfix/var/run/opendkim
root@host:~# chown -R opendkim:opendkim /var/spool/postfix/var
root@host:~# systemctl edit opendkim
[Service]
ExecStart=
ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p local:/var/spool/postfix/var/run/opendkim/opendkim.sock

The empty ExecStart= line is not a typo: a drop-in cannot replace ExecStart without first clearing the command it inherits from the unit file. Two caveats: systemctl edit writes the same override.conf that the package's opendkim.service.generate helper produces, so running the helper later overwrites this change; and the chown -R also hands opendkim the intermediate directories /var/spool/postfix/var and /var/spool/postfix/var/run, which it does not need, so chowning only the opendkim directory is tidier.

After restarting all affected services, my sent mails were getting a valid DKIM signature again.

opendkim[11357]: OpenDKIM Filter v2.11.0 starting (args: -P /var/run/opendkim/opendkim.pid -p local:/var/spool/postfix/var/run/opendkim/opendkim.sock)
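Both the TCP setup in the update and the chroot detour above come down to one question: given main.cf and master.cf, where must the milter socket exist on the host for Postfix to reach it? The following added example (my own code, not from the post, Postfix or OpenDKIM) answers it. It parses OpenDKIM's SOCKET= notation and Postfix's milter notation (which differ), maps each milter parameter to the daemon that uses it (smtpd for smtpd_milters, cleanup for non_smtpd_milters), reads the chroot column of master.cf, and resolves the host-side path; it also flags a TCP milter bound to every interface. The main.cf and master.cf samples are constructed, modelled on Debian's defaults, and socket_problems() is my own set of checks, not anything either project ships.

```python
"""Where does Postfix actually look for the OpenDKIM milter socket?

Added example, not code from the original post or from either project.  The
config samples below are constructed (Debian-like), and socket_problems() is
an assumed check list, not a tool Postfix or OpenDKIM provide.
"""
import grp
import os
import pwd
import re
import stat

QUEUE_DIR = "/var/spool/postfix"  # Postfix queue_directory; chrooted daemons see it as "/"
# main.cf parameter -> the master.cf command that connects to those milters
MILTER_USERS = {"smtpd_milters": "smtpd", "non_smtpd_milters": "cleanup"}

# Constructed samples, not copied from the post's host.
MAIN_CF = """\
milter_default_action = accept
smtpd_milters = local:/var/run/opendkim/opendkim.sock
non_smtpd_milters = local:/var/run/opendkim/opendkim.sock
"""
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
local      unix  -       n       n       -       -       local
"""


def parse_opendkim_socket(spec):
    """OpenDKIM SOCKET= syntax: inet:PORT@HOST (no HOST = every interface),
    local:PATH or unix:PATH -> ("inet", host, port) or ("local", path)."""
    kind, sep, rest = spec.strip().strip("\"'").partition(":")
    if sep and kind == "inet":
        port, _, host = rest.partition("@")
        return ("inet", host, int(port))
    if sep and kind in ("local", "unix"):
        return ("local", rest)
    raise ValueError("not an OpenDKIM socket spec: %r" % spec)


def parse_postfix_milter(spec):
    """Postfix milter syntax: inet:HOST:PORT, unix:PATH or local:PATH."""
    kind, sep, rest = spec.strip().partition(":")
    if sep and kind == "inet":
        host, _, port = rest.rpartition(":")
        return ("inet", host, int(port))
    if sep and kind in ("unix", "local"):
        return ("local", rest)
    raise ValueError("not a Postfix milter spec: %r" % spec)


def to_postfix_milter(sock):
    """Write a parsed OpenDKIM endpoint the way Postfix expects it."""
    if sock[0] == "inet":
        return "inet:%s:%d" % (sock[1] or "127.0.0.1", sock[2])
    return "unix:%s" % sock[1]


def exposure_warning(sock):
    """A TCP milter without @localhost takes unauthenticated connections from any host."""
    if sock[0] == "inet" and sock[1] in ("", "0.0.0.0", "::"):
        return "milter bound to every interface; use inet:%d@localhost" % sock[2]
    return None


def chrooted_commands(master_cf, default_chroot=False):
    """{command: chrooted} from master.cf.  Columns: service type private unpriv
    chroot wakeup maxproc command.  '-' is the Postfix default ('n' since 3.0,
    'y' before); one chrooted instance of a command is enough to need the chroot path."""
    flags = {}
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue  # blank, comment, or '-o option' continuation line
        cols = line.split()
        if len(cols) < 8:
            continue
        chroot, command = cols[4], cols[7]
        chrooted = default_chroot if chroot == "-" else chroot == "y"
        flags[command] = flags.get(command, False) or chrooted
    return flags


def host_path(postfix_spec, chrooted, queue_dir=QUEUE_DIR):
    """Host-side path of a unix milter socket, or None for TCP (a chroot does not affect it)."""
    sock = parse_postfix_milter(postfix_spec)
    if sock[0] == "inet":
        return None
    return os.path.join(queue_dir, sock[1].lstrip("/")) if chrooted else sock[1]


def audit(main_cf, master_cf, queue_dir=QUEUE_DIR):
    """{parameter: [(spec, required host path)]}; $variable references are not expanded."""
    chroot = chrooted_commands(master_cf)
    params = dict(re.findall(r"^\s*(\w+)\s*=\s*(.*?)\s*$", main_cf, re.M))
    report = {}
    for param, command in MILTER_USERS.items():
        specs = [s for s in re.split(r"[,\s]+", params.get(param, "")) if s]
        report[param] = [(s, host_path(s, chroot.get(command, False), queue_dir)) for s in specs]
    return report


def socket_problems(path, user="postfix"):
    """Reasons the Postfix user could not connect to the socket at path (assumed checks)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist (milter not running, or started with another -p path)" % path]
    problems = []
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("%s is not a unix socket" % path)
    try:
        pw = pwd.getpwnam(user)
        gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    except KeyError:
        return problems + ["user %s does not exist here" % user]
    writable = (st.st_mode & stat.S_IWOTH or (st.st_gid in gids and st.st_mode & stat.S_IWGRP)
                or (st.st_uid == pw.pw_uid and st.st_mode & stat.S_IWUSR))
    if not writable:
        problems.append("%s cannot write to it (uid %d gid %d mode %o)"
                        % (user, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return problems


if __name__ == "__main__":
    for param, entries in audit(MAIN_CF, MASTER_CF).items():
        for spec, path in entries:
            print(param, spec, "->", path, socket_problems(path) if path else "tcp, unaffected by chroot")
```

Run against the real files with audit(open("/etc/postfix/main.cf").read(), open("/etc/postfix/master.cf").read()) and the report gives the exact path the opendkim unit's -p option has to name, which is the step the error "connect to Milter service local:/var/run/opendkim/opendkim.sock: No such file or directory" hides. The write check mirrors the post's fix (postfix in group opendkim, group-writable socket) as well as Ronnie's alternative of setting GROUP=postfix.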

9 Comments

  • hazza

    2017-06-19

    This is exactly what I was looking for! Thank you very much!

  • Ronnie T

    2017-07-06

    Thanks a lot for the helpful guide Jan. I’d like to chime in with a few observations.

    Instead of editing the opendkim service file directly, you can use the /lib/opendkim/opendkim.service.generate script to generate the new opendkim service file. The script will read the /etc/default/opendkim file and override the default service values for you.
    You could also set the GROUP in /etc/default/opendkim to postfix, after which you wouldn’t need to add the user postfix to the group opendkim.

    • me

      2017-07-07

      Hi Ronnie, thanks for pointing this out. I was not aware little helpers like that exist. With that knowledge I can see why Debian 9 with systemd offers a new version of /etc/default/opendkim.

  • Mahboob Butt

    2017-07-08

    The best post all week! Thanks!

  • Giovanni

    2017-07-31

    You can do a complete tutorial for debian 9 on postfix, dovecot, opendkim and clamav and spammiss. It helped me a lot; your article is going great.

  • david

    2017-09-14

    Hei, could you help me on this?

    Sep 14 16:44:41 davidcrx systemd[1]: opendkim.service: PID file /var/run/opendkim/opendkim.pid not readable (yet?) after start: No such file or directory

    I don’t know how to solve this problem… :/

  • Manu

    2017-09-15

    Hi Jan,

    It seems the issue with OpenDKIM is a bug in Debian (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864162), in short, configuration files are ignored ! And they should not be.

    Your solution works, however it’s supposed to still be possible to use inet (and hence avoid the groups and permissions hassle). The bugfix is underway.

    As for “My site does not use external resources or hidden tracking.”, I really like and respect that, however I must point out that you are using Google for fonts… (I trust you enough to comment and leave my email).
    : ]

    Cheers,

    • Jan S

      2017-10-13

      Hi Manu,

      you’re right about the bug, I’ve updated opendkim to 2.11.0~alpha-10+deb9u1 on Stretch and reconfigured the daemon to use the previous TCP socket. See my post updates above.

      Thanks for the hint with Google fonts. I’ve manually deactivated this in my WP instance, but it seems that it’s coming back after updates. I’ll look into that.
      EDIT – I set up a cronjob to disable Google fonts again after WordPress updates.
      */30 * * * * cd /var/www-blog/wp-content/themes/shaped-blog && sed -i '/googleapis.com/d' style.css

  • Max

    2017-11-22

    Hey,

    looks like a bug fix was released. At least in the update I installed today the systemd unit uses the -x option to load /etc/opendkim.conf.
    Thanks for the great post !

