Opendkim 无法在 CentOS 7 上启动（连接到 Milter 服务 inet：localhost：8891：连接被拒绝）

自从 OpenDKIM 更新不久前崩溃以来，我遇到了 OpenDKIM 无法在我的 CentOS 7（带有 Postfix）服务器上启动的问题。

我尝试了以下方法：

service opendkim start

然后它说：

Job for opendkim.service failed because the control process exited with error code. See "systemctl status opendkim.service" and "journalctl -xe" for details.

然后：

systemctl status opendkim.service

它说：

    ● opendkim.service - DomainKeys Identified Mail (DKIM) Milter
       Loaded: loaded (/usr/lib/systemd/system/opendkim.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Mon 2018-01-29 16:44:13 CET; 3min 40s ago
         Docs: man:opendkim(8)
               man:opendkim.conf(5)
               man:opendkim-genkey(8)
               man:opendkim-genzone(8)
               man:opendkim-testadsp(8)
               man:opendkim-testkey
               http://www.opendkim.org/docs.html
      Process: 14228 ExecStart=/usr/sbin/opendkim $OPTIONS (code=exited, status=127)

    systemd[1]: Starting DomainKeys Identified Mail (DKIM) Milter...
    systemd[1]: opendkim.service: control process exited, code=exited status=127
    systemd[1]: Failed to start DomainKeys Identified Mail (DKIM) Milter.
    systemd[1]: Unit opendkim.service entered failed state.
    systemd[1]: opendkim.service failed.

然后我尝试过：

journalctl -xe

这和（/var/log/maillog）给出了相关的错误：

postfix/smtpd[32230]: warning: connect to Milter service inet:localhost:8891: Connection refused

配置 OpenDKIM（/etc/opendkim.conf）：

##  Create a socket through which your MTA can communicate.
## Socket       inet:8891@localhost
Socket inet:[email protected]

整个 OpenDKIM 配置文件（/etc/opendkim.conf）：

## BASIC OPENDKIM CONFIGURATION FILE
## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more

## BEFORE running OpenDKIM you must:

## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
## - generate keys for your domain (if signing)
## - edit your DNS records to publish your public keys (if signing)

## See /usr/share/doc/opendkim/INSTALL for detailed instructions.

## DEPRECATED CONFIGURATION OPTIONS
##
## The following configuration options are no longer valid.  They should be
## removed from your existing configuration file to prevent potential issues.
## Failure to do so may result in opendkim being unable to start.
##
## Removed in 2.10.0:
##   AddAllSignatureResults
##   ADSPAction
##   ADSPNoSuchDomain
##   BogusPolicy
##   DisableADSP
##   LDAPSoftStart
##   LocalADSP
##   NoDiscardableMailTo
##   On-PolicyError
##   SendADSPReports
##   UnprotectedPolicy

## CONFIGURATION OPTIONS

##  Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid

##  Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
##  Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
##  messages.
Mode    sv

##  Log activity to the system log.
Syslog  yes

##  Log additional entries indicating successful signing or verification of messages.
SyslogSuccess   yes

##  If logging is enabled, include detailed logging about why or why not a message was
##  signed or verified. This causes an increase in the amount of log data generated
##  for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy  yes

##  Attempt to become the specified user before starting operations.
UserID  opendkim:opendkim

##  Create a socket through which your MTA can communicate.
## Socket       inet:8891@localhost
Socket inet:[email protected]

##  Required to use local socket with MTAs that access the socket as a non-
##  privileged user (e.g. Postfix)
Umask   002

##  This specifies a text file in which to store DKIM transaction statistics.

##   On-PolicyError
##   SendADSPReports
##   UnprotectedPolicy

## CONFIGURATION OPTIONS

##  Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid

##  Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
##  Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
##  messages.
Mode    sv

##  Log activity to the system log.
Syslog  yes

##  Log additional entries indicating successful signing or verification of messages.
SyslogSuccess   yes

##  If logging is enabled, include detailed logging about why or why not a message was
##  signed or verified. This causes an increase in the amount of log data generated
##  for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy  yes

##  Attempt to become the specified user before starting operations.
UserID  opendkim:opendkim

##  Create a socket through which your MTA can communicate.
## Socket       inet:8891@localhost
Socket inet:[email protected]

##  Required to use local socket with MTAs that access the socket as a non-
##  privileged user (e.g. Postfix)
Umask   002

##  This specifies a text file in which to store DKIM transaction statistics.
##  OpenDKIM must be manually compiled with --enable-stats to enable this feature.
# Statistics    /var/spool/opendkim/stats.dat

##  Specifies whether or not the filter should generate report mail back
##  to senders when verification fails and an address for such a purpose
##  is provided. See opendkim.conf(5) for details.
SendReports     yes

##  Specifies the sending address to be used on From: headers of outgoing
##  failure reports.  By default, the e-mail address of the user executing
##  the filter is used (executing_user@hostname).
# ReportAddress "Example.com Postmaster" <[email protected]>

##  Add a DKIM-Filter header field to messages passing through this filter
##  to identify messages it has processed.
SoftwareHeader  yes

## SIGNING OPTIONS

##  Selects the canonicalization method(s) to be used when signing messages.
Canonicalization        relaxed/simple

##  Domain(s) whose mail should be signed by this filter. Mail from other domains will
##  be verified rather than being signed. Uncomment and use your domain name.
##  This parameter is not required if a SigningTable is in use.

