By: zenlan

DNS configuration for UK2 domains on DigitalOcean droplet

October 13, 2016 743 views
DNS Configuration Management Networking Ubuntu 16.04

I have 3 domains registered with UK2.net. I want all of them to point to the same IP. zenlan.com, zenlan.org and zenlan.co.uk.

I used the .org domain while setting up my droplet. I set up a DO domain record using DO nameservers and configured postfix to use the UK2 smtp server. In the UK2 control panel I changed nameservers to those of DO and changed the IP of the A record to my DO floating IP.

All went well, DNS propagated, mail was sending (and arriving), it even got an A rating from SSLLabs.

After much testing I then added the .co.uk domain.

All was good so I decided to bite the bullet and transfer the final domain, the .com. I set up a DO domain as per the .org and .co.uk. I reconfigured postfix from .org to .com (main.cf and mailname) and updated the LetsEncrypt cert to include all 3 domains. The site appears mainly fine, for all domains and with SSL.

However, there are now 2 issues...

1: Mail is getting bounced

I went back to the UK2 control panel to check mail settings and saw a message that I could not use mail unless the domain used UK2 nameservers.

I tried adding a DO MX record to point to UK2 mailserver but I didn't have the IP. So I tried the alternative, using the UK2 nameservers (as preferred/recommended by UK2).

From mail.log...

"lamp-1gb-lon1-zenlan postfix/local[19355]: E1704FFD35: to=info@zenlan.com, relay=local, delay=0.03, delays=0.02/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user: "info")"

... the user info@zenlan.com does exist and prior to adding the .com domain to the droplet, the .org was sending mail to that user successfully. The only thing I changed in main.cf was the hostname and myorigin (/etc/mailname) from .org to .com.

So, questions, should I definitely only use DO nameservers? If not, then any idea what is missing/faulty with regard to my DNS and/or postfix configuration?

2: SSL connections look fine but SSL tests fail. The .com gets an F rating from SSLLabs for the 'DROWN' vulnerability. The .org and .co.uk domains now fail with "Assessment failed: Unable to connect to the server".

I suspect that the .com issue might be that while I have used LetsEncrypt on the droplet, I have an existing Namecheap positivessl certificate for the domain www.zenlan.com and it is still installed on the old server. I can't see any way of deactivating it in the Namecheap control panel; it expires in 2 years. I will be decommissioning the old server as soon as I get this one sorted out.

https://blog.qualys.com/securitylabs/2016/03/04/ssl-labs-drown-test-implementation-details

Am I right in thinking that I have to somehow deactivate the old certificate? Is it to do with having all 3 domains on DO using the same certificate? Or is there another issue here?

Clear advice will be much appreciated. I have read so many articles on these topics that I can't see the wood for the trees now! :)

Thanks for reading all that!

3 Answers

OK, fresh day and I found a post here that suggested I don't need any domain records here for my droplet and can simply point my UK2 A records at my DO floating IP. Have deleted the DO domain records to see what happens.

Solved the mail issue by removing $myhostname from mydestination in /etc/postfix/main.cf.

from
mydestination = $myhostname, localhost.$mydomain, $mydomain

to
mydestination = localhost.$mydomain, $mydomain

The mydestination values are treated as local addresses by the mail server, therefore anything@zenlan.com was being bounced locally.

Suddenly the SSLLabs test is passing with an A rating.

Case solved then.
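The mechanism behind that fix, as an added example rather than the poster's own configuration or Postfix code: a small simulation of how Postfix expands the $variables in mydestination and then treats any recipient domain in that list as local, so an address there must map to a local user or it bounces with "unknown user" instead of going out through relayhost. The main.cf values are constructed to mirror the post (myhostname switched to the .com, mydomain assumed to be left at the Postfix default of myhostname minus its first label, relayhost a placeholder for the UK2 SMTP server).

```python
"""Simulate Postfix's mydestination check (constructed example, not Postfix code).

Only two pieces of the real logic are modelled: $name expansion of main.cf
values and the local-domain match performed before local delivery.
"""
import re

# Hypothetical main.cf values mirroring the post. mydomain is assumed to be
# the Postfix default (myhostname minus its first label); relayhost is a
# placeholder, not the real UK2 server.
BEFORE = {
    "myhostname": "zenlan.com",
    "mydomain": "com",
    "mydestination": "$myhostname, localhost.$mydomain, $mydomain",
    "relayhost": "[smtp.relay.invalid]",
}
# The answer's fix: drop $myhostname from mydestination.
AFTER = dict(BEFORE, mydestination="localhost.$mydomain, $mydomain")

def expand(value: str, params: dict, depth: int = 0) -> str:
    """Expand $name and ${name} references recursively, as main.cf does."""
    if depth > 10:
        raise ValueError("parameter recursion too deep")
    def sub(m):
        name = m.group(1) or m.group(2)
        return expand(params.get(name, ""), params, depth + 1)
    return re.sub(r"\$\{([^}]+)\}|\$(\w+)", sub, value)

def mydestination_domains(params: dict) -> set:
    """Return the expanded, lower-cased set of domains Postfix treats as local."""
    raw = expand(params["mydestination"], params)
    return {d.strip().lower() for d in re.split(r"[,\s]+", raw) if d.strip()}

def route(recipient: str, params: dict, local_users: set) -> str:
    """Fate of one recipient: local delivery, local bounce, or relay."""
    user, _, domain = recipient.rpartition("@")
    if domain.lower() in mydestination_domains(params):
        if user.lower() in local_users:
            return "local"
        # Same outcome as the mail.log line in the question.
        return "bounced: unknown user"
    return "relay via " + expand(params["relayhost"], params)

if __name__ == "__main__":
    users = {"root", "ubuntu"}  # constructed: 'info' is not a Unix account here
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, sorted(mydestination_domains(cfg)),
              route("info@zenlan.com", cfg, users))
```

On a real system `postconf -x mydestination` prints the expanded value, which is the quickest way to see whether a domain you meant to relay is actually listed as local.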
