Sharing a local socket with the MTA
Using a local socket to communicate securely with an MTA requires some subtle configuration. The four security goals achieved are:
- Allow OpenDKIM to read the DKIM signing keys.
- Allow the MTA to read and write to a shared socket file.
- Do not allow the MTA to read the DKIM signing keys.
- Don't allow anyone other than root to modify the signing keys.
In recent versions of mail-filter/opendkim, the opendkim daemon runs as the opendkim user and group. The signing keys should be,
- Located under /var/lib/opendkim
- Owned by root, with group opendkim
- Have mode 640
Taken together, these imply that the opendkim group (including the daemon) can read the DKIM signing keys, but not write to them. The problem of the socket is now, essentially: how to share the socket file between the opendkim user and the MTA, without allowing the MTA to read the opendkim group's files? The usual approach here would be to add the MTA to the opendkim group, and then allow that group to write to the socket file. However, doing so would allow the MTA to read the DKIM signing keys in this case, and that violates one of our security goals.
The solution to this problem is to create a new, dedicated group that is used only to control access to the socket. For example, you might
- Create a new dkimsocket group.
- Add the opendkim user to the dkimsocket group.
- Add the MTA to the dkimsocket group.
- Change the umask in /etc/opendkim/opendkim.conf to allow group-write.
This almost does what we want, except for one critical pitfall: the socket gets created by the opendkim user, and as a result, it gets created with that user's primary group, opendkim. Since the socket's group isn't dkimsocket, our trick has failed! However, all is not lost: we can change the primary group of the opendkim user to dkimsocket, after which the socket will be created with the correct group. With this one crucial modification, everything works as desired.
Below is a step-by-step example of sharing a local socket with Postfix, running as the postfix user.
First, edit /etc/opendkim/opendkim.conf to specify the name of a local socket. On Gentoo, the local socket should be located under /run/opendkim, because the permissions on that directory are set correctly at boot time.
#Socket inet:8891@localhost Socket local:/run/opendkim/opendkim.sock
Then, ensure that the UMask is set correctly in /etc/opendkim/opendkim.conf (the ebuild does this on install) so that the socket gets created with group-writable permissions:
Finally, create and configure the dedicated dkimsocket group. GLEP 81 changed the way that users and groups are managed on Gentoo.
The new way
In a local overlay, create an ebuild for the dkimsocket group:
# Copyright 1999-2019 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 inherit acct-group DESCRIPTION="Group used to share the OpenDKIM socket" # If you want this to persist across multiple machines, pick a real number! ACCT_GROUP_ID="-1"
Then, create newer revisions of the postfix and opendkim user ebuilds that make use of the new group:
# Copyright 2019 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 inherit acct-user DESCRIPTION="user for postfix daemon" ACCT_USER_ID=207 ACCT_USER_GROUPS=( postfix mail dkimsocket ) acct-user_add_deps
# Copyright 2019 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 inherit acct-user DESCRIPTION="User for OpenDKIM" ACCT_USER_ID=334 # dkimsocket goes first, to make it the primary group ACCT_USER_GROUPS=( dkimsocket opendkim ) acct-user_add_deps
Now those two packages will take precedence over the ones in ::gentoo, ensuring that the users on the system are a member of dkimsocket.
The old way
Create the dkimsocket that will control access to the socket, and add the postfix user to it:
usermod --append --groups dkimsocket postfix
Next, switch the primary group of the opendkim user to dkimsocket, and then append the opendkim group back:
usermod --gid dkimsocket opendkim
usermod --append --groups opendkim opendkim
With that, OpenDKIM is ready to start.