##  Required to use local socket with MTAs that access the socket as a non-
##  privileged user (e.g. Postfix)
Umask   002

##  This specifies a text file in which to store DKIM transaction statistics.
##  OpenDKIM must be manually compiled with --enable-stats to enable this feature.
# Statistics    /var/spool/opendkim/stats.dat

##  Specifies whether or not the filter should generate report mail back
##  to senders when verification fails and an address for such a purpose
##  is provided. See opendkim.conf(5) for details.
SendReports     yes

##  Specifies the sending address to be used on From: headers of outgoing
##  failure reports.  By default, the e-mail address of the user executing
##  the filter is used (executing_user@hostname).
# ReportAddress "Example.com Postmaster" <[email protected]>

##  Add a DKIM-Filter header field to messages passing through this filter
##  to identify messages it has processed.
SoftwareHeader  yes

## SIGNING OPTIONS

##  Selects the canonicalization method(s) to be used when signing messages.
Canonicalization        relaxed/simple

##  Domain(s) whose mail should be signed by this filter. Mail from other domains will
##  be verified rather than being signed. Uncomment and use your domain name.
##  This parameter is not required if a SigningTable is in use.

##  Defines the name of the selector to be used when signing messages.
Selector        default

##  Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits  1024

##  Gives the location of a private key to be used for signing ALL messages. This
##  directive is ignored if KeyTable is enabled.

##  Gives the location of a file mapping key names to signing keys. In simple terms,
##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
##  directive in the configuration file. Requires SigningTable be enabled.
KeyTable        /etc/opendkim/KeyTable

##  Defines a table used to select one or more signatures to apply to a message based
##  on the address found in the From: header field. In simple terms, this tells
##  OpenDKIM how to use your keys. Requires KeyTable be enabled.
SigningTable    refile:/etc/opendkim/SigningTable

##  Identifies a set of "external" hosts that may send mail through the server as one
##  of the signing domains without credentials as such.
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts

##  Identifies a set "internal" hosts whose mail should be signed rather than verified.
InternalHosts   refile:/etc/opendkim/TrustedHosts

##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names
##  whose mail should be neither signed nor verified by this filter.  See man
##  page for file format.
# PeerList      X.X.X.X

##  Always oversign From (sign using actual From and a null From to prevent
Selector        default

##  Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits  1024

##  Gives the location of a private key to be used for signing ALL messages. This
##  directive is ignored if KeyTable is enabled.

##  Gives the location of a file mapping key names to signing keys. In simple terms,
##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
##  directive in the configuration file. Requires SigningTable be enabled.
KeyTable        /etc/opendkim/KeyTable

##  Defines a table used to select one or more signatures to apply to a message based
##  on the address found in the From: header field. In simple terms, this tells
##  OpenDKIM how to use your keys. Requires KeyTable be enabled.
SigningTable    refile:/etc/opendkim/SigningTable

##  Identifies a set of "external" hosts that may send mail through the server as one
##  of the signing domains without credentials as such.
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts

##  Identifies a set "internal" hosts whose mail should be signed rather than verified.
InternalHosts   refile:/etc/opendkim/TrustedHosts

##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names
##  whose mail should be neither signed nor verified by this filter.  See man
##  page for file format.
# PeerList      X.X.X.X

##  Always oversign From (sign using actual From and a null From to prevent
##  malicious signatures header fields (From and/or others) between the signer
##  and the verifier.  From is oversigned by default in the Fedora package
##  because it is often the identity key used by reputation systems and thus
##  somewhat security sensitive.
OversignHeaders From

SignatureAlgorithm      rsa-sha256

这是 Postfix 配置文件 (/etc/postfix/main.cf) 中的 OpenDKIM 部分：

## OpenDKIM config :)
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

这是我发送的测试邮件的邮件日志（zgrep[电子邮件保护]/var/log/maillog* ):

/var/log/maillog:Feb  4 11:28:51 vps2 postfix/smtpd[14598]: 134D5B6BE79: client=vps2.brandsomehosting.nl[::1], sasl_method=DIGEST-MD5, [email protected]
/var/log/maillog:Feb  4 11:28:51 vps2 postfix/qmgr[31089]: 134D5B6BE79: from=<[email protected]>, size=1374, nrcpt=1 (queue active)