Unable to deliver emails

#1 Thu, 06/04/2015 - 05:53
alleyoopster

Unable to deliver emails

Debian 8 32bit, Virtualmin installed through virtualmin install script, Webmin 1.750, VPS 512MB with digitalocean

I am updating this problem at the end of today.

It seems that I am able to send email from only one of my domains. Here is the log when an email gets sent

Jun  4 17:26:43 stratus postfix/master[2026]: terminating on signal 15
Jun  4 17:26:43 stratus postfix/master[10535]: daemon started -- version 2.11.3, configuration /etc/postfix
Jun  4 17:27:05 stratus postfix/smtpd[10539]: warning: hostname 197-89-32-182.dsl.mweb.co.za does not resolve to address 197.89.32.182: Name or service not known
Jun  4 17:27:05 stratus postfix/smtpd[10539]: connect from unknown[197.89.32.182]
Jun  4 17:27:08 stratus postfix/trivial-rewrite[10543]: warning: do not list domain kusikiliza.com in BOTH mydestination and virtual_alias_domains
Jun  4 17:27:08 stratus postfix/smtpd[10539]: DD11BA0C80: client=unknown[197.89.32.182], sasl_method=PLAIN, sasl_username=daniel@kusikiliza.com
Jun  4 17:27:09 stratus postfix/cleanup[10544]: DD11BA0C80: message-id=<55706E48.7050809@kusikiliza.com>
Jun  4 17:27:09 stratus postfix/qmgr[10537]: DD11BA0C80: from=<daniel@kusikiliza.com>, size=590, nrcpt=1 (queue active)
Jun  4 17:27:09 stratus postfix/trivial-rewrite[10543]: warning: do not list domain kusikiliza.com in BOTH mydestination and virtual_alias_domains
Jun  4 17:27:10 stratus postfix/smtpd[10539]: disconnect from unknown[197.89.32.182]
Jun  4 17:27:12 stratus postfix/local[10545]: DD11BA0C80: to=<daniel-kusikiliza.com@kusikiliza.com>, orig_to=<daniel@kusikiliza.com>, relay=local, delay=3.5, delays=1.3/0.01/0/2.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Jun  4 17:27:12 stratus postfix/qmgr[10537]: DD11BA0C80: removed

Here is a log when the email fails. This is sent from another email address which always fails

Jun  4 17:28:12 stratus postfix/smtpd[10539]: warning: hostname 197-89-32-182.dsl.mweb.co.za does not resolve to address 197.89.32.182: Name or service not known
Jun  4 17:28:12 stratus postfix/smtpd[10539]: connect from unknown[197.89.32.182]
Jun  4 17:28:16 stratus postfix/smtpd[10539]: 55625A0C80: client=unknown[197.89.32.182], sasl_method=PLAIN, sasl_username=jules
Jun  4 17:28:17 stratus postfix/cleanup[10544]: 55625A0C80: message-id=<55706E8B.9060808@deepsi.de>
Jun  4 17:28:17 stratus postfix/qmgr[10537]: 55625A0C80: from=<jules@deepsi.de>, size=571, nrcpt=1 (queue active)
Jun  4 17:28:17 stratus postfix/smtp[10568]: 55625A0C80: to=<alleyoopster@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.78.27]:25, delay=1.9, delays=1.1/0.01/0.2/0.58, dsn=2.0.0, status=sent (250 2.0.0 OK 1433431698 qn7si7832954wjc.202 - gsmtp)
Jun  4 17:28:17 stratus postfix/qmgr[10537]: 55625A0C80: removed
Jun  4 17:28:18 stratus postfix/smtpd[10539]: disconnect from unknown[197.89.32.182]

/etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

/etc/postfix/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp    inet    n       -       -       -       -       smtpd -o smtpd_sasl_auth_enable=yes
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps   inet    n       -       -       -       -       smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=$mua_client_restrictions -o smtpd_helo_restrictions=$mua_helo_restrictions -o smtpd_sender_restrictions=$mua_sender_restrictions -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

submission      inet    n       -       -       -       -       smtpd -o smtpd_sasl_auth_enable=yes

/etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = stratus.kusikiliza.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
mydestination = $mydomain, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
allow_percent_hack = no
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = high
mydomain = kusikiliza.com
stratus postfix[1561]: /usr/sbin/postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_...ictions
Jun 04 14:02:02 stratus postfix[1561]: /usr/sbin/postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
Jun 04 14:02:02 stratus postfix[1561]: /usr/sbin/postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_...ictions

Thanks for your help

Thu, 06/04/2015 - 10:37
andreychek

Howdy,

Hmm, so when attempting to send an email, do you notice anything in Postfix that suggests that Thunderbird connected and tried to authenticate?

Also, are you able to send emails using other desktop-based mail clients -- perhaps something like Outlook?

And what about a webmail client such as RoundCube, does that work?

-Eric

Thu, 06/04/2015 - 10:51
alleyoopster

Hi andreychek,

thanks for helping out

I have just updated the post with my findings from today. It does not seem to be a client problem, but a problem with certain email addresses. In fact only emails from the main domain are getting delivered. See the beginning of post above for logs of the good send and a failed send.

I am using 2 emails, one from the main domain kusikiliza.com and one from deepsi.de. Deepsi.de is failing to send. I have just noticed that it can send to local email addresses such as to mail@kusikiliza.com, but fails to deliver anything externally. So that looks like the problem now.

Thunderbird is now connecting and able to authenticate with both test emails. I see the same problem when sending from usermin

Dan

Thu, 06/04/2015 - 11:01
andreychek

Howdy,

In the example that failed, the logs indicate that it did go out, and Gmail labeled the status as "sent".

Is it possible that the email ended up in a spam folder at Gmail?

-Eric

Thu, 06/04/2015 - 12:14 (Reply to #4)
alleyoopster

It is true that I have some now going into spam, but sometimes nothing.

I tried it from another domain desertpursuit.com and it did not go to spam and it was not received. Here is the log from that one (this was using usermin)

Jun  4 18:52:17 stratus postfix/smtpd[13924]: connect from localhost[127.0.0.1]
Jun  4 18:52:17 stratus postfix/smtpd[13924]: 76F7FA0C80: client=localhost[127.0.0.1]
Jun  4 18:52:17 stratus postfix/cleanup[13928]: 76F7FA0C80: message-id=<1433436737.13919@desertpursuit.com>
Jun  4 18:52:17 stratus postfix/qmgr[13905]: 76F7FA0C80: from=<jules@desertpursuit.com>, size=662, nrcpt=1 (queue active)
Jun  4 18:52:17 stratus postfix/smtpd[13924]: disconnect from localhost[127.0.0.1]
Jun  4 18:52:18 stratus postfix/smtp[13929]: 76F7FA0C80: to=<alleyoopster@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.78.26]:25, delay=0.83, delays=0.05/0.02/0.14/0.61, dsn=2.0.0, status=sent (250 2.0.0 OK 1433436738 d3si8286617wjr.121 - gsmtp)
Jun  4 18:52:18 stratus postfix/qmgr[13905]: 76F7FA0C80: removed

I doubt it is related, but I am also not able to use port 465 SSL for SMTP

EDIT: They just showed up in spam in one account, but disappeared in some other 3 accounts

Is there something I can do about the messages going into spam? Is there a reason some accounts gmail or other get nothing?

Thu, 06/04/2015 - 13:36
Diabolico

From the log I can see you are not using DKIM... To make it clear: with gmail/hotmail/outlook (and many others) you must have 3 things enabled: DKIM, SPF and rDNS. If your emails are missing one of these three records, the chance your emails will end up in the spam folder or be automatically deleted is really, really high.

For port 465 it is easy to check: use telnet and try to connect. If you can't, that means the firewall is blocking, the service is not listening, etc... If you can, then the problem must be with your settings in the mail server.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Thu, 06/04/2015 - 14:45
alleyoopster

Thanks for that, that was a big help.

For some reason 465 was not open in the default firewall, so I added it and that is working now.

I now have installed DKIM and rDNS seems to be working now.

Just trying to work out SPF

Thu, 06/04/2015 - 17:11
Diabolico

This should work:

yourdomain.com. IN TXT "v=spf1 a mx a:hostname.yourdomain.com mx:yourdomain.com ip4:111.111.111.111 ~all"
yourdomain.com. IN SPF "v=spf1 a mx a:hostname.yourdomain.com mx:yourdomain.com ip4:111.111.111.111 ~all"

If you have IPv6 then add after IPv4 - "ip6:your-IPv6-address". Personally I have set it to "-all", but this is only if you are really sure what you are doing; if not, leave it as it is.

This is an example for when you are hosting your own mail server; in case you are using an external service such as GoogleApps, then you must change/add info from that service.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
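
Added example (not part of the thread, and not code from any poster): a small offline SPF evaluator showing how a receiver walks the record posted above and where `~all` and `-all` differ. The function name `check_spf`, the `FAKE_DNS` table that stands in for real A/MX lookups, and the test IP `203.0.113.7` are assumptions; only `a`, `mx`, `ip4`, `ip6` and `all` are handled.

```python
import ipaddress

# SPF record from the post above, placeholders left as posted.
PAGE_SPF = ("v=spf1 a mx a:hostname.yourdomain.com mx:yourdomain.com "
            "ip4:111.111.111.111 ~all")

# Constructed stand-in for DNS: (mechanism, name) -> addresses the lookup
# would finally yield. A real validator resolves these at check time.
FAKE_DNS = {
    ("a", "yourdomain.com"): ["111.111.111.111"],
    ("mx", "yourdomain.com"): ["111.111.111.111"],
    ("a", "hostname.yourdomain.com"): ["111.111.111.111"],
}

# Qualifier prefix -> SPF result when the mechanism matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip, domain, dns):
    """Evaluate `record` for a connection from `client_ip` sending as `domain`.

    Mechanisms are tried left to right; the first one that matches decides
    the result through its qualifier. Returns one of: none, pass, fail,
    softfail, neutral.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        if "=" in term:
            # Modifiers (redirect=, exp=) are outside this example's scope.
            raise NotImplementedError(term)
        qualifier = "+"  # default qualifier when none is written
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name in ("a", "mx"):
            # Bare "a"/"mx" refer to the sending domain itself.
            hosts = dns.get((name, (arg or domain).lower()), [])
            matched = any(ipaddress.ip_address(h) == ip for h in hosts)
        else:
            # include, exists, ptr and CIDR suffixes are not handled here.
            raise NotImplementedError(name)

        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no "all" present


if __name__ == "__main__":
    for ip in ("111.111.111.111", "203.0.113.7"):
        soft = check_spf(PAGE_SPF, ip, "yourdomain.com", FAKE_DNS)
        hard = check_spf(PAGE_SPF.replace("~all", "-all"), ip,
                         "yourdomain.com", FAKE_DNS)
        print(f"{ip}: ~all -> {soft}, -all -> {hard}")
```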

Thu, 06/04/2015 - 17:41
Diabolico

DMARC - this is optional but I would suggest you use it. IMPORTANT: use it only once you have sorted out your SPF and DKIM records, and I would suggest in this case to set SPF to "-all".

_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:postmaster@yourdomain.com; ruf=mailto:postmaster@yourdomain.com; rf=afrf; pct=100; ri=86400"

Explanation:
p=reject - domain policy - telling the ISP what to do with emails that fail SPF & DKIM records

sp=reject - subdomain policy - same as for domain but for your subdomain

adkim=s; & aspf=s; - remove for the first 2-3 days and once you see everything works put it back

rua & ruf - email where you want to receive the reports;
some ISPs do not honor both options but usually they are fine with rua;
keep both and leave it to the ISP to decide which option it will use

ri=86400 - reporting interval for 24 hours; no need to put shorter

More details here: http://www.zytrax.com/books/dns/ch9/dmarc.html but you will be fine with the example I posted here.

EDIT: Forgot to say, once you implement DMARC you will start receiving emails from gmail and others with statistics, usually as an attachment (once per day). Just telling you now, otherwise you could start to wonder where and why these emails are coming into your inbox.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
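
Added example (not part of the thread, and not code from any poster): how a receiver applies the DMARC record posted above, following the RFC 7489 rule that a message passes when either an aligned DKIM signature or an aligned SPF result passes. The names `parse_dmarc`, `aligned` and `evaluate` are assumptions, `pct` is ignored, and `org_domain` is a deliberate shortcut (last two labels) where real validators consult the Public Suffix List.

```python
# DMARC record from the post above, placeholders left as posted.
PAGE_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
               "rua=mailto:postmaster@yourdomain.com; "
               "ruf=mailto:postmaster@yourdomain.com; "
               "rf=afrf; pct=100; ri=86400")


def parse_dmarc(txt):
    """Split a DMARC TXT value into tags and fill in the protocol defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, and p= is mandatory.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # alignment defaults to relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # SIMPLIFICATION (assumption): last two labels. Wrong for suffixes such
    # as co.za; production code uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ("s") needs an exact match; relaxed ("r") the same org domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def evaluate(record_txt, record_domain, from_domain, dkim_pass=(), spf_pass=None):
    """Return "pass" or the policy (none/quarantine/reject) the receiver applies.

    record_domain: domain the _dmarc record is published under.
    from_domain:   domain of the visible From: header.
    dkim_pass:     d= domains of signatures that verified successfully.
    spf_pass:      envelope-sender domain if SPF returned pass, else None.
    """
    tags = parse_dmarc(record_txt)
    dkim_ok = any(aligned(from_domain, d, tags["adkim"]) for d in dkim_pass)
    spf_ok = spf_pass is not None and aligned(from_domain, spf_pass, tags["aspf"])
    if dkim_ok or spf_ok:
        return "pass"
    is_subdomain = (from_domain.lower().rstrip(".")
                    != record_domain.lower().rstrip("."))
    return tags["sp"] if is_subdomain else tags["p"]


if __name__ == "__main__":
    relaxed = PAGE_RECORD.replace("adkim=s; aspf=s; ", "")
    cases = [
        ("strict, d= matches From", PAGE_RECORD, ["yourdomain.com"], None),
        ("strict, d= is a subdomain", PAGE_RECORD, ["mail.yourdomain.com"], None),
        ("relaxed, d= is a subdomain", relaxed, ["mail.yourdomain.com"], None),
        ("strict, DKIM broken, SPF aligned", PAGE_RECORD, [], "yourdomain.com"),
        ("strict, nothing passes", PAGE_RECORD, [], None),
    ]
    for label, rec, dkim, spf in cases:
        print(label, "->",
              evaluate(rec, "yourdomain.com", "yourdomain.com", dkim, spf))
```

With `p=reject`, the "nothing passes" case is exactly the situation in which receivers are told to discard the mail, which is why the record is only safe once signing and SPF are known to work.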

Fri, 06/05/2015 - 02:05
alleyoopster

Hey, thanks for all that information. I have gone through and set that up.

Working on one domain I have rDNS, SPF, DKIM and DMARC active now. I have done some tests with http://dkimvalidator.com/ and http://mail-tester.com and they give positive results.

The former reported:

SpamAssassin Score: 0.11
Message is NOT marked as spam
Points breakdown:
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

What I find on http://mxtoolbox.com was: blacklist desertpursuit.com Blacklisted by SEM FRESH

This looks like new domains are blacklisted and maybe the problem. I am going to try the other domains and see if I get better luck.

Can I do anything about the DKIM not necessarily valid and sig header not valid?

Fri, 06/05/2015 - 02:47
Diabolico

Try to log into Usermin and send one email. Then check the mail log and you should see that DKIM signed that email, e.g. one line should say " ... DKIM-Signature field added (s=mail, d=yourdomain.com)". If you are missing this line that means DKIM is not working properly.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
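
Added example (not part of the thread, and not code from any poster): the log check described above, automated. It groups Postfix and OpenDKIM syslog lines by queue ID and reports, for every message handed to a remote server, whether a "DKIM-Signature field added" line exists for it. The log lines in `SAMPLE_LOG` are constructed in the format seen in this thread, the function name `audit_dkim` is an assumption, and the sender domain is taken from the envelope `from=` in the log, which only approximates the From: header that DKIM alignment actually uses.

```python
import re

# "Jun  9 09:02:31 host prog[pid]: QUEUEID: message"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(?P<prog>[\w/.-]+)\[\d+\]:\s"
    r"(?P<qid>[0-9A-F]{6,}):\s(?P<msg>.*)$"
)
FROM_RE = re.compile(r"^from=<[^@>]*@(?P<domain>[^>]+)>")
SIGN_RE = re.compile(
    r"DKIM-Signature field added \(s=(?P<s>[^,]+), d=(?P<d>[^)]+)\)")
DELIVERY_RE = re.compile(r"^to=<[^>]+>,.*\bstatus=(?P<status>\w+)")

# Constructed sample: one signed message, one unsigned, one local delivery,
# and one signed with a d= that differs from the sender domain.
SAMPLE_LOG = """\
Jun  9 09:02:31 mx1 opendkim[18306]: A1B2C3D4E5: DKIM-Signature field added (s=default, d=example.org)
Jun  9 09:02:31 mx1 postfix/qmgr[21402]: A1B2C3D4E5: from=<test@example.org>, size=590, nrcpt=1 (queue active)
Jun  9 09:02:33 mx1 postfix/smtp[14972]: A1B2C3D4E5: to=<rcpt@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=2.5, dsn=2.0.0, status=sent (250 ok)
Jun  9 09:02:33 mx1 postfix/qmgr[21402]: A1B2C3D4E5: removed
Jun  9 09:05:19 mx1 postfix/smtpd[16182]: connect from localhost[127.0.0.1]
Jun  9 09:05:19 mx1 postfix/qmgr[21402]: B2C3D4E5F6: from=<jules@example.com>, size=700, nrcpt=1 (queue active)
Jun  9 09:05:20 mx1 postfix/smtp[16186]: B2C3D4E5F6: to=<rcpt@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, dsn=2.0.0, status=sent (250 ok)
Jun  9 09:06:12 mx1 postfix/qmgr[21402]: C3D4E5F607: from=<dan@example.org>, size=590, nrcpt=1 (queue active)
Jun  9 09:06:12 mx1 postfix/local[10545]: C3D4E5F607: to=<dan@example.org>, orig_to=<dan@example.org>, relay=local, delay=3.5, dsn=2.0.0, status=sent (delivered to command)
Jun  9 09:07:01 mx1 opendkim[18306]: D4E5F60718: DKIM-Signature field added (s=default, d=example.org)
Jun  9 09:07:01 mx1 postfix/qmgr[21402]: D4E5F60718: from=<jules@example.com>, size=608, nrcpt=1 (queue active)
Jun  9 09:07:02 mx1 postfix/smtp[27664]: D4E5F60718: to=<rcpt@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.3, dsn=2.0.0, status=sent (250 ok)
"""


def audit_dkim(lines):
    """Map queue ID -> "signed" | "unsigned" | "signed-other-domain".

    Only messages delivered by the postfix/smtp client (remote delivery)
    are reported; local deliveries never need a signature.
    """
    messages = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect/warning lines carry no queue ID
        rec = messages.setdefault(
            m["qid"], {"from_domain": None, "signature": None, "remote": False})
        prog, msg = m["prog"], m["msg"]
        if prog == "opendkim":
            sig = SIGN_RE.search(msg)
            if sig:
                rec["signature"] = (sig["s"], sig["d"].lower())
        elif prog.endswith("/qmgr"):
            sender = FROM_RE.match(msg)
            if sender:
                rec["from_domain"] = sender["domain"].lower()
        elif prog.endswith("/smtp"):  # outbound client, not smtpd
            delivery = DELIVERY_RE.match(msg)
            if delivery and delivery["status"] == "sent":
                rec["remote"] = True

    report = {}
    for qid, rec in messages.items():
        if not rec["remote"]:
            continue
        if rec["signature"] is None:
            report[qid] = "unsigned"
        elif rec["signature"][1] != rec["from_domain"]:
            report[qid] = "signed-other-domain"
        else:
            report[qid] = "signed"
    return report


if __name__ == "__main__":
    for qid, verdict in audit_dkim(SAMPLE_LOG.splitlines()).items():
        print(qid, verdict)
```

To run it against a real log, pass the lines of the mail log file to `audit_dkim` instead of `SAMPLE_LOG`; success lines only appear when OpenDKIM logs successful signing.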

Fri, 06/05/2015 - 08:51
alleyoopster

Jun  5 09:58:19 stratus postfix/smtpd[16182]: connect from localhost[127.0.0.1]
Jun  5 09:58:19 stratus postfix/smtpd[16182]: AF278A3C15: client=localhost[127.0.0.1]
Jun  5 09:58:19 stratus postfix/cleanup[16185]: AF278A3C15: message-id=<1433491099.16177@desertpursuit.com>
Jun  5 09:58:19 stratus postfix/smtpd[16182]: disconnect from localhost[127.0.0.1]
Jun  5 09:58:19 stratus postfix/qmgr[22609]: AF278A3C15: from=<jules@desertpursuit.com>, size=700, nrcpt=1 (queue active)
Jun  5 09:58:20 stratus postfix/smtp[16186]: AF278A3C15: to=<alleyoopster@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.71.27]:25, delay=1.2, delays=0.1/0.02/0.46/0.62, dsn=2.0.0, status=sent (250 2.0.0 OK 1433491100 o6si2735274wiy.112 - gsmtp)
Jun  5 09:58:20 stratus postfix/qmgr[22609]: AF278A3C15: removed

Looks like it's not working

Same thing on another domain that I have set DNS records manually externally

Jun  5 15:16:27 stratus postfix/smtps/smtpd[27659]: connect from unknown[197.83.247.60]
Jun  5 15:16:28 stratus postfix/smtps/smtpd[27659]: 5BF6FA3BA1: client=unknown[197.83.247.60], sasl_method=PLAIN, sasl_username=jules
Jun  5 15:16:28 stratus postfix/cleanup[27663]: 5BF6FA3BA1: message-id=<5571A12B.6010009@deepsi.de>
Jun  5 15:16:28 stratus postfix/qmgr[22609]: 5BF6FA3BA1: from=<jules@deepsi.de>, size=608, nrcpt=1 (queue active)
Jun  5 15:16:28 stratus postfix/smtp[27664]: connect to gmail-smtp-in.l.google.com[2a00:1450:400c:c02::1b]:25: Network is unreachable
Jun  5 15:16:29 stratus postfix/smtps/smtpd[27659]: disconnect from unknown[197.83.247.60]
Jun  5 15:16:29 stratus postfix/smtp[27664]: 5BF6FA3BA1: to=<alleyoopster@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.71.26]:25, delay=1.3, delays=0.56/0.01/0.15/0.59, dsn=2.0.0, status=sent (250 2.0.0 OK 1433510189 fm3si4068557wic.41 - gsmtp)
Jun  5 15:16:29 stratus postfix/qmgr[22609]: 5BF6FA3BA1: removed

And this in the receiving email header dkim=temperror (no key for signature) header.i=@deepsi.de

The correct DNS entry is in place that is copied from the DomainKey option page.

Is there a problem in the way Virtualmin sets up DKIM or have I missed something?

Fri, 06/05/2015 - 15:00
Diabolico

What I know is that DKIM works out of the box if you install it through Virtualmin, but I didn't like how the options/settings are handled so I went and set up everything manually. I think the problem could be Postfix not allowing DKIM to sign outgoing emails, but there are so many other things that could be wrong.

Check this forum, there were one or two topics in the last 2 weeks (more or less) where I helped people with a similar problem. You could follow the same advice I gave them and see if it works. But before anything, check this link http://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum... and see if you did all the necessary steps to set up everything.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Mon, 06/08/2015 - 05:53
alleyoopster

Thanks for advice and links. After some fiddling this weekend I got my main domain working. I didn't have luck (probably me rather than the link) with the link you gave. Found this worked better https://tipstricks.itmatrix.eu/installing-opendkim-in-debian-squeeze/ as it was for Debian.

(EDIT: Got it working with http://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum... now also)

So now I am getting validated through the likes of port25 and seeing passed in the gmail headers when it arrives. Mail log is showing message validation.

I found as soon as I enabled DKIM within Virtualmin, it broke the signing. Putting in a custom key seems to fix this for one of the domains, but I noticed that Virtualmin, while respecting some of the settings in opendkim.conf, other settings and where it places keys are unique to Virtualmin. Trying to troubleshoot then gets much more complicated and I have no control over Virtualmin's changes.

What I want to do now is use Virtualmin to add the other domains. Is this possible or will I have to always add them manually? It seems that maybe Virtualmin DKIM is broken (at least on Debian 8) my install of Virtualmin was a virgin install and it didn't work out of the box, so I am wondering if there is a bug here?

Mon, 06/08/2015 - 06:16
Diabolico

Go fully manual, as Virtualmin is horrendous with DKIM settings; it's like it is missing more than 50% (and I'm being generous here) of all the options you could have or set inside DKIM. Check inside opendkim.conf for "Mode sv", "Syslog yes" and "SyslogSuccess yes". If missing, add these values. This should sort out why you don't see DKIM in the mail logs.

Now, if you can send email from the other domain but without DKIM, that means you missed something in the DKIM settings/keys; if you can't send email at all, then you should check Postfix.

Either way I would avoid any script to add domains and just set everything manually. Not sure what is specific to Debian in the link you posted, but the one I gave you has a much better explanation of what to do. You can always take that one and just use Debian-specific commands, as everything else is pretty much the same.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Mon, 06/08/2015 - 10:24
alleyoopster

Thanks Diabolico. Looks like our posts crossed, as I had just edited my post to say that I got the stevejenkins post to work. You're right, it is a better post and I must have missed something last time I went through it.

I am curious to know why you wouldn't use a script. For me it minimised the risk of error, simplifies the process and it is a lot faster. In fact I think the original mistake I made was with the manual addition of a domain name.

So, I now have DKIM working on all domains, but I am still losing email going to some providers. It fails going to iCloud and yahoo, but gmail seems a little happier with one of the domains. Not sure what else I can do.

With regards to Virtualmin, I think that email is a big part of the setup and most people, if not all people would want DKIM and I think it's worth filing a bug for it not working with Debian 8 (I haven't tried others yet)

Mon, 06/08/2015 - 16:47
Diabolico

Scripts are OK when fully tested and you have a huge number of operations that they could cut down/minimize, but if not tested, even if it works on the same OS, that doesn't mean it will work for you. For example, the last time I trusted Wmin to change one single thing in the Postfix settings, it just blew several hours of fine tuning up in my face; no need to say how angry I was. I'm sure for 99% of people it worked perfectly, but not for me; luckily I had a backup.

If you edited your opendkim.conf as I said, you should now see in the mail log whether your emails get signed by DKIM or not. You can always post your opendkim.conf here so someone can check if everything is OK. Aside from DKIM, you didn't say why your emails are failing with some providers; again, check your logs, they should give the reason, or check the email header once the email is delivered and see what is wrong.

Last but not least, I told you not to use DMARC and "-all" (but "~all") in SPF if you didn't set everything up. The DNS records I gave you are really strict/tight, and if any problem is present, emails will get deleted/marked as spam by most ISPs/mail servers because you actually instructed them to do so. Great for preventing email abuse, but bad if you have any problem with your mail server.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Tue, 06/09/2015 - 03:26
alleyoopster

I can understand the frustration with using scripts and GUIs to alter configs. They're a bit of a double-edged sword: so good for some things, but can be the cause of aggro for others. Glad you had a backup!

Here are the relevant logs and config files starting with

opendkim.conf

## CONFIGURATION OPTIONS

# Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid

# Selects operating modes. Valid modes are s (signer) and v (verifier). Default is v.
Mode    sv

# Log activity to the system log.
Syslog  yes

# Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes

# If logging is enabled, include detailed logging about why or why not a message was
# signed or verified. This causes a large increase in the amount of log data generated
# for each message, so it should be limited to debugging use only.
LogWhy yes

# Attempt to become the specified user before starting operations.
UserID  opendkim:opendkim

# Create a socket through which your MTA can communicate.
Socket  inet:8891@127.0.0.1

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
Umask   002
                                                                                                                                     
# This specifies a file in which to store DKIM transaction statistics.
#Statistics              /var/spool/opendkim/stats.dat

## SIGNING OPTIONS

# Selects the canonicalization method(s) to be used when signing messages.
Canonicalization        relaxed/simple

# Domain(s) whose mail should be signed by this filter. Mail from other domains will
# be verified rather than being signed. Uncomment and use your domain name.
# This parameter is not required if a SigningTable is in use.
#Domain                  example.com

# Defines the name of the selector to be used when signing messages.
Selector                default

# Gives the location of a private key to be used for signing ALL messages.
#KeyFile                 /etc/opendkim/keys/default.private

# Gives the location of a file mapping key names to signing keys. In simple terms,
# this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
# setting in the configuration file.
#KeyTable                 refile:/etc/opendkim/KeyTable
Keytable                /etc/opendkim/KeyTable

# Defines a table used to select one or more signatures to apply to a message based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM how to use your keys.
#SigningTable                 refile:/etc/opendkim/SigningTable
SigningTable            /etc/opendkim/SigningTable

# Identifies a set of "external" hosts that may send mail through the server as one
# of the signing domains without credentials as such.
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts

# Identifies a set internal hosts whose mail should be signed rather than verified.
InternalHosts           refile:/etc/opendkim/TrustedHosts

KeyTable

default._domainkey.kusikiliza.com kusikiliza.com:default:/etc/opendkim/keys/kusikiliza.com/default.private
default._domainkey.desertpursuit.com desertpursuit.com:default:/etc/opendkim/keys/desertpursuit.com/default.private
default._domainkey.deepsi.de deepsi.de:default:/etc/opendkim/keys/deepsi.de/default.private

SigningTable

kusikiliza.com default._domainkey.kusikiliza.com
desertpursuit.com default._domainkey.desertpursuit.com
deepsi.de default._domainkey.deepsi.de

TrustedHosts (pretty sure I don't need the last 2 entries, perhaps someone can confirm)

127.0.0.1
localhost
stratus.kusikiliza.com
46.101.47.11
desertpursuit.com
deepsi.de

ls keys - has default.private and default.txt for deepsi.de desertpursuit.com kusikiliza.com

Sending to yahoo from deepsi.de

Jun  9 09:02:30 stratus postfix/smtps/smtpd[14967]: warning: hostname 197-83-247-60.dbn.mweb.co.za does not resolve to address 197.83.247.60: Name or service not known
Jun  9 09:02:30 stratus postfix/smtps/smtpd[14967]: connect from unknown[197.83.247.60]
Jun  9 09:02:31 stratus postfix/smtps/smtpd[14967]: 3E31CA1156: client=unknown[197.83.247.60], sasl_method=PLAIN, sasl_username=test
Jun  9 09:02:31 stratus postfix/cleanup[14971]: 3E31CA1156: message-id=<55768F86.6010809@deepsi.de>
Jun  9 09:02:31 stratus opendkim[18306]: 3E31CA1156: DKIM-Signature field added (s=default, d=deepsi.de)
Jun  9 09:02:31 stratus postfix/qmgr[21402]: 3E31CA1156: from=<test@deepsi.de>, size=590, nrcpt=1 (queue active)
Jun  9 09:02:31 stratus postfix/smtps/smtpd[14967]: disconnect from unknown[197.83.247.60]
Jun  9 09:02:33 stratus postfix/smtp[14972]: 3E31CA1156: to=<alleyoopster@ymail.com>, relay=mta5.am0.yahoodns.net[66.196.118.34]:25, delay=2.5, delays=0.52/0.01/0.42/1.5, dsn=2.0.0, status=sent (250 ok dirdel)
Jun  9 09:02:33 stratus postfix/qmgr[21402]: 3E31CA1156: removed

dig deepsi.de TXT

; <<>> DiG 9.9.5-9-Debian <<>> deepsi.de TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49209
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 8

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;deepsi.de.                     IN      TXT

;; ANSWER SECTION:
deepsi.de.              3600    IN      TXT     "v=spf1 a mx a:deepsi.de ip4:46.101.47.11 ip4:46.101.47.11 ~all"

;; AUTHORITY SECTION:
deepsi.de.              2795    IN      NS      ns-usa.topdns.com.
deepsi.de.              2795    IN      NS      ns-canada.topdns.com.
deepsi.de.              2795    IN      NS      ns-uk.topdns.com.

;; ADDITIONAL SECTION:
ns-uk.topdns.com.       2795    IN      A       108.61.150.91
ns-uk.topdns.com.       2795    IN      A       77.247.183.137
ns-uk.topdns.com.       93415   IN      AAAA    2001:19f0:200:3e75:225:90ff:fed4:c41c
ns-usa.topdns.com.      2795    IN      A       85.159.232.241
ns-usa.topdns.com.      2795    IN      A       108.61.12.163
ns-usa.topdns.com.      2795    IN      A       208.64.126.195
ns-canada.topdns.com.   2795    IN      A       109.201.142.225

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 09 09:06:45 SAST 2015
;; MSG SIZE  rcvd: 312

Header at Yahoo (in spam)

From test Tue Jun  9 07:02:30 2015
X-Apparently-To: alleyoopster@ymail.com; Tue, 09 Jun 2015 07:02:33 +0000
Return-Path: <test@deepsi.de>
X-YahooFilteredBulk: 46.101.47.11
Received-SPF: pass (domain of deepsi.de designates 46.101.47.11 as permitted sender)
X-Originating-IP: [46.101.47.11]
Authentication-Results: mta1135.mail.bf1.yahoo.com  from=deepsi.de; domainkeys=neutral (no sig);  from=deepsi.de; dkim=pass (ok)
Received: from 127.0.0.1  (EHLO stratus.kusikiliza.com) (46.101.47.11)
  by mta1135.mail.bf1.yahoo.com with SMTP; Tue, 09 Jun 2015 07:02:32 +0000
Received: from [192.168.0.200] (unknown [197.83.247.60])
by stratus.kusikiliza.com (Postfix) with ESMTPSA id 3E31CA1156
for <alleyoopster@ymail.com>; Tue,  9 Jun 2015 09:02:31 +0200 (SAST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=deepsi.de; s=default;
t=1433833351; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
h=Date:From:To:Subject;
b=iwjteqrfP8weckc6iWLzBDP9BrvZoi4Z8dA28TSng8Bu4x7mOJXaOqloFf8iIsSgm
Ayi1iSAbLWHI0IIx3O3NREYGE1XOMM6UY8Erdgiy6hWHTSEQnpo3z3Ek5J/9fJvbkL
I8sIbq2k1xTE7SjBiBoI7r8hhKeohkDQD58NP6Tg=
Message-ID: <55768F86.6010809@deepsi.de>
Date: Tue, 09 Jun 2015 09:02:30 +0200
From: test <test@deepsi.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: alleyoopster@ymail.com
Subject: test
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Length: 5

Header at Google (not marked as spam on my account, but is on others)

Delivered-To: alleyoopster@gmail.com
Received: by 10.79.14.73 with SMTP id 70csp2098560ivo;
        Tue, 9 Jun 2015 00:09:52 -0700 (PDT)
X-Received: by 10.194.201.71 with SMTP id jy7mr38599658wjc.93.1433833792238;
        Tue, 09 Jun 2015 00:09:52 -0700 (PDT)
Return-Path: <test@deepsi.de>
Received: from stratus.kusikiliza.com (stratus.kusikiliza.com. [46.101.47.11])
        by mx.google.com with ESMTP id m6si1586778wif.81.2015.06.09.00.09.51
        for <alleyoopster@gmail.com>;
        Tue, 09 Jun 2015 00:09:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of test@deepsi.de designates 46.101.47.11 as permitted sender) client-ip=46.101.47.11;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of test@deepsi.de designates 46.101.47.11 as permitted sender) smtp.mail=test@deepsi.de;
       dkim=pass header.i=@deepsi.de
Received: from [192.168.0.200] (unknown [197.83.247.60])
by stratus.kusikiliza.com (Postfix) with ESMTPSA id 58930A05BE
for <alleyoopster@gmail.com>; Tue,  9 Jun 2015 09:09:49 +0200 (SAST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=deepsi.de; s=default;
t=1433833790; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
h=Date:From:To:Subject;
b=mKODgCGuKjO94TUXXp+4/ppxEgCv4aHFs4dLgG3QID02SCQ1Mm4q+JNMVyXeWruUj
lI2P1jIBfFDcUzOX3qsbPMjRn+B8eryHv76+kh/eASSRLS8y2pyzZk4ky72XTWIyPJ
vksXhxMOXYjT11JKt+pWvdRVhRIz5FYcyJjaOQdg=
Message-ID: <5576913C.4010909@deepsi.de>
Date: Tue, 09 Jun 2015 09:09:48 +0200
From: test <test@deepsi.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Daniel Phillips <alleyoopster@gmail.com>
Subject: test
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Finally a mail from desertpursuit goes to spam everywhere.

I am getting good marks on the spam testers and do not seem to be on any notable IP or domain blacklists.

Tue, 06/09/2015 - 05:00
Diabolico

Signing table should be like this:

*@kusikiliza.com default._domainkey.kusikiliza.com
*@desertpursuit.com default._domainkey.desertpursuit.com
*@deepsi.de default._domainkey.deepsi.de

as you are using "refile" instead of "file".

Trusted host:

127.0.0.1
host.yourdomain.com
yourdomain1.com
yourdomain2.com
yourdomain3.com
IP1
IP2
IP3
.....

Check your DNS records for all domains, including postfix settings. From the logs you posted I don't see anything wrong, but it could be that other domains have problems sending.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
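The two SigningTable styles discussed above (bare domains in a plain file, *@domain patterns with refile:), checked against the KeyTable, as an added example that is not part of the original posts. It assumes the lookup order described in opendkim.conf(5) and anchored wildcard matching for refile; parse_table, select_key and lint are hypothetical helper names.

```python
import re

# Tables as posted in this thread (two of the three domains, to keep the sample short).
KEYTABLE = """\
default._domainkey.kusikiliza.com kusikiliza.com:default:/etc/opendkim/keys/kusikiliza.com/default.private
default._domainkey.deepsi.de deepsi.de:default:/etc/opendkim/keys/deepsi.de/default.private
"""
SIGNING_PLAIN = """\
kusikiliza.com default._domainkey.kusikiliza.com
deepsi.de default._domainkey.deepsi.de
"""
SIGNING_WILDCARD = """\
*@kusikiliza.com default._domainkey.kusikiliza.com
*@deepsi.de default._domainkey.deepsi.de
"""

def parse_table(text):
    """Return [(key, value)] for each non-blank, non-comment line."""
    rows = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            rows.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return rows

def flat_candidates(addr):
    """Keys tried, in order, for a non-refile SigningTable (assumed from opendkim.conf(5))."""
    user, host = addr.lower().rsplit("@", 1)
    labels = host.split(".")
    supers = ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return ([addr.lower(), host] + [user + "@" + s for s in supers]
            + supers + [user + "@*", "*"])

def select_key(addr, signing_rows, dataset_type):
    """Return the KeyTable name chosen for a From: address, or None if unsigned."""
    if dataset_type == "refile":
        # Patterns are tried in file order against the whole address (assumption: anchored).
        for pattern, keyname in signing_rows:
            regex = re.escape(pattern.lower()).replace(r"\*", ".*")
            if re.fullmatch(regex, addr.lower()):
                return keyname
        return None
    table = {key.lower(): keyname for key, keyname in signing_rows}
    for candidate in flat_candidates(addr):
        if candidate in table:
            return table[candidate]
    return None

def lint(keytable_text, signing_text, dataset_type):
    """Return a list of problems for this combination of tables and dataset type."""
    keys = {}
    for name, value in parse_table(keytable_text):
        domain, _selector, _path = value.split(":", 2)
        keys[name] = domain
    signing_rows = parse_table(signing_text)
    problems = []
    for _pattern, keyname in signing_rows:
        if keyname not in keys:
            problems.append(f"SigningTable names unknown key {keyname}")
    for name, domain in keys.items():
        probe = "user@" + domain  # constructed test sender, not a real mailbox
        if select_key(probe, signing_rows, dataset_type) != name:
            problems.append(f"{probe} would not be signed with {name} ({dataset_type})")
    return problems
```

Bare-domain entries pass with a plain file and wildcard entries pass with refile; the two mixed combinations report every domain as unsigned.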

Tue, 06/09/2015 - 05:08
alleyoopster

Hi,

thanks again for helping.

I am not using refile - I had some problems when I tried it so I reverted back to not using it.

So do the trusted hosts need to include all the domain names that I am sending from, i.e. deepsi.de and desertpursuit.com?

/etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination                                      
myhostname = stratus.kusikiliza.com                                                                                                  
alias_maps = hash:/etc/aliases                                                                                                       
alias_database = hash:/etc/aliases                                                                                                   
myorigin = $mydomain                                                                                                                 
mydestination = $mydomain, localhost.$mydomain, localhost                                                                            
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128                                                                            
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME                                                                
mailbox_size_limit = 0                                                                                                               
recipient_delimiter = +                                                                                                              
virtual_alias_maps = hash:/etc/postfix/virtual                                                                                       
sender_bcc_maps = hash:/etc/postfix/bcc                                                                                              
home_mailbox = Maildir/                                                                                                              
smtpd_sasl_auth_enable = yes                                                                                                         
broken_sasl_auth_clients = yes                                                                                                       
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:10023                                                                                                                             
allow_percent_hack = no                                                                                                              
smtpd_tls_mandatory_protocols = SSLv3, TLSv1                                                                                         
smtpd_tls_mandatory_ciphers = high                                                                                                   
mydomain = kusikiliza.com                                                                                                            
milter_default_action = accept                                                                                                       
milter_protocol = 2                                                                                                                  
smtpd_milters = inet:127.0.0.1:8891                                                                                                  
non_smtpd_milters = inet:127.0.0.1:8891 

The DNS settings I think are good. deepsi.si has a remote nameserver, the others are all on the local server.

zone file for desertpursuit.com

$ttl 38400
@ IN SOA ns1.kusikiliza.com. root.ns1.kusikiliza.com. (
2015060903
10800
3600
604800
38400 )
@ IN NS ns1.kusikiliza.com.
@ IN NS ns2.kusikiliza.com.
desertpursuit.com. IN A 46.101.47.11
www.desertpursuit.com. IN A 46.101.47.11
ftp.desertpursuit.com. IN A 46.101.47.11
m.desertpursuit.com. IN A 46.101.47.11
localhost.desertpursuit.com. IN A 127.0.0.1
mail.desertpursuit.com. IN A 46.101.47.11
desertpursuit.com. IN MX 5 mail.desertpursuit.com.
desertpursuit.com. IN TXT "v=spf1 a mx a:desertpursuit.com mx:desertpursuit.com ip4:46.101.47.11 ~all"
autoconfig.desertpursuit.com. IN A 46.101.47.11
default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; s=email; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjKb2eK4gJjvHu5QoTQ2ECdvpIyIOntdiu50iZVa3ltJOgiI6Rf/qxQPoDichpSyUrF/T07quvFfBtbP8rLlCHpw9h36KtBl0Hb7Y1DFDTH1RyxXqeBfzaKbZbGpJ5yKgqliee1zTuSWEL4r92ychnDaM3xVLmkx0zVn4y9la2gwIDAQAB" )  ; ----- DKIM key default for desertpursuit.com

Tue, 06/09/2015 - 15:30
Diabolico

For main.cf please check the forum; there should be 2 big topics where I helped other people with settings. For DNS, remove "----- DKIM key default for desertpursuit.com" because sometimes it can cause problems and there is really no need to use it anyway. While you play around with DNS you can lower the TTL to 300 sec so you don't need to wait 10h and 40min for changes to take effect.

P.S. Changes in TTL will take effect after the old one expires, e.g. for a TTL of 5 min you must wait for the old TTL to expire; in this case it will be almost 11 hours.


Wed, 06/10/2015 - 04:49
alleyoopster

I have just moved the server to another location in hope that that would stop the spamminess of the emails, but so far no change.

Followed the DNS advice, thanks.

Are there changes I could make to main.cf that would help with this problem? I did some searching for the topics you suggested but did not get anything. Can you be more specific with the topic name or date of the topic? Thanks.

Thu, 06/11/2015 - 06:36
Diabolico

When you say "spamminess", do you mean your emails get marked as spam, you get a lot of spam, or both? As for the topic title, sorry, I can't remember and this forum is a mess; try using Google to search for my name.


Thu, 06/11/2015 - 07:43
alleyoopster

Spamminess meaning emails get marked as spam

In my changing around and setting up on another server and still getting the problem I decided to run up another server at the same location (different IP, but same range) and do a quick test with Mail-in-a-Box.

It was pretty quick to get it working and I sent a test mail to google and yahoo and both were successfully delivered and not marked as spam.

Here are the headers for the message marked as spam from the email server configured with virtualbox

Delivered-To: removed@gmail.com
Received: by 10.229.86.2 with SMTP id q2csp4598591qcl;
        Thu, 11 Jun 2015 01:29:24 -0700 (PDT)
X-Received: by 10.180.73.10 with SMTP id h10mr17168564wiv.3.1434011363681;
        Thu, 11 Jun 2015 01:29:23 -0700 (PDT)
Return-Path: <removed@kusikiliza.com>
Received: from stratus.kusikiliza.com (stratus.kusikiliza.com. [188.226.145.162])
        by mx.google.com with ESMTP id w1si23185351wju.16.2015.06.11.01.29.22
        for <removed@gmail.com>;
        Thu, 11 Jun 2015 01:29:23 -0700 (PDT)
Received-SPF: pass (google.com: domain of removed@kusikiliza.com designates 188.226.145.162 as permitted sender) client-ip=188.226.145.162;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of removed@kusikiliza.com designates 188.226.145.162 as permitted sender) smtp.mail=removed@kusikiliza.com;
       dkim=pass header.i=@kusikiliza.com
Received: from [192.168.0.200] (unknown [197.87.145.202])
by stratus.kusikiliza.com (Postfix) with ESMTPSA id 6C427A0554
for <removed@gmail.com>; Thu, 11 Jun 2015 10:29:21 +0200 (SAST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kusikiliza.com;
s=default; t=1434011362;
bh=dYIangUNfdcPXK94RrQIOlKBMPfrdq+H1k8dWbSxC0k=;
h=Date:From:To:Subject;
b=wUDV1PErtg+w+oohn3zKilKbo9KD8snGlQAQVl6ZwLX8pU/4VS+UqSa7zoloJBrms
9mWgrZl1f/abvMTUc12h06STvfQ+N8omf1qlM4DHH1wFa9XhV7WrZTZ0jCOezX2XOh
N7c4Kh77NguZbgGJ7wpkOrlnCLcil/DBLwCjeQaQ=
Message-ID: <557946DF.60300@kusikiliza.com>
Date: Thu, 11 Jun 2015 10:29:19 +0200
From: removed Phillips <removed@kusikiliza.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0

and here a successfully delivered email not being classified as spam sent from Mail-in-a-Box

Delivered-To: removed@gmail.com
Received: by 10.229.86.2 with SMTP id q2csp4629190qcl;
        Thu, 11 Jun 2015 02:29:35 -0700 (PDT)
X-Received: by 10.194.95.41 with SMTP id dh9mr14967858wjb.55.1434014975417;
        Thu, 11 Jun 2015 02:29:35 -0700 (PDT)
Return-Path: <me@aurorarelaxationholidays.com>
Received: from box.aurorarelaxationholidays.com ([188.226.235.121])
        by mx.google.com with ESMTPS id hq3si863782wib.22.2015.06.11.02.29.34
        for <removed@gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 11 Jun 2015 02:29:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of me@aurorarelaxationholidays.com designates 188.226.235.121 as permitted sender) client-ip=188.226.235.121;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of me@aurorarelaxationholidays.com designates 188.226.235.121 as permitted sender) smtp.mail=me@aurorarelaxationholidays.com;
       dkim=pass header.i=@aurorarelaxationholidays.com;
       dmarc=pass (p=QUARANTINE dis=NONE) header.from=aurorarelaxationholidays.com
Received: from authenticated-user (unknown [127.0.0.1])
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by box.aurorarelaxationholidays.com (Postfix) with ESMTPSA id E267E143339
for <removed@gmail.com>; Thu, 11 Jun 2015 05:29:33 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=aurorarelaxationholidays.com; s=mail; t=1434014973;
bh=znoxKe+g0YpDbYzC5kfOPxk5YIpOxiNhRRNDoORgfHc=;
h=Date:From:To:Subject:From;
b=xio3Vr1dcHJGAZYLEsXwPCxZEa59OcgppfsZrO9bBNZsksOUsTOW/E88E/OdhiQAy
HltB2HcQYWFP2eYaCGSVNfvu8hYbd4HRAcVdDg1UjMSDZNy6YKdpUo7Huq/bfdOaa5
hOq0+fQp1351msbzIOWa6jQNTaEyYCXVNKEM3yLE=
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
format=flowed
Content-Transfer-Encoding: 7bit

The clear differences are dmarc and "Received: from authenticated-user"

UPDATE: As I write this post I have been testing sending emails and I seem to be getting some success with delivery now, but only with Usermin. What seems to fail is sending through Thunderbird.
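The header comparison made in the post above, done mechanically, as an added example that is not part of the original post. It reads the Authentication-Results verdicts and the protocol keyword of the topmost Received header from excerpts of the two Gmail header sets quoted above; auth_verdicts, inbound_transport and compare are hypothetical helper names.

```python
import re
from email import message_from_string

# Excerpts of the two Gmail header sets posted above (only the fields compared here).
VIRTUALMIN_MSG = """\
Received: from stratus.kusikiliza.com (stratus.kusikiliza.com. [188.226.145.162])
        by mx.google.com with ESMTP id w1si23185351wju.16.2015.06.11.01.29.22
        for <removed@gmail.com>;
        Thu, 11 Jun 2015 01:29:23 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of removed@kusikiliza.com designates 188.226.145.162 as permitted sender) smtp.mail=removed@kusikiliza.com;
       dkim=pass header.i=@kusikiliza.com
"""
MAILINABOX_MSG = """\
Received: from box.aurorarelaxationholidays.com ([188.226.235.121])
        by mx.google.com with ESMTPS id hq3si863782wib.22.2015.06.11.02.29.34
        for <removed@gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 11 Jun 2015 02:29:34 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of me@aurorarelaxationholidays.com designates 188.226.235.121 as permitted sender) smtp.mail=me@aurorarelaxationholidays.com;
       dkim=pass header.i=@aurorarelaxationholidays.com;
       dmarc=pass (p=QUARANTINE dis=NONE) header.from=aurorarelaxationholidays.com
"""

def auth_verdicts(raw):
    """Map each method in Authentication-Results (spf, dkim, dmarc, ...) to its result."""
    msg = message_from_string(raw)
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        # Unfold the header, then drop parenthesised comments before splitting.
        value = re.sub(r"\([^()]*\)", "", " ".join(value.split()))
        for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
            m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
            if m:
                verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts

def inbound_transport(raw):
    """Protocol keyword (ESMTP, ESMTPS, ...) recorded by the topmost Received header."""
    received = message_from_string(raw).get_all("Received", [])
    if not received:
        return "absent"
    m = re.search(r"\bwith\s+(\S+)", " ".join(received[0].split()))
    return m.group(1) if m else "absent"

def compare(raw_a, raw_b):
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    a, b = auth_verdicts(raw_a), auth_verdicts(raw_b)
    a["inbound-transport"] = inbound_transport(raw_a)
    b["inbound-transport"] = inbound_transport(raw_b)
    return {k: (a.get(k, "absent"), b.get(k, "absent"))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
```

On these excerpts, compare(VIRTUALMIN_MSG, MAILINABOX_MSG) reports a dmarc verdict only on the Mail-in-a-Box message and ESMTP versus ESMTPS on the hop into mx.google.com; spf and dkim pass on both.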