Gentoo Forums
/run/opendkim owned by opendkim, milter can't create socket

jhon987
Apprentice
Joined: 18 Nov 2013
Posts: 297

Posted: Tue Jul 23, 2019 9:16 am    Post subject: /run/opendkim owned by opendkim, milter can't create socket

Hi,

Whenever I restart my VPS, the /run/opendkim directory is automatically owned by the opendkim user, and the result is:
OpenDKIM Filter: Unable to bind to port local:/var/run/opendkim/opendkim.sock: Permission denied

The socket simply cannot be created, as the UserID in opendkim.conf = milter.

Only when I
Code:
chown milter:milter /run/opendkim
only then can the socket be created and opendkim does not crash.

I have followed this guide: https://wiki.gentoo.org/wiki/OpenDKIM
and have tried adding milter to opendkim as well as dkimsocket groups but that doesn't change anything:
Code:
# groups milter
opendkim dkimsocket milter

# rc-service opendkim restart
opendkim          | * Stopping opendkim ...
opendkim          | * start-stop-daemon: no matching processes found                [ ok ]
opendkim          | * Starting opendkim ...

# rc-service opendkim status
 * status: crashed


Only when I manually chown the /run/opendkim folder to milter does opendkim not crash.

I'm looking for a solution that will work throughout reboots, without having to chown manually (nor through crontab)...?

Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920

Posted: Tue Jul 23, 2019 2:59 pm

Create an override for /usr/lib/tmpfiles.d/opendkim.conf in /etc/tmpfiles.d

jhon987
Apprentice
Joined: 18 Nov 2013
Posts: 297

Posted: Tue Jul 23, 2019 3:50 pm

Ant P. wrote:
Create an override for /usr/lib/tmpfiles.d/opendkim.conf in /etc/tmpfiles.d


Thanks!
I should note it's not the safest thing, as according to the guide I referenced before, both milter and opendkim should access the socket through a 3rd group (dkimsocket for instance) - but that doesn't work unfortunately...
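
The tmpfiles.d override suggested above, combined with the shared-group layout this reply mentions, as an added example that is not part of the original posts. It assumes the daemon user `milter` and the group `dkimsocket` named in the thread; the mode 0750 and the helper names `override_line` and `check_rundir` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. "milter" (daemon UserID) and
# "dkimsocket" (shared group) come from the posts; mode 0750 and the
# function names are assumptions of this example.

# Emit a tmpfiles.d directory entry: type path mode user group age
override_line() {
    printf 'd %s %s %s %s -\n' "$1" "$2" "$3" "$4"
}

# Compare a directory on disk with a "d" entry (paths without spaces).
# Prints each mismatch; returns 0 if it matches, 1 if not, 2 on bad input.
check_rundir() {
    set -- $1                      # split the entry into its fields
    [ "$1" = d ] || { echo "not a 'd' entry"; return 2; }
    path=$2 want_mode=${3#0} want_user=$4 want_group=$5
    [ -d "$path" ] || { echo "$path: missing"; return 1; }
    set -- $(stat -c '%a %U %G' "$path")   # GNU/busybox stat
    rc=0
    [ "$1" = "$want_mode" ]  || { echo "$path: mode $1, want $want_mode"; rc=1; }
    [ "$2" = "$want_user" ]  || { echo "$path: owner $2, want $want_user"; rc=1; }
    [ "$3" = "$want_group" ] || { echo "$path: group $3, want $want_group"; rc=1; }
    return $rc
}

# With four arguments, print the entry and check the live directory, e.g.
#   sh rundir.sh /run/opendkim 0750 milter dkimsocket
if [ $# -eq 4 ]; then
    entry=$(override_line "$@")
    echo "$entry"
    check_rundir "$entry"
fi
```

Write the printed line to /etc/tmpfiles.d/opendkim.conf; a file there takes precedence over the same-named file in /usr/lib/tmpfiles.d. Members of dkimsocket can then reach the socket only if the socket itself is group-writable, which OpenDKIM's UMask setting controls.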

UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

Posted: Tue Jul 23, 2019 3:54 pm

I had this problem on my mail relay after I stupidly upgraded it to a Debian version with systemd opendkim/dmarc, etc.

I gave up, and replaced my email filtering stack with rspamd which does it all and without the overhead of perl or separate milters.
Not looked back since, highly recommend it.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool

jhon987
Apprentice
Joined: 18 Nov 2013
Posts: 297

Posted: Wed Jul 24, 2019 6:24 am

UberLord wrote:
I had this problem on my mail relay after I stupidly upgraded it to a Debian version with systemd opendkim/dmarc, etc.

I gave up, and replaced my email filtering stack with rspamd which does it all and without the overhead of perl or separate milters.
Not looked back since, highly recommend it.


Thanks for the experienced advice, I'll consider it.

jhon987
Apprentice
Joined: 18 Nov 2013
Posts: 297

Posted: Tue Jul 30, 2019 4:41 am

UberLord wrote:
I had this problem ...
I gave up, and replaced my email filtering stack with rspamd which does it all and without the overhead of perl or separate milters.
Not looked back since, highly recommend it.


Hey @UberLord, do you mind if I ask you a few questions?

When you say you replaced your email filtering stack:
First, are you using postfix?
If so, do you mean rspamd also replaces amavis and clam? (Because I haven't managed to detach postfix from both of these services - whenever I re/start postfix it automatically launches both.)
Lastly, I followed the rspamd quickstart guide, setting it up with dovecot and redis. I use unix sockets wherever possible, but I still haven't managed to set it up correctly, I guess, because I still have a few issues:
When I send / receive mails, this is what I see in the rspamd log:
Code:
(normal) <766bd7>; task; rspamd_worker_body_handler: cannot handle request: invalid command
(rspamd_proxy) rspamd_http_decrypt_message: cannot verify encrypted message, first bytes of the input: 7b226572726f72223a22696e76616c696420636f6d6d616e64222c226572726f725f646f6d61696e223a2270726f746f636f6c2d6572726f72227d
(rspamd_proxy) <3ee727>; proxy; proxy_backend_master_error_handler: abnormally closing connection from backend: /var/run/rspamd/rspamd-normal.sock, error: HTTP parser error: the on_message_complete callback failed, retries left: 5
(rspamd_proxy) <3ee727>; proxy; proxy_backend_master_error_handler: retry connection to: /var/run/rspamd/rspamd-normal.sock retries left: 4

I have no idea which invalid command it refers to...

And another issue, if you happen to know: the rspamd WebUI refers to the same address:port as the worker-controller. It seems I can only access it if the worker-controller is bound to a TCP socket (as unix sockets can only be accessed locally). Is there a way to make the worker-controller still bind to a unix socket (which performs faster than TCP, AFAIK) and still use the WebUI?

UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

Posted: Tue Jul 30, 2019 7:45 am

jhon987 wrote:
UberLord wrote:
I had this problem ...
I gave up, and replaced my email filtering stack with rspamd which does it all and without the overhead of perl or separate milters.
Not looked back since, highly recommend it.


Hey @UberLord, do you mind if I ask you a few questions?

When you say you replaced your email filtering stack:
First, are you using postfix?


Sure and yes

Quote:
If so, do you mean rspamd also replaces amavis and clam? (Because I haven't managed to detach postfix from both of these services - whenever I re/start postfix it automatically launches both.)


amavis is just a middle man between postfix and a filter (like clam).
rspamd does NOT replace clam - it's not a virus checker.
That being said, I don't run a virus checker on my mail server as virus checkers run on the machines I generally use and viruses would target - i.e. Windows.

Postfix doesn't actually start anything external (amavis, clam) itself - but the init.d/postfix service might! Check there.
I don't use Gentoo these days so can't help much there really.

Quote:
Lastly, I followed the rspamd quickstart guide, setting it up with dovecot and redis. I use unix sockets wherever possible, but I still haven't managed to set it up correctly, I guess, because I still have a few issues:
When I send / receive mails, this is what I see in the rspamd log:
Code:
(normal) <766bd7>; task; rspamd_worker_body_handler: cannot handle request: invalid command
(rspamd_proxy) rspamd_http_decrypt_message: cannot verify encrypted message, first bytes of the input: 7b226572726f72223a22696e76616c696420636f6d6d616e64222c226572726f725f646f6d61696e223a2270726f746f636f6c2d6572726f72227d
(rspamd_proxy) <3ee727>; proxy; proxy_backend_master_error_handler: abnormally closing connection from backend: /var/run/rspamd/rspamd-normal.sock, error: HTTP parser error: the on_message_complete callback failed, retries left: 5
(rspamd_proxy) <3ee727>; proxy; proxy_backend_master_error_handler: retry connection to: /var/run/rspamd/rspamd-normal.sock retries left: 4

I have no idea which invalid command it refers to...

And another issue, if you happen to know: the rspamd WebUI refers to the same address:port as the worker-controller. It seems I can only access it if the worker-controller is bound to a TCP socket (as unix sockets can only be accessed locally). Is there a way to make the worker-controller still bind to a unix socket (which performs faster than TCP, AFAIK) and still use the WebUI?


I set up rspamd without setting the controller password - the WebUI is locked down to my local IP range AND is HTTP password protected.
Also using sockets, so not exposed on the wire either (other than the WebUI) so again, no need to set up a password in rspamd.

jhon987
Apprentice
Joined: 18 Nov 2013
Posts: 297

Posted: Wed Jul 31, 2019 7:05 pm

Thanks for taking the time to answer.