OpenDKIM

Background
Using a local socket to communicate securely with an MTA requires some subtle configuration. We have four security goals,


 * 1) Allow OpenDKIM to read your DKIM signing keys.
 * 2) Allow your MTA to read and write to a shared socket file.
 * 3) Do not allow the MTA to read your DKIM signing keys.
 * 4) Don't allow anyone other than root to modify the signing keys.

In recent versions of, the opendkim daemon runs as the opendkim user and group. Your signing keys should be,


 * 1) Located under
 * 2) Owned by root, with group opendkim
 * 3) Have mode 750

Taken together, these imply that the opendkim group (including the daemon) can read your DKIM signing keys, but not write to them. The problem of the socket is now, essentially: how do you share the socket file between the opendkim user and the MTA, without allowing the MTA to read the opendkim group's files? The usual approach here would be to add the MTA to the opendkim group, and then allow that group to write to the socket file. However, doing so would allow the MTA to read your DKIM signing keys in this case, and that violates one of our security goals.

Solution
The solution to this problem is to create a new, dedicated group that us used only to control access to the socket. For example, you might


 * 1) Create a new dkimsocket group.
 * 2) Add the opendkim user to the dkimsocket group.
 * 3) Add your MTA to the dkimsocket group.
 * 4) Change the umask in {{Path|/etc/opendkim/opendkim.conf} to allow group-write.

This almost does what we want, except for one critical pitfall: the socket gets created by the opendkim user, and as a result, it gets created with that user's primary group, opendkim. Since the socket's group isn't dkimsocket, our trick has failed! However, all is not lost: we can change the primary group of the opendkim user to dkimsocket, after which the socket will be created with the correct group. With this one crucial modification, everything works as desired.

Example
Here we give a step-by-step example of sharing a local socket with Postfix, running as the postfix user.

First, edit your configuration file to specify the name of a local socket. On Gentoo, the local socket should be located under, because the permissions on that directory are set correctly for you at boot time. With OpenRC, you should edit and comment-out the inet socket line in favor of the local socket line,

With systemd, you would make the changes in instead,

Next, create the dedicated group that will control access to the socket, and add the postfix user to it:

Next we will switch the primary group of the opendkim user to dkimsocket, and then append the opendkim group back:

Finally, we must update the OpenDKIM configuration so that the socket gets created with group-writable permissions:

With that, we are ready to start OpenDKIM.