Certificate errors and more (AWS)

I have moved a domain to a sympl instance on AWS. AWS only provide Debian 9.5 so I installed that, installed sympl as per the instructions then upgraded to buster as I needed a later version of PHP. All went well. I migrated a domain from Bytemark, a symbiosis install, and all looked good. However now all emails sent from this domain are marked as spam by Gmail, SpamAssassin etc., making life a little difficult. I also seem to be seeing some errors regarding certificates. Any thoughts appreciated. Here is the output from a DNS error check.

Try https://www.mail-tester.com/ : send it an email and it will give you a comprehensive run-down on what it thinks is wrong.

Hi @phill104, AWS throttles port 25 on EC2 and Lightsail instances. Amazon came back to me (when we had to lift the port 25 throttle) with the below info:

Remove Throttle on port 25 on EC2 form: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/

This will also help with the spam flagging issue, and you can request reverse DNS for your AWS instance IPs using the same form (https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request) when you’re logged into your account.

If you don’t have a support plan with Amazon you may be asked to add one, the basic one (around $21/month) is sufficient.

I hope that helps!

– Chris

Thanks. I’ve run that but really not sure where to start fixing these particular issues. I have tried adding an A record for the one listed but that doesn’t seem to change anything. Also not sure how to fix the HELO error.

Adding a support plan would end up costing me more than I am currently paying bytemark for hosting so I would not want to go down that route.

It does seem like I need to request an rDNS record on the link you provided but I am really lost in this part on exactly what to request.

Okay, you have a number of problems, most/all of which should be fixable!

  1. You need a public hostname for the server, with rDNS pointing back to it. server.example.com is good if you don’t have a specific domain.
    1.1 Once you’ve done that, you’ll need to update the server to use that hostname for mail. Off the top of my head, adding it to /etc/mailname (and replacing anything already there) should do the job for mail purposes.
  2. Enable DKIM - you’ll probably need to copy the key from /srv/example.com/config/dns/example.com.txt and add that to the DNS with the same ‘selector’
  3. Add a DMARC record. There’s a good online generator at mxtoolbox.com.

If you sort those out, it should significantly improve the score.
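As an added example (not from this thread or the Sympl project), the following POSIX shell script checks the three DNS items in the reply above from the server itself: that the mail hostname's A record and the IP's PTR agree, that a DKIM public key is published under the chosen selector, and what policy the DMARC record carries. The parsing functions take record text as arguments, so they also run offline; `check_domain` wires them to `dig +short` (package bind9-dnsutils on Debian). Every hostname, IP, selector and record value below is a constructed placeholder, and the selector name is whatever the key file in `/srv/<domain>/config/dns/` uses, which this script does not read.

```shell
#!/bin/sh
# Added example, not from the thread or the Sympl project.
# Checks: hostname A <-> PTR agreement, DKIM selector TXT, DMARC TXT.
# All names, addresses and record strings used here are constructed placeholders.

# txt_value: turn one `dig +short TXT` line into a plain string, joining
# split strings:  "v=DKIM1; k=rsa; " "p=MIIB..."  ->  v=DKIM1; k=rsa; p=MIIB...
txt_value() {
  printf '%s\n' "$1" | sed 's/" "//g; s/"//g'
}

# tag_value RECORD TAG: value of TAG in a "tag=value; tag=value" list
# (the format shared by DKIM and DMARC records); empty if the tag is absent
tag_value() {
  printf '%s\n' "$1" | tr ';' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | sed -n "s/^$2=//p" | head -n 1
}

# dmarc_policy RECORD: prints the p= policy, "missing" if a DMARC1 record has
# no p= tag, or "invalid" if the record is not a DMARC1 record at all
dmarc_policy() {
  rec=$(txt_value "$1")
  if [ "$(tag_value "$rec" v)" = "DMARC1" ]; then
    p=$(tag_value "$rec" p)
    printf '%s\n' "${p:-missing}"
  else
    printf 'invalid\n'
  fi
}

# dkim_has_key RECORD: succeeds when the record is DKIM1 with a non-empty p= key
dkim_has_key() {
  rec=$(txt_value "$1")
  [ "$(tag_value "$rec" v)" = "DKIM1" ] && [ -n "$(tag_value "$rec" p)" ]
}

# rdns_matches HOST IP PTR: the PTR for IP (as dig prints it, trailing dot
# included) must name HOST exactly; generic provider PTRs fail this check
rdns_matches() {
  [ -n "$2" ] && [ "${3%.}" = "$1" ]
}

# check_domain DOMAIN HOSTNAME SELECTOR: live checks using dig
check_domain() {
  domain=$1; host=$2; selector=$3
  ip=$(dig +short A "$host" | head -n 1)
  ptr=""
  [ -n "$ip" ] && ptr=$(dig +short -x "$ip" | head -n 1)
  if rdns_matches "$host" "$ip" "$ptr"; then
    echo "rDNS ok: $host <-> $ip"
  else
    echo "rDNS mismatch: $host -> ${ip:-<no A>} -> ${ptr:-<no PTR>} (rDNS must be requested from the provider)"
  fi
  dkim=$(dig +short TXT "$selector._domainkey.$domain" | head -n 1)
  if dkim_has_key "$dkim"; then
    echo "DKIM ok: $selector._domainkey.$domain"
  else
    echo "DKIM missing or malformed at $selector._domainkey.$domain"
  fi
  dmarc=$(dig +short TXT "_dmarc.$domain" | head -n 1)
  echo "DMARC policy: $(dmarc_policy "$dmarc")"
}

# Usage on the server (placeholders): sh check-mail-dns.sh example.com server.example.com SELECTOR
if [ $# -eq 3 ]; then
  check_domain "$@"
fi
```

The rDNS check deliberately requires the PTR to name the mail hostname itself rather than merely resolving, because the generic PTR a cloud provider assigns to an address still counts as a mismatch for receivers comparing HELO, forward and reverse names.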

Thanks. I am working on those things. AWS seems to require a lot of promises and justification to allow you to have an rDNS record added.

Having suggested mail-tester.com I’ve just checked my own setup, and got
“You’re not fully authenticated”

(Edited:)
If you saw my previous version of this message, please ignore.
In this case, “not fully authenticated” meant DKIM not set, and now I’ve set it, I’m getting 10/10.

Getting better on the score front. Still not fully authenticated but apparently it can take up to a week for AWS to correctly do the rDNS for me. What is quite interesting about their setup is they only lift email restrictions on a zone by zone basis. So as my server is in London, my restriction is still valid for parts of the world in other zones. They do not say how the zones are organised though.

I now have a score of 3.6 with DMARC and DKIM sorted. Just that pesky rDNS to fix.

Ah, it looks like the main remaining problem is the server hostname doesn’t match the DNS, which looks suspicious.

If you follow the (new) instructions at Changing Your Server Hostname - Sympl Wiki, then that should help. :crossed_fingers:

You’ll need to specify the new domain as the full domain though, which matches the rDNS, including the www..

Seems I have misunderstood those instructions. I already had a /srv/distinctlyaverage.co.uk tree. When I ran the instructions it renamed the old server name directory to /srv/www.distinctlyaverage.co.uk so the site vanished. I then moved the contents of /htdocs to /srv/www.distinctlyaverage.co.uk and this brought back the site as expected but with no https. So I ran sudo sympl-ssl --verbose and that doesn’t fix the SSL issue. Seems I have caused a bit of a mess.

@phill104 It looks like distinctlyaverage.co.uk is using a self-signed cert - if you remove /srv/distinctlyaverage.co.uk/config/ssl-provider and re-run sympl-ssl you should be good to go again.

I removed that and now the server cannot be found. The file was not in /srv/distinctlyaverage.co.uk but in /srv/www.distinctlyaverage.co.uk

I wonder if the duplicated names are causing the problem?

It’s partially the duplicated names and how Sympl assumes a www. subdomain for everything.

If you move /srv/www.distinctlyaverage.co.uk out of the way, and run sudo ln -s /srv/distinctlyaverage.co.uk /srv/www.distinctlyaverage.co.uk, it should fix most of it after a reboot.

Unfortunately, a lot of the Symbiosis code which Sympl inherited makes a lot of assumptions on how the hostname is set, primarily that it matches the non-stock way that it is done in the Bytemark images, which can lead to occasional problems in other areas.

Eventually, that will all get replaced and selecting a default domain/hostname/etc will be a lot simpler, but it’s some time off yet.
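As an added example (not from this thread or the Sympl project), here is a guarded version of the "move the www. directory out of the way and symlink it" fix above. The point it adds is safety for the duplicated-directory situation: the existing www. directory is renamed with a timestamp rather than deleted, a symlink that already points at the right place is left alone, and a symlink pointing elsewhere aborts instead of being silently replaced. The `/srv` root is a parameter so the function can be exercised against a temporary directory; the domain name used in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the Sympl project.
# link_www_alias DOMAIN [SRV_ROOT]
#   Makes SRV_ROOT/www.DOMAIN a symlink to SRV_ROOT/DOMAIN (SRV_ROOT defaults
#   to /srv). A real directory at www.DOMAIN is renamed to
#   www.DOMAIN.bak-<timestamp> first, a symlink already pointing at DOMAIN is
#   kept, and a symlink pointing anywhere else makes the function refuse.
link_www_alias() {
  domain=$1
  root=${2:-/srv}
  canon="$root/$domain"
  www_dir="$root/www.$domain"

  if [ ! -d "$canon" ]; then
    echo "no $canon to point at" >&2
    return 1
  fi

  if [ -L "$www_dir" ]; then
    if [ "$(readlink "$www_dir")" = "$canon" ]; then
      echo "$www_dir already links to $canon"
      return 0
    fi
    echo "$www_dir is a symlink to $(readlink "$www_dir"), refusing to change it" >&2
    return 1
  fi

  if [ -e "$www_dir" ]; then
    backup="$www_dir.bak-$(date +%Y%m%d%H%M%S)"
    mv "$www_dir" "$backup"
    echo "moved $www_dir to $backup"
  fi

  ln -s "$canon" "$www_dir"
  echo "linked $www_dir -> $canon"
}

# Usage on the server (placeholder domain): sudo sh link-www.sh example.com
# then reboot, as the reply above suggests, so Sympl picks up the new layout.
if [ $# -ge 1 ]; then
  link_www_alias "$@"
fi
```

The backup directory is left in place on purpose: if the site's content was moved into the www. tree, as happened in this thread, it can be copied back into the canonical directory before the backup is removed.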

Many thanks for all your efforts. I really look forward to seeing this project develop once the strings of the old order have been cut. The DKIM is a false positive that I can live with, MX toolkit verifies it is OK.

Also many thanks to @Anahata and @swchris for the superb information and help given.

Hope you don’t mind, I have made a couple of minor edits to the doc wiki to hopefully help others. If the edits are wrong please feel free to kick me in the man globes.

Feel free! That’s what it’s there for!