Question

DNS configuration for UK2 domains on DigitalOcean droplet

I have 3 domains registered with UK2.net, and I want all of them to point to the same IP: zenlan.com, zenlan.org and zenlan.co.uk.

I used the .org domain while setting up my droplet. I set up a DO domain record using DO nameservers and configured postfix to use the UK2 SMTP server. In the UK2 control panel I changed nameservers to those of DO and changed the IP of the A record to my DO floating IP.

All went well, DNS propagated, mail was sending (and arriving), it even got an A rating from SSLLabs.

After much testing I then added the .co.uk domain.

All was good so I decided to bite the bullet and transfer the final domain, the .com. I set up a DO domain as per the .org and .co.uk. I reconfigured postfix from .org to .com (main.cf and mailname) and updated the LetsEncrypt cert to include all 3 domains. The site appears mainly fine, for all domains and with SSL.

However, there are now 2 issues…

1: Mail is getting bounced

I went back to the UK2 control panel to check mail settings and saw a message that I could not use mail unless the domain used UK2 nameservers.

I tried adding a DO MX record to point to UK2 mailserver but I didn’t have the IP. So I tried the alternative, using the UK2 nameservers (as preferred/recommended by UK2).

From mail.log…

"lamp-1gb-lon1-zenlan postfix/local[19355]: E1704FFD35: to=info@zenlan.com, relay=local, delay=0.03, delays=0.02/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user: "info")"

… the user info@zenlan.com does exist and prior to adding the .com domain to the droplet, the .org was sending mail to that user successfully. The only thing I changed in main.cf was the hostname and myorigin (/etc/mailname) from .org to .com.

So, questions, should I definitely only use DO nameservers? If not, then any idea what is missing/faulty with regard to my DNS and/or postfix configuration?

2: SSL connections look fine but SSL tests fail. The .com gets an F rating from SSLLabs for the ‘DROWN’ vulnerability. The .org and .co.uk domains now fail with “Assessment failed: Unable to connect to the server”.

I suspect that the .com issue might be that while I have used LetsEncrypt on the droplet, I have an existing Namecheap PositiveSSL certificate for the domain www.zenlan.com and it is still installed on the old server. I can’t see any way of deactivating it in the Namecheap control panel, and it expires in 2 years. I will be decommissioning the old server as soon as I get this one sorted out.

https://blog.qualys.com/securitylabs/2016/03/04/ssl-labs-drown-test-implementation-details

Am I right in thinking that I have to somehow deactivate the old certificate? Is it to do with having all 3 domains on DO using the same certificate? Or is there another issue here?

Clear advice will be much appreciated. I have read so many articles on these topics that I can’t see the wood for the trees now! :)

Thanks for reading all that!


Suddenly the SSLLabs test is passing with an A rating.

Case solved then.

Solved the mail issue by removing $myhostname from mydestination in /etc/postfix/main.cf

from mydestination = $myhostname, localhost.$mydomain, $mydomain

to mydestination = localhost.$mydomain, $mydomain

The mydestination values are treated as local addresses by the mail server, therefore anything@zenlan.com was being bounced locally.
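To make that fix concrete, here is an added Python model (not code from the post or from DigitalOcean) of how Postfix decides whether a recipient domain is local: it expands the $-parameters in mydestination, applies the default derivation of mydomain from myhostname, and classifies a recipient as local or relayed. The main.cf fragments are constructed from the two lines above, and the myhostname value zenlan.com is an assumption.

```python
import re

# Constructed main.cf fragments mirroring the before/after change in the post;
# the myhostname value is an assumption (the post only says it was changed to .com).
MAIN_CF_BEFORE = """
myhostname = zenlan.com
mydestination = $myhostname, localhost.$mydomain, $mydomain
"""
MAIN_CF_AFTER = """
myhostname = zenlan.com
mydestination = localhost.$mydomain, $mydomain
"""

def parse_main_cf(text):
    """Parse 'key = value' lines into a dict, skipping comments and blanks."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    # Postfix default: mydomain is myhostname minus its first label
    # (so myhostname=zenlan.com gives mydomain=com), else "localdomain".
    host = params.get("myhostname", "localhost")
    params.setdefault("mydomain", host.split(".", 1)[1] if "." in host else "localdomain")
    return params

def expand(value, params):
    """Expand $name / ${name} references, repeating for nested references."""
    pattern = re.compile(r"\$\{?(\w+)\}?")
    for _ in range(10):
        new = pattern.sub(lambda m: params.get(m.group(1), ""), value)
        if new == value:
            break
        value = new
    return value

def local_domains(params):
    """Domains the local transport will claim (simplified mydestination model)."""
    raw = expand(params.get("mydestination", ""), params)
    return {d.lower() for d in re.split(r"[,\s]+", raw) if d}

def delivery_class(recipient, params):
    """'local' means a recipient with no matching Unix/alias user bounces 5.1.1."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return "local" if domain in local_domains(params) else "relay"

if __name__ == "__main__":
    for label, cf in (("before", MAIN_CF_BEFORE), ("after", MAIN_CF_AFTER)):
        p = parse_main_cf(cf)
        print(label, sorted(local_domains(p)), delivery_class("info@zenlan.com", p))
```

Running it shows zenlan.com in the local set only for the "before" config, which is why info@zenlan.com was bounced as an unknown local user instead of being handed to the UK2 relay.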

OK, fresh day and I found a post here that suggested I don’t need any domain records here for my droplet and can simply point my UK2 A records at my DO floating IP. Have deleted the DO domain records to see what happens.