Sharing a local socket with your MTA
Using a local socket to communicate securely with an MTA requires some subtle configuration. We have four security goals,
- Allow OpenDKIM to read your DKIM signing keys.
- Allow your MTA to read and write to a shared socket file.
- Do not allow the MTA to read your DKIM signing keys.
- Don't allow anyone other than root to modify the signing keys.
In recent versions of mail-filter/opendkim, the opendkim daemon runs as the opendkim user and group. Your signing keys should be,
- Located under /var/lib/opendkim
- Owned by root, with group opendkim
- Have mode 640
Taken together, these imply that the opendkim group (including the daemon) can read your DKIM signing keys, but not write to them. The problem of the socket is now, essentially: how do you share the socket file between the opendkim user and the MTA, without allowing the MTA to read the opendkim group's files? The usual approach here would be to add the MTA to the opendkim group, and then allow that group to write to the socket file. However, doing so would allow the MTA to read your DKIM signing keys in this case, and that violates one of our security goals.
The solution to this problem is to create a new, dedicated group that us used only to control access to the socket. For example, you might
- Create a new dkimsocket group.
- Add the opendkim user to the dkimsocket group.
- Add your MTA to the dkimsocket group.
- Change the umask in /etc/opendkim/opendkim.conf to allow group-write.
This almost does what we want, except for one critical pitfall: the socket gets created by the opendkim user, and as a result, it gets created with that user's primary group, opendkim. Since the socket's group isn't dkimsocket, our trick has failed! However, all is not lost: we can change the primary group of the opendkim user to dkimsocket, after which the socket will be created with the correct group. With this one crucial modification, everything works as desired.
Here we give a step-by-step example of sharing a local socket with Postfix, running as the postfix user.
First, create the dedicated dkimsocket group that will control access to the socket, and add the postfix user to it:
usermod --append --groups dkimsocket postfix
Next we will switch the primary group of the opendkim user to dkimsocket, and then append the opendkim group back:
usermod --gid dkimsocket opendkim
usermod --append --groups opendkim opendkim
Next, edit your /etc/opendkim/opendkim.conf to specify the name of a local socket. On Gentoo, the local socket should be located under /run/opendkim, because the permissions on that directory are set correctly for you at boot time.
#Socket inet:8891@localhost Socket local:/run/opendkim/opendkim.sock
Finally, ensure that the UMask is set correctly in /etc/opendkim/opendkim.conf (the ebuild does this for you) so that the socket gets created with group-writable permissions:
With that, we are ready to start OpenDKIM.