Home / server / Questions / 847138
Accepted
Chazy Chaz
Asked: 2017-04-29 04:45:28 +0800 CST

postfix: milter-reject: END-OF-MESSAGE from ...: 4.7.1 Service unavailable (opendkim)

  • 772

I configured OpenDkim to work with postfix and I'm getting the following error when I try to send mail out:

postfix/cleanup[11542]: 40F271A291A: milter-reject: END-OF-MESSAGE from ***[***]: 4.7.1 Service unavailable - try again later; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.10]>

I've configured opendkim to use a unix socket, and it's working:

[chazy@mail ~]$ sudo netstat -nalp | grep dkim
unix  2      [ ACC ]     STREAM     LISTENING     144135   11267/opendkim       /run/opendkim/opendkim.sock
unix  3      [ ]         STREAM     CONNECTED     147626   11267/opendkim       /run/opendkim/opendkim.sock
unix  2      [ ]         DGRAM                    144137   11267/opendkim

Opendkim is started by it's own user, as suggested by the Arch wiki (as well as the other security recommendations). The folders are also owned by opendkim:mail.

I'm using the same selector and signing key for all domains, is that a problem?

The postfix configuration is as follows:

# DKIM
milter_default_action = accept
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/run/opendkim/opendkim.sock

No anti-spam service installed for the moment, just a basic postfix/dovecot/opendkim configuration to test the server.

Opendkim config:

# /etc/opendkim/opendkim.conf

BaseDirectory           /var/lib/opendkim
Canonicalization        relaxed/simple
Domain                  domain1.com domain2.com
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyFile                 /etc/opendkim/201704.private
KeyTable                refile:/etc/opendkim/KeyTable
Selector                201704
SigningTable            refile:/etc/opendkim/SigningTable
Socket                  local:/run/opendkim/opendkim.sock
Syslog                  Yes
TemporaryDirectory      /run/opendkim
UMask                   002
UserID                  opendkim:mail

TrustedHosts config:

# /etc/opendkim/TrustedHosts

# Trusted Hosts List
127.0.0.1
::1
x.x.x.x # Server IP
mail.maindomain.com

# Domains
maindomain.com
domain2.com
postfix

4 Answers

  1. Best Answer

    The problem, in my case, was that the signing key file had root owner, so doing:

    sudo chown opendkim:mail /etc/opendkim/selector.private

    Fixed the problem.

    If this is not your problem, don't forget to take a look at the journal, for both! postfix and opendkim (i forgot to lookup opendkim and there it was the error):

    journalctl --follow --unit postfix.service --unit opendkim.service
    • 7

  2. Try and see if removing the "*@" from your the file you use as your signing table works. This is what was causing it for me, even though I had

    SigningTable      refile:<directory to signing table file>

    in my opendkim.conf.

    • 1

  3. In my case, the outgoing message was simply too big.

    After fixing the issue, I got:

    Sep 24 20:05:20 va1my postfix/smtp[23682]: C553B48F30: to=<XXX>, relay=XXXXX:25, delay=2979299, delays=2979298/0.01/0.13/0.72, dsn=5.2.3, status=bounced (host XXXXXX said: 552-5.2.3 Your message exceeded message size limits. Please visit 552-5.2.3  XXXX  to view our size 552 5.2.3 guidelines.  (in reply to end of DATA command))

    To fix it, I added to /etc/opendkim.conf:

    MaximumHeaders 0

    and restarted opendkim service opendkim restart (or systemctl restart opendkim).

    Setting a limit of 256k did not help, because the header was bigger, so I set 0 which disables the limit. I could comment the line again as the root cause is gone.

    Sidenote, the real cause

    The headers were likely too big because of having piped the output of a log to sendmail without adding a header.

    I achieved that like this and did not realize this mail got stuck:

    grep FILTER FILE | sendmail [email protected]

    To properly script using "sendmail", I did something as below :

    #!/bin/bash
# TMP_FILE and SUBJECT are set somewhere in the script.

# Prepend the $SUBJECT to the script output sent by mail.

  ( echo "Subject: $SUBJECT" \
    && cat $TMP_FILE \
  ) | \
  /usr/sbin/sendmail $1
    • 0

  4. Problem:

    There's yet another thingy that will cause this error which I just discovered to my great pain:

    BaseDirectory          /run/opendkim

    You'd think that you're pointing opendkim to where the PID lives...

    Solution:

    #BaseDirectory          /run/opendkim

    This is what the directive actually does and why the service was rendered "milter-reject: END-OF-MESSAGE from ...: 4.7.1 Service unavailable"

    BaseDirectory (string)

    If set, instructs the filter to change to the specified directory using chdir(2) before doing anything else. This means any files referenced elsewhere in the configuration file can be specified relative to this directory. It’s also useful for arranging that any crash dumps will be saved to a specific location.

    REF: http://www.opendkim.org/opendkim.conf.5.html

    As soon as I commented it out, everything started to work.

    This was a default value I was using and saw other specimen configs using this value so initially didn't give it weight and pursued the solutions which related to incorrect permissions.

    Ensure you have a correct value for this directive or you will spend hours chasing your tail. The logging isn't helpful to say the least.

    • 0