Unable to deliver emails

Debian 8 32bit Virtualmin installed through virtualmin install script
Webmin 1.750
VPS 512MB with digitalocean

I am updating this problem at the end of today.

It seems that I am able to send email from only one of my domains. Here is the log when an email gets sent
Jun 4 17:26:43 stratus postfix/master[2026]: terminating on signal 15
Jun 4 17:26:43 stratus postfix/master[10535]: daemon started -- version 2.11.3, configuration /etc/postfix
Jun 4 17:27:05 stratus postfix/smtpd[10539]: warning: hostname 197-89-32-182.dsl.mweb.co.za does not resolve to address 197.89.32.182: Name or service not known
Jun 4 17:27:05 stratus postfix/smtpd[10539]: connect from unknown[197.89.32.182]
Jun 4 17:27:08 stratus postfix/trivial-rewrite[10543]: warning: do not list domain kusikiliza.com in BOTH mydestination and virtual_alias_domains
Jun 4 17:27:08 stratus postfix/smtpd[10539]: DD11BA0C80: client=unknown[197.89.32.182], sasl_method=PLAIN, sasl_username=daniel@kusikiliza.com
Jun 4 17:27:09 stratus postfix/cleanup[10544]: DD11BA0C80: message-id=55706E48.7050809@kusikiliza.com
Jun 4 17:27:09 stratus postfix/qmgr[10537]: DD11BA0C80: from=daniel@kusikiliza.com, size=590, nrcpt=1 (queue active)
Jun 4 17:27:09 stratus postfix/trivial-rewrite[10543]: warning: do not list domain kusikiliza.com in BOTH mydestination and virtual_alias_domains
Jun 4 17:27:10 stratus postfix/smtpd[10539]: disconnect from unknown[197.89.32.182]
Jun 4 17:27:12 stratus postfix/local[10545]: DD11BA0C80: to=daniel-kusikiliza.com@kusikiliza.com, orig_to=daniel@kusikiliza.com, relay=local, delay=3.5, delays=1.3/0.01/0/2.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Jun 4 17:27:12 stratus postfix/qmgr[10537]: DD11BA0C80: removed

Here is a log when the email fails. This is sent from another email address which always fails.
Jun 4 17:28:12 stratus postfix/smtpd[10539]: warning: hostname 197-89-32-182.dsl.mweb.co.za does not resolve to address 197.89.32.182: Name or service not known
Jun 4 17:28:12 stratus postfix/smtpd[10539]: connect from unknown[197.89.32.182]
Jun 4 17:28:16 stratus postfix/smtpd[10539]: 55625A0C80: client=unknown[197.89.32.182], sasl_method=PLAIN, sasl_username=jules
Jun 4 17:28:17 stratus postfix/cleanup[10544]: 55625A0C80: message-id=55706E8B.9060808@deepsi.de
Jun 4 17:28:17 stratus postfix/qmgr[10537]: 55625A0C80: from=jules@deepsi.de, size=571, nrcpt=1 (queue active)
Jun 4 17:28:17 stratus postfix/smtp[10568]: 55625A0C80: to=alleyoopster@gmail.com, relay=gmail-smtp-in.l.google.com[173.194.78.27]:25, delay=1.9, delays=1.1/0.01/0.2/0.58, dsn=2.0.0, status=sent (250 2.0.0 OK 1433431698 qn7si7832954wjc.202 - gsmtp)
Jun 4 17:28:17 stratus postfix/qmgr[10537]: 55625A0C80: removed
Jun 4 17:28:18 stratus postfix/smtpd[10539]: disconnect from unknown[197.89.32.182]

/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

/etc/postfix/master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd -o smtpd_sasl_auth_enable=yes
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=$mua_client_restrictions -o smtpd_helo_restrictions=$mua_helo_restrictions -o smtpd_sender_restrictions=$mua_sender_restrictions -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

submission inet n       -       -       -       -       smtpd -o smtpd_sasl_auth_enable=yes

/etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = stratus.kusikiliza.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
mydestination = $mydomain, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
allow_percent_hack = no
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = high
mydomain = kusikiliza.com

stratus postfix[1561]: /usr/sbin/postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_…ictions
Jun 04 14:02:02 stratus postfix[1561]: /usr/sbin/postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
Jun 04 14:02:02 stratus postfix[1561]: /usr/sbin/postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_…ictions

Thanks for your help.

Howdy,

Hmm, so when attempting to send an email, do you notice anything in Postfix that suggests that Thunderbird connected and tried to authenticate?

Also, are you able to send emails using other desktop-based mail clients – perhaps something like Outlook?

And what about a webmail client such as RoundCube, does that work?

-Eric

Hi andreychek,

thanks for helping out

I have just updated the post with my findings from today. It does not seem to be a client problem, but a problem with certain email addresses. In fact only emails from the main domain are getting delivered. See the beginning of the post above for logs of the good send and a failed send.

I am using 2 emails, one from the main domain kusikiliza.com and one from deepsi.de. deepsi.de is failing to send. I have just noticed that it can send to local email addresses such as mail@kusikiliza.com, but fails to deliver anything externally. So that looks like the problem now.

Thunderbird is now connecting and able to authenticate with both test emails. I see the same problem when sending from Usermin.

Dan

Howdy,

In the example that failed, the logs indicate that it did go out, and Gmail labeled the status as “sent”.

Is it possible that the email ended up in a spam folder at Gmail?

-Eric

It is true that I now have some going into spam, but sometimes nothing at all.

I tried it from another domain, desertpursuit.com, and it did not go to spam and it was not received. Here is the log from that one (this was using Usermin):

Jun 4 18:52:17 stratus postfix/smtpd[13924]: connect from localhost[127.0.0.1]
Jun 4 18:52:17 stratus postfix/smtpd[13924]: 76F7FA0C80: client=localhost[127.0.0.1]
Jun 4 18:52:17 stratus postfix/cleanup[13928]: 76F7FA0C80: message-id=1433436737.13919@desertpursuit.com
Jun 4 18:52:17 stratus postfix/qmgr[13905]: 76F7FA0C80: from=jules@desertpursuit.com, size=662, nrcpt=1 (queue active)
Jun 4 18:52:17 stratus postfix/smtpd[13924]: disconnect from localhost[127.0.0.1]
Jun 4 18:52:18 stratus postfix/smtp[13929]: 76F7FA0C80: to=alleyoopster@gmail.com, relay=gmail-smtp-in.l.google.com[173.194.78.26]:25, delay=0.83, delays=0.05/0.02/0.14/0.61, dsn=2.0.0, status=sent (250 2.0.0 OK 1433436738 d3si8286617wjr.121 - gsmtp)
Jun 4 18:52:18 stratus postfix/qmgr[13905]: 76F7FA0C80: removed

I doubt it is related, but I am also not able to use port 465 SSL for SMTP.

EDIT: They just showed up in spam in one account, but disappeared in 3 other accounts.

Is there something I can do about the messages going into spam? Is there a reason some accounts gmail or other get nothing?

From the log I can see you are not using DKIM. To be clear, with Gmail/Hotmail/Outlook (and many others) you must have three things enabled: DKIM, SPF and rDNS. If your emails are missing one of these three records, the chance that your emails will end up in the spam folder or be automatically deleted is really, really high.

Port 465 is easy to check: use telnet and try to connect. If you can't, that means a firewall is blocking, the service is not listening, etc. If you can, then the problem must be with your settings in the mail server.

Thanks for that, that was a big help.

For some reason 465 was not open in the default firewall, so I added it and that is working now.

I have now installed DKIM, and rDNS seems to be working now.

Just trying to work out SPF.

This should work:
yourdomain.com. IN TXT "v=spf1 a mx a:hostname.yourdomain.com mx:yourdomain.com ip4:111.111.111.111 ~all"
yourdomain.com. IN SPF "v=spf1 a mx a:hostname.yourdomain.com mx:yourdomain.com ip4:111.111.111.111 ~all"

If you have IPv6 then add after IPv4: "ip6:your-IPv6-address".
Personally I have set it to "-all", but do this only if you are really sure what you are doing; if not, leave it as it is.

This is an example for when you are hosting your own mail server; in case you are using an external service such as Google Apps then you must change/add the info from that service.

DMARC - this is optional but I would suggest you use it. IMPORTANT: use it only once you have sorted out your SPF and DKIM records, and in this case I would suggest setting SPF to "-all".

_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:postmaster@yourdomain.com; ruf=mailto:postmaster@yourdomain.com; rf=afrf; pct=100; ri=86400"

Explanation:
p=reject - domain policy - tells the ISP what to do with emails that fail the SPF & DKIM checks

sp=reject - subdomain policy - same as for the domain but for your subdomains

adkim=s; & aspf=s; - remove these for the first 2-3 days and once you see everything works put them back

rua & ruf - email addresses where you want to receive the reports;
some ISPs do not honor both options but usually they are fine with rua;
keep both and leave it to the ISP to decide which option it will use

ri=86400 - reporting interval of 24 hours; no need to put anything shorter

More details here: http://www.zytrax.com/books/dns/ch9/dmarc.html but you will be fine with the example I posted here.

EDIT: Forgot to say, once you implement DMARC you will start receiving emails from Gmail and others with statistics, usually as an attachment (once per day). Just telling you now so you do not start to wonder where and why these emails are coming into your inbox.
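Added example (my code, not from this thread or from any tool it mentions): an offline evaluator for the SPF mechanisms used in the records above (all, ip4, ip6, a, mx, include with the +/-/~/? qualifiers) plus a DMARC tag parser. DNS answers come from a constructed in-memory table that mirrors the deepsi.de TXT record shown by dig later in the thread; the MX host, the DMARC record and the *.example domains are assumptions made for the demo. It also counts DNS-querying mechanisms against the RFC 7208 limit of 10, which the "a mx a:hostname mx:domain" template above already consumes four of before any include: is added.

```python
"""Offline SPF evaluator (RFC 7208 subset) plus a DMARC tag parser.

Added example for this thread; DNS is a constructed in-memory fixture so
the script runs without network access.
"""
import ipaddress
import re

# Constructed fixture keyed by (owner name, rrtype).  The deepsi.de TXT record
# is the one dig shows later in the thread; the MX host, the DMARC record and
# the *.example domains are assumptions for this demo.
DNS = {
    ("deepsi.de", "TXT"): ["v=spf1 a mx a:deepsi.de ip4:46.101.47.11 ip4:46.101.47.11 ~all"],
    ("deepsi.de", "A"): ["46.101.47.11"],
    ("deepsi.de", "MX"): ["stratus.kusikiliza.com"],
    ("stratus.kusikiliza.com", "A"): ["46.101.47.11"],
    ("_dmarc.deepsi.de", "TXT"): ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:postmaster@deepsi.de"],
    ("strict.example", "TXT"): ["v=spf1 include:deepsi.de -all"],
    ("toomany.example", "TXT"): ["v=spf1 " + " ".join(["mx"] * 11) + " -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# qualifier, mechanism, optional :domain-or-address, optional /cidr
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?::([^/]+))?(?:/(\d{1,3}))?$", re.I)
MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4


def lookup(name, rrtype):
    return DNS.get((name.lower().rstrip("."), rrtype), [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is usable; none or several means no policy."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def ip_matches(ip, target, cidr):
    try:
        net = ipaddress.ip_network(f"{target}/{cidr}" if cidr else target, strict=False)
    except ValueError:
        return False
    return ip.version == net.version and ip in net


def evaluate(client_ip, domain, depth=0):
    """Return (result, dns_mechanism_count) for a connecting IP and MAIL FROM domain."""
    ip = ipaddress.ip_address(client_ip)
    record = spf_record(domain)
    if record is None:
        return "none", 0
    lookups = 0
    for term in record.split()[1:]:
        if "=" in term:  # redirect=/exp= modifiers are outside this subset
            continue
        m = TERM.match(term)
        if not m:
            return "permerror", lookups
        qual, mech, arg, cidr = m.group(1) or "+", m.group(2).lower(), m.group(3), m.group(4)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_matches(ip, arg, cidr)
        elif mech == "a":
            lookups += 1
            matched = any(ip_matches(ip, a, cidr) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            lookups += 1
            matched = any(ip_matches(ip, a, cidr)
                          for host in lookup(arg or domain, "MX") for a in lookup(host, "A"))
        elif mech == "include":
            lookups += 1
            if depth >= MAX_DNS_MECHANISMS:
                return "permerror", lookups
            sub, sub_lookups = evaluate(client_ip, arg, depth + 1)
            lookups += sub_lookups
            if sub == "none":  # included domain without a policy: RFC 7208 section 5.2
                return "permerror", lookups
            matched = sub == "pass"
        else:  # ptr/exists are not implemented in this subset
            return "permerror", lookups
        if lookups > MAX_DNS_MECHANISMS:
            return "permerror", lookups
        if matched:
            return QUALIFIERS[qual], lookups
    return "neutral", lookups  # record ended without an "all" term


def parse_dmarc(domain):
    """Return the DMARC tags for a domain, or None without exactly one v=DMARC1 record."""
    recs = [r for r in lookup(f"_dmarc.{domain}", "TXT") if r.startswith("v=DMARC1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


if __name__ == "__main__":
    for ip, dom in [("46.101.47.11", "deepsi.de"), ("203.0.113.5", "deepsi.de"),
                    ("203.0.113.5", "strict.example"), ("203.0.113.5", "toomany.example")]:
        print(dom, ip, evaluate(ip, dom))
    print(parse_dmarc("deepsi.de"))
```

Run it once with the server's IP and once with an unrelated IP; the second run shows what a receiver does with the ~all versus -all tail, and the toomany.example case shows the permerror that an over-long chain of a/mx/include mechanisms produces regardless of the IP.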

Hey, thanks for all that information. I have gone through and set that up.

Working on one domain
I have rDNS, SPF, DKIM and DMARC active now. I have done some tests with http://dkimvalidator.com/ and http://mail-tester.com and they give positive results.

The former reported:
SpamAssassin Score: 0.11
Message is NOT marked as spam
Points breakdown:
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

What I find on http://mxtoolbox.com was:
blacklist desertpursuit.com Blacklisted by SEM FRESH

It looks like new domains are blacklisted and this may be the problem. I am going to try the other domains and see if I get better luck.

Can I do anything about the DKIM not necessarily valid and sig header not valid?

Try to log into Usermin and send one email. Then check the mail log and you should see that DKIM signed that email, e.g. one line should say "... DKIM-Signature field added (s=mail, d=yourdomain.com)". If you are missing this line, that means DKIM is not working properly.

Jun 5 09:58:19 stratus postfix/smtpd[16182]: connect from localhost[127.0.0.1]
Jun 5 09:58:19 stratus postfix/smtpd[16182]: AF278A3C15: client=localhost[127.0.0.1]
Jun 5 09:58:19 stratus postfix/cleanup[16185]: AF278A3C15: message-id=1433491099.16177@desertpursuit.com
Jun 5 09:58:19 stratus postfix/smtpd[16182]: disconnect from localhost[127.0.0.1]
Jun 5 09:58:19 stratus postfix/qmgr[22609]: AF278A3C15: from=jules@desertpursuit.com, size=700, nrcpt=1 (queue active)
Jun 5 09:58:20 stratus postfix/smtp[16186]: AF278A3C15: to=alleyoopster@gmail.com, relay=gmail-smtp-in.l.google.com[74.125.71.27]:25, delay=1.2, delays=0.1/0.02/0.46/0.62, dsn=2.0.0, status=sent (250 2.0.0 OK 1433491100 o6si2735274wiy.112 - gsmtp)
Jun 5 09:58:20 stratus postfix/qmgr[22609]: AF278A3C15: removed

Looks like it’s not working

Same thing on another domain where I have set the DNS records manually, externally:
Jun 5 15:16:27 stratus postfix/smtps/smtpd[27659]: connect from unknown[197.83.247.60]
Jun 5 15:16:28 stratus postfix/smtps/smtpd[27659]: 5BF6FA3BA1: client=unknown[197.83.247.60], sasl_method=PLAIN, sasl_username=jules
Jun 5 15:16:28 stratus postfix/cleanup[27663]: 5BF6FA3BA1: message-id=5571A12B.6010009@deepsi.de
Jun 5 15:16:28 stratus postfix/qmgr[22609]: 5BF6FA3BA1: from=jules@deepsi.de, size=608, nrcpt=1 (queue active)
Jun 5 15:16:28 stratus postfix/smtp[27664]: connect to gmail-smtp-in.l.google.com[2a00:1450:400c:c02::1b]:25: Network is unreachable
Jun 5 15:16:29 stratus postfix/smtps/smtpd[27659]: disconnect from unknown[197.83.247.60]
Jun 5 15:16:29 stratus postfix/smtp[27664]: 5BF6FA3BA1: to=alleyoopster@gmail.com, relay=gmail-smtp-in.l.google.com[74.125.71.26]:25, delay=1.3, delays=0.56/0.01/0.15/0.59, dsn=2.0.0, status=sent (250 2.0.0 OK 1433510189 fm3si4068557wic.41 - gsmtp)
Jun 5 15:16:29 stratus postfix/qmgr[22609]: 5BF6FA3BA1: removed

And this in the receiving email header
dkim=temperror (no key for signature) header.i=@deepsi.de

The correct DNS entry is in place that is copied from the DomainKey option page.

Is there a problem in the way Virtualmin sets up DKIM or have I missed something?

What I know is that DKIM works out of the box if you install it through Virtualmin, but I didn't like how the options/settings are handled so I went and set up everything manually. What I think the problem could be is Postfix not allowing DKIM to sign outgoing emails, but there are so many other things that could be wrong.

Check this forum, there were one or two topics in the last 2 weeks (more or less) where I helped people with a similar problem. You could follow the same advice I gave them and see if it works. But before anything, check this link http://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/ and see if you did all the necessary steps to set everything up.

Thanks for the advice and links. After some fiddling this weekend I got my main domain working. I didn't have luck (probably me rather than the link) with the link you gave. Found this worked better https://tipstricks.itmatrix.eu/installing-opendkim-in-debian-squeeze/ as it was for Debian.

(EDIT: Got it working with http://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/ now also)

So now I am getting validated through the likes of port25 and seeing "pass" in the Gmail headers when it arrives. The mail log is showing message validation.

I found that as soon as I enabled DKIM within Virtualmin, it broke the signing. Putting in a custom key seems to fix this for one of the domains, but I noticed that Virtualmin, while respecting some of the settings in opendkim.conf, has other settings and key locations that are unique to Virtualmin. Troubleshooting then gets much more complicated and I have no control over Virtualmin's changes.

What I want to do now is use Virtualmin to add the other domains. Is this possible or will I always have to add them manually? It seems that maybe Virtualmin's DKIM is broken (at least on Debian 8). My install of Virtualmin was a virgin install and it didn't work out of the box, so I am wondering if there is a bug here?

Go fully manual, as Virtualmin is horrendous with DKIM settings; it is missing more than 50% (and I'm being generous here) of all the options you could have or set inside DKIM. Check inside opendkim.conf for "Mode sv", "Syslog yes" and "SyslogSuccess yes". If missing, add these values. This should sort out why you don't see DKIM in the mail logs.

Now, if you can send email from the other domain but without DKIM, that means you are missing something in the DKIM settings/keys; if you can't send email at all then you should check Postfix.

Either way I would avoid any script to add domains and just set everything manually. Not sure what is specific to Debian in the link you posted, but the one I gave you has a much better explanation of what to do. You can always take that one and just use Debian-specific commands, as everything else is pretty much the same.

Thanks Diabolico. Looks like our posts crossed as I had just edited my post to say that I got the stevejenkins post to work. You're right, it is a better post and I must have missed something last time I went through it.

I am curious to know why you wouldn't use a script. For me it minimised the risk of error, simplified the process and was a lot faster. In fact I think the original mistake I made was with the manual addition of a domain name.

So, I now have DKIM working on all domains, but am still losing email going to some providers. It fails going to iCloud and Yahoo, but Gmail seems a little happier with one of the domains. Not sure what else I can do.

With regards to Virtualmin, I think that email is a big part of the setup and most people, if not all, would want DKIM, and I think it's worth filing a bug for it not working with Debian 8 (I haven't tried others yet).

Scripts are OK when fully tested and you have a huge amount of operations that they can cut down/minimize, but if not tested, even if it works on the same OS, that doesn't mean it will work for you. For example, the last time I trusted Wmin to change one single thing in the Postfix settings it blew several hours of fine tuning up in my face; no need to say how angry I was. I'm sure for 99% of people it worked perfectly, but not for me; luckily I had a backup.

If you edited your opendkim.conf as I said, you should now see in the mail log whether your emails get signed by DKIM or not. You can always post your opendkim.conf here so someone can check if everything is OK. Aside from DKIM, you didn't say why your emails are failing with some providers; again, check your logs, they should say the reason, or check the email header once the email is delivered and see what is wrong.

Last but not least, I told you not to use DMARC and "-all" (but "~all") in SPF if you haven't set everything up. The DNS records I gave you are really strict/tight, and if any problem is present emails will get deleted/marked as spam by most ISPs/mail servers because you actually instructed them to do such a thing. Great to prevent email abuse but bad if you have any problem with your mail server.

I can understand the frustration with using scripts and GUIs to alter configs. They're a bit of a double-edged sword, so good for some things, but can be the cause of aggro for others. Glad you had a backup!

Here are the relevant logs and config files starting with

opendkim.conf
##  CONFIGURATION OPTIONS

##  Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid

##  Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
Mode    sv

##  Log activity to the system log.
Syslog  yes

##  Log additional entries indicating successful signing or verification of messages.
SyslogSuccess   yes

##  If logging is enabled, include detailed logging about why or why not a message was
##  signed or verified. This causes a large increase in the amount of log data generated
##  for each message, so it should be limited to debugging use only.
LogWhy  yes

##  Attempt to become the specified user before starting operations.
UserID  opendkim:opendkim

##  Create a socket through which your MTA can communicate.
Socket  inet:8891@127.0.0.1

##  Required to use local socket with MTAs that access the socket as a non-
##  privileged user (e.g. Postfix)
Umask   002

##  This specifies a file in which to store DKIM transaction statistics.
#Statistics /var/spool/opendkim/stats.dat

##  SIGNING OPTIONS

##  Selects the canonicalization method(s) to be used when signing messages.
Canonicalization    relaxed/simple

##  Domain(s) whose mail should be signed by this filter. Mail from other domains will
##  be verified rather than being signed. Uncomment and use your domain name.
##  This parameter is not required if a SigningTable is in use.
#Domain example.com

##  Defines the name of the selector to be used when signing messages.
Selector    default

##  Gives the location of a private key to be used for signing ALL messages.
#KeyFile /etc/opendkim/keys/default.private

##  Gives the location of a file mapping key names to signing keys. In simple terms,
##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
##  setting in the configuration file.
#KeyTable refile:/etc/opendkim/KeyTable
Keytable /etc/opendkim/KeyTable

##  Defines a table used to select one or more signatures to apply to a message based
##  on the address found in the From: header field. In simple terms, this tells
##  OpenDKIM how to use your keys.
#SigningTable refile:/etc/opendkim/SigningTable
SigningTable /etc/opendkim/SigningTable

##  Identifies a set of "external" hosts that may send mail through the server as one
##  of the signing domains without credentials as such.
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

##  Identifies a set of internal hosts whose mail should be signed rather than verified.
InternalHosts refile:/etc/opendkim/TrustedHosts

KeyTable

default._domainkey.kusikiliza.com kusikiliza.com:default:/etc/opendkim/keys/kusikiliza.com/default.private
default._domainkey.desertpursuit.com desertpursuit.com:default:/etc/opendkim/keys/desertpursuit.com/default.private
default._domainkey.deepsi.de deepsi.de:default:/etc/opendkim/keys/deepsi.de/default.private

SigningTable

kusikiliza.com default._domainkey.kusikiliza.com
desertpursuit.com default._domainkey.desertpursuit.com
deepsi.de default._domainkey.deepsi.de

TrustedHosts (pretty sure I don’t need the last 2 entries, perhaps someone can confirm)

127.0.0.1
localhost
stratus.kusikiliza.com
46.101.47.11
desertpursuit.com
deepsi.de

ls keys - has default.private and default.txt for deepsi.de desertpursuit.com kusikiliza.com

Sending to yahoo from deepsi.de

Jun 9 09:02:30 stratus postfix/smtps/smtpd[14967]: warning: hostname 197-83-247-60.dbn.mweb.co.za does not resolve to address 197.83.247.60: Name or service not known
Jun 9 09:02:30 stratus postfix/smtps/smtpd[14967]: connect from unknown[197.83.247.60]
Jun 9 09:02:31 stratus postfix/smtps/smtpd[14967]: 3E31CA1156: client=unknown[197.83.247.60], sasl_method=PLAIN, sasl_username=test
Jun 9 09:02:31 stratus postfix/cleanup[14971]: 3E31CA1156: message-id=55768F86.6010809@deepsi.de
Jun 9 09:02:31 stratus opendkim[18306]: 3E31CA1156: DKIM-Signature field added (s=default, d=deepsi.de)
Jun 9 09:02:31 stratus postfix/qmgr[21402]: 3E31CA1156: from=test@deepsi.de, size=590, nrcpt=1 (queue active)
Jun 9 09:02:31 stratus postfix/smtps/smtpd[14967]: disconnect from unknown[197.83.247.60]
Jun 9 09:02:33 stratus postfix/smtp[14972]: 3E31CA1156: to=alleyoopster@ymail.com, relay=mta5.am0.yahoodns.net[66.196.118.34]:25, delay=2.5, delays=0.52/0.01/0.42/1.5, dsn=2.0.0, status=sent (250 ok dirdel)
Jun 9 09:02:33 stratus postfix/qmgr[21402]: 3E31CA1156: removed

dig deepsi.de TXT

; <<>> DiG 9.9.5-9-Debian <<>> deepsi.de TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49209
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 8

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;deepsi.de. IN TXT

;; ANSWER SECTION:
deepsi.de. 3600 IN TXT “v=spf1 a mx a:deepsi.de ip4:46.101.47.11 ip4:46.101.47.11 ~all”

;; AUTHORITY SECTION:
deepsi.de. 2795 IN NS ns-usa.topdns.com.
deepsi.de. 2795 IN NS ns-canada.topdns.com.
deepsi.de. 2795 IN NS ns-uk.topdns.com.

;; ADDITIONAL SECTION:
ns-uk.topdns.com. 2795 IN A 108.61.150.91
ns-uk.topdns.com. 2795 IN A 77.247.183.137
ns-uk.topdns.com. 93415 IN AAAA 2001:19f0:200:3e75:225:90ff:fed4:c41c
ns-usa.topdns.com. 2795 IN A 85.159.232.241
ns-usa.topdns.com. 2795 IN A 108.61.12.163
ns-usa.topdns.com. 2795 IN A 208.64.126.195
ns-canada.topdns.com. 2795 IN A 109.201.142.225

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 09 09:06:45 SAST 2015
;; MSG SIZE rcvd: 312

Header at Yahoo (in spam)

From test Tue Jun 9 07:02:30 2015
X-Apparently-To: alleyoopster@ymail.com; Tue, 09 Jun 2015 07:02:33 +0000
Return-Path: test@deepsi.de
X-YahooFilteredBulk: 46.101.47.11
Received-SPF: pass (domain of deepsi.de designates 46.101.47.11 as permitted sender)
X-YMailISG: gA34RMUWLDvb4aTVs_1GH0nBAHEr0SZmmCVzzybZt689GpFS
NQeDX4IbIG6hrKtqvssRvEjfUWhH2biPYXgzDiaoj0XePKvBeGRvteI1hBLI
F4czvYpDeETrIV8Vgw26lU6lwP8tqVm69_6WxyKE5qHxhNye9GbKqzi_9lxT
nSjXiKRjRUxv5t48r5uHydycbodGmJBLyVBZQ56Z78HunHsY9o2skmpogO01
MQR7W2SxjHiLynHgZ7dKJLcGopAZxd_lYqalOIZpiWu52zC3qqQ7EP9.DTGV
44g11Ba_q1D3zfFPxtU5wK_XXRwZNHX_.85ADf9ycjYNl0FYfR8A8yY4umKD
zgKeKuADZ9ipk9JH__HVBTDpMXSaogBKDS5Y2gs7HGUVjAGcthiAsAWxOSgc
d_WqCWZ4sl7BXB3zaIdHy9UT4ipyF5DLe7yk4WDgm1Wwfs8dflBv0EaLtSAO
kmMwlTYajfhcErV9s8WEI5nfC.ddNGktc9CH1u8TeHPZYqZgjASrycenEM.q
VSd9wOqeLMLAfVG3oG93nTIngNiGGzl0E4vCIhXAsDxpeVYcmdBOl9Lrl.oG
Luxy83_W3Z5eNEoxHaD1YqFSbyd6ev2b2fuyncwDx5hslQBPcu6XCY7e1jlG
CSQ6.bcHvQhM0ZAv53Ls4klB1_RtiGNL72DJ1KIdMSSgye8jXglAfOwNJqHq
Y5U5QgtXGSJWBpmTL3taVxq48Niip6XpT48yCYMRqGAVyMBTtFlYyuumcDN0
G3xPIL9hIzC3ZJFK68k8mLKI5y1FkBa9cmLSM1fSp3dgA2O2k3asI17Nc.Lg
jDZFgiSYcVKw7tSPsOQkSLbv4drQLBzLjIvXFkbL7MT9sI1NfivN.FyBOy_i
DwdGn7XxVWr9AvqyBJXO7hKeVHynd8RToObPNmehQAQuXgj6b2ymT.VUHhPk
uto4sMPz8w1POXYpHZeuSTsFDpnfoY4keQ0XfKUe0PC2rn_SYQYPTtbmTDb5
11CaX.e2sYNZTka7tZlzdPU.JR0cCKHqYiDtsD2famCcpGHNrrIlTAU78hDG
WctHEGv6rZic6LeuO9zgkGYDxEngPqFCPY0wFqN0xEbl1ABr8ABxRAmO4Bz0
uVw_dZJRUdtfOlOzZgwKvDsKEJK_LZ3aMnPGajVVKZ8o6K_sfdhn.pYQmyVR
Ud8Zi68QDS7SYdC7FXjB71DM5PLirVrdh8Y.QeXw0IsRvhWBymEojk3dJZHU
sQ68dvMHT7IEpjk47sNw6_Y2zozMl5yMuq748QEQjdnIQyIZ5ABcgjZPQhN8
MD_Fo7DFTgtGj4LrEksqd4Yg.EDSDfcmvMtc_jiyJkoEg30lNsNSKAOiUN2p
rbRkNXitp1mYQayKsDvjr3CaaB_mgKB3UaztMGqsJKUf8C43sVwqT6900siC
ozgWYBT2TAT2WWe7oDbJib40RRcYg35PJ8jLvu7_NRgHZ.jDvlHE1kb7ikTL
HOR41pgo0K7zYw--
X-Originating-IP: [46.101.47.11]
Authentication-Results: mta1135.mail.bf1.yahoo.com from=deepsi.de; domainkeys=neutral (no sig); from=deepsi.de; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO stratus.kusikiliza.com) (46.101.47.11)
by mta1135.mail.bf1.yahoo.com with SMTP; Tue, 09 Jun 2015 07:02:32 +0000
Received: from [192.168.0.200] (unknown [197.83.247.60])
by stratus.kusikiliza.com (Postfix) with ESMTPSA id 3E31CA1156
for alleyoopster@ymail.com; Tue, 9 Jun 2015 09:02:31 +0200 (SAST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=deepsi.de; s=default;
t=1433833351; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
h=Date:From:To:Subject;
b=iwjteqrfP8weckc6iWLzBDP9BrvZoi4Z8dA28TSng8Bu4x7mOJXaOqloFf8iIsSgm
Ayi1iSAbLWHI0IIx3O3NREYGE1XOMM6UY8Erdgiy6hWHTSEQnpo3z3Ek5J/9fJvbkL
I8sIbq2k1xTE7SjBiBoI7r8hhKeohkDQD58NP6Tg=
Message-ID: 55768F86.6010809@deepsi.de
Date: Tue, 09 Jun 2015 09:02:30 +0200
From: test test@deepsi.de
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: alleyoopster@ymail.com
Subject: test
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Length: 5

Header at Google (not marked as spam on my account, but is on others)
Delivered-To: alleyoopster@gmail.com
Received: by 10.79.14.73 with SMTP id 70csp2098560ivo;
Tue, 9 Jun 2015 00:09:52 -0700 (PDT)
X-Received: by 10.194.201.71 with SMTP id jy7mr38599658wjc.93.1433833792238;
Tue, 09 Jun 2015 00:09:52 -0700 (PDT)
Return-Path: test@deepsi.de
Received: from stratus.kusikiliza.com (stratus.kusikiliza.com. [46.101.47.11])
by mx.google.com with ESMTP id m6si1586778wif.81.2015.06.09.00.09.51
for alleyoopster@gmail.com;
Tue, 09 Jun 2015 00:09:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of test@deepsi.de designates 46.101.47.11 as permitted sender) client-ip=46.101.47.11;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of test@deepsi.de designates 46.101.47.11 as permitted sender) smtp.mail=test@deepsi.de;
dkim=pass header.i=@deepsi.de
Received: from [192.168.0.200] (unknown [197.83.247.60])
by stratus.kusikiliza.com (Postfix) with ESMTPSA id 58930A05BE
for alleyoopster@gmail.com; Tue, 9 Jun 2015 09:09:49 +0200 (SAST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=deepsi.de; s=default;
t=1433833790; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
h=Date:From:To:Subject;
b=mKODgCGuKjO94TUXXp+4/ppxEgCv4aHFs4dLgG3QID02SCQ1Mm4q+JNMVyXeWruUj
lI2P1jIBfFDcUzOX3qsbPMjRn+B8eryHv76+kh/eASSRLS8y2pyzZk4ky72XTWIyPJ
vksXhxMOXYjT11JKt+pWvdRVhRIz5FYcyJjaOQdg=
Message-ID: 5576913C.4010909@deepsi.de
Date: Tue, 09 Jun 2015 09:09:48 +0200
From: test test@deepsi.de
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Daniel Phillips alleyoopster@gmail.com
Subject: test
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Finally a mail from desertpursuit goes to spam everywhere.

I am getting good marks on the spam testers and do not seem to be on any notable IP or domain blacklists.

Signing table should be like this:

*@kusikiliza.com default._domainkey.kusikiliza.com
*@desertpursuit.com default._domainkey.desertpursuit.com
*@deepsi.de default._domainkey.deepsi.de

as you are using "refile" instead of "file".

Trusted host:
127.0.0.1
host.yourdomain.com
yourdomain1.com
yourdomain2.com
yourdomain3.com
IP1
IP2
IP3

Check your DNS records for all domains, including the Postfix settings. From the logs you posted I don't see anything wrong, but it could be that other domains have problems sending.
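As an added example (not the thread's own files): a small Python audit of which sender addresses an OpenDKIM SigningTable/KeyTable pair would actually sign, applying the wildcard ("refile") matching the reply above describes against the literal-key ("file") form. The table contents, key paths and the simplified plain-file lookup order are assumptions.

```python
import re
# Constructed sample tables (not copied from the poster's server). A "refile"
# SigningTable keys on wildcard patterns; a plain "file" table keys on literals.
SIGNING_TABLE_REFILE = """\
*@kusikiliza.com      default._domainkey.kusikiliza.com
*@desertpursuit.com   default._domainkey.desertpursuit.com
*@deepsi.de           default._domainkey.deepsi.de
"""
SIGNING_TABLE_FILE = "kusikiliza.com   default._domainkey.kusikiliza.com\n"
# Hypothetical KeyTable (name -> domain:selector:keyfile); deepsi.de is left out on purpose.
KEY_TABLE = """\
default._domainkey.kusikiliza.com     kusikiliza.com:default:/etc/dkim/kusikiliza.key
default._domainkey.desertpursuit.com  desertpursuit.com:default:/etc/dkim/desertpursuit.key
"""

def parse_table(text):
    # Each non-comment line is "key<whitespace>value"; return (key, value) pairs.
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            rows.append((key, value.strip()))
    return rows

def signing_name_for(sender, table, dataset):
    # Return the KeyTable name the SigningTable selects for this From: address.
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    for key, name in table:
        if dataset == "refile":
            # refile keys are glob patterns: '*' matches any run of characters
            if re.fullmatch(re.escape(key.lower()).replace(r"\*", ".*"), sender):
                return name
        elif key.lower() in (sender, domain):
            # plain "file" lookup, simplified here to full address then bare domain
            return name
    return None

def audit(senders, signing_text, dataset, key_text):
    # Map each sender to its signing key, or to the reason it would leave unsigned.
    table, keys = parse_table(signing_text), dict(parse_table(key_text))
    report = {}
    for s in senders:
        name = signing_name_for(s, table, dataset)
        if name is None:
            report[s] = "UNSIGNED: no SigningTable entry"
        elif name not in keys:
            report[s] = f"UNSIGNED: {name} not in KeyTable"
        else:
            report[s] = "signed: " + keys[name]
    return report
```

Running `audit` on the same address list with the wildcard table declared as a plain "file" dataset shows every sender coming back unsigned, which is the mismatch the reply warns about.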

Hi,

thanks again for helping.

I am not using refile - I had some problems when I tried it so I reverted back to not using it.

So do the trusted hosts need to include all the domain names that I am sending from, i.e. deepsi.de and desertpursuit.com?

/etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = stratus.kusikiliza.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
mydestination = $mydomain, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:10023
allow_percent_hack = no
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = high
mydomain = kusikiliza.com
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891

The DNS settings I think are good. deepsi.si has a remote nameserver, the others are all on the local server.

zone file for desertpursuit.com

$ttl 38400
@ IN SOA ns1.kusikiliza.com. root.ns1.kusikiliza.com. (
2015060903
10800
3600
604800
38400 )
@ IN NS ns1.kusikiliza.com.
@ IN NS ns2.kusikiliza.com.
desertpursuit.com. IN A 46.101.47.11
www.desertpursuit.com. IN A 46.101.47.11
ftp.desertpursuit.com. IN A 46.101.47.11
m.desertpursuit.com. IN A 46.101.47.11
localhost.desertpursuit.com. IN A 127.0.0.1
mail.desertpursuit.com. IN A 46.101.47.11
desertpursuit.com. IN MX 5 mail.desertpursuit.com.
desertpursuit.com. IN TXT "v=spf1 a mx a:desertpursuit.com mx:desertpursuit.com ip4:46.101.47.11 ~all"
autoconfig.desertpursuit.com. IN A 46.101.47.11
default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjKb2eK4gJjvHu5QoTQ2ECdvpIyIOntdiu50iZVa3ltJOgiI6Rf/qxQPoDichpSyUrF/T07quvFfBtbP8rLlCHpw9h36KtBl0Hb7Y1DFDTH1RyxXqeBfzaKbZbGpJ5yKgqliee1zTuSWEL4r92ychnDaM3xVLmkx0zVn4y9la2gwIDAQAB" ) ; ----- DKIM key default for desertpursuit.com