DNS configuration for UK2 domains on DigitalOcean droplet
I have 3 domains registered with UK2.net. I want all of them to point to the same IP. zenlan.com, zenlan.org and zenlan.co.uk.
I used the .org domain while setting up my droplet. I setup a DO domain record using DO nameservers and configured postfix to use the UK2 smtp server. In the UK2 control panel I changed nameservers to those of DO and changed the IP of the A record to my DO floating IP.
All went well, DNS propagated, mail was sending (and arriving), it even got an A rating from SSLLabs.
After much testing I then added the .co.uk domain.
All was good so I decided to bite the bullet and transfer the final domain, the .com. I setup a DO domain as per the .org and .co.uk. I reconfigured postfix from .org to .com (main.cf and mailname) and updated the LetsEncrypt cert to include all 3 domains. The site appears mainly fine, for all domains and with SSL.
However, there are now 2 issues...
1: Mail is getting bounced
I went back to the UK2 control panel to check mail settings and saw a message that I could not use mail unless the domain used UK2 nameservers.
I tried adding a DO MX record to point to UK2 mailserver but I didn't have the IP. So I tried the alternative, using the UK2 nameservers (as preferred/recommended by UK2).
"lamp-1gb-lon1-zenlan postfix/local: E1704FFD35: firstname.lastname@example.org, relay=local, delay=0.03, delays=0.02/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user: "info")"
... the user email@example.com does exist and prior to adding the .com domain to the droplet, the .org was sending mail to that user successfully. The only thing I changed in main.cf was the hostname and myorigin (/etc/mailname) from .org to .com.
So, questions, should I definitely only use DO nameservers? If not, then any idea what is missing/faulty with regard to my DNS and/or postfix configuration?
2: SSL connections look fine but SSL tests fail. The .com gets an F rating from SSLLabs for the 'DROWN' vulnerability. The .org and .co.uk domains now fail with "Assessment failed: Unable to connect to the server".
I suspect that the .com issue might be that while I have used LetsEncrypt on the droplet, I have an existing Namecheap positivessl certificate for the domain www.zenlan.com and it is still installed on the old server. I can't see any way of deactivating it in the Namecheap control panel, it expires in 2years. I will be decommissioning the old server as soon as I get this one sorted out.
Am I right in thinking that I have to somehow deactivate the old certificate? Is it to do with having all 3 domains on DO using the same certificate? Or is there another issue here?
Clear advice will be much appreciated. I have read so many articles on these topics that I can't see the wood for the trees now! :)
Thanks for reading all that!