Non-www domain returns x-x-x-x.ip.linodeuserconten.com certificate
Background: I have had my DNS and Let's Encrypt cert covering both the www and non-www working fine for months. It is valid for another 30+ days. On the server certbot certificate reports:
Certificate Name: classasignup.com
Serial Number: 4c470e5b912b8031a746cf548c11c603db4
Key Type: ECDSA
Domains: classasignup.com www.classasignup.com
Expiry Date: 2024-04-27 21:33:15+00:00 (VALID: 33 days)
About 10 days ago I was going to setup sendmail for my server and had Linode open the mail ports which they did. In the instructions I needed to setup a RDNS record which I did. For lots of reasons decided to not setup email server to go with an external mail service which required only a MX and some TXT DNS records.
Everything was working great, was on the classasignup.com site doing work all last week.
Issue: Today the problem was noticed by a client, the non-www classasignup.com returns a certificate for 96-126-107-249.ip.linodeusercontent.com and ssllabs.com reports a name mismatch and T rating. While www.classasignup.com returns the correct Lets Encrypt cert in both the browser and ssllabs.com with an A rating.
Reading docs and posts here RDNS seemed like a potential culprit so I cleared the entry and it is back to the default 96-126-107-249.ip.linodeusercontent.com (Confusing because the is the problem certificate yet that is how my other working linodes are setup)
The only other changes on the server related to the attempted email setup were to add a Full Qualified Domain Name host entry which I have also taken out as I read somewhere it can take precedence over DNS?
Sorry for the long post but trying to cover what I have done. Now with resetting back to what it was but still having the issue I am at a loss as to how to further diagnose this. Thanks of any direction or help!
1 Reply
jhartman
Linode Staff
Using the default rDNS/PTR value assigned by Linode (e.g. $IPADDRESS.ip.linodeusercontent.com) does not meet many mailing providers' requirements for sending mail and will, in many cases, result in your mail/IP address immediately becoming flagged as spam. Similarly, many providers require additional security measures to prevent spam and spoofing in the form of SPF, DKIM, and DMARC mailing records:
- How do I add an SPF record for my domain? (252) | Linode Questions
- How do I configure DKIM records? (238) | Linode Questions
- How do I get DMARC records for domain in linode (19374) | Linode Questions
These records should always be in-place and globally propagated before attempting to send mail - best case it merely bounces or does not send, worst case your IP will become blocklisted.
I'm not entirely sure I understand the active issue you've presented aside from a public SSL testing site providing a low mailing score. In general, most providers maintain their own private blocklists so publicly accessible ones may not provide the full overview of the underlying issue. We have however found that SpamHaus' blocklist is a reputable indication as far as public lists are concerned, but ultimately "clean IPs" may still be blocked a provider.
If your mail is being blocked by one of your client's mail providers, the full 550 bounce error message will have more insight into why the mail is not being delivered. Again, not having specifics DNS records (especially after removing an existing rDNS entry) could be the cause of deliverability issues. Additionally, many providers require mail sent from new sources to gradually "warm up". This means mail sent in-bulk from a new source can flag you as a spammer if you have not previously sent small amounts of mail over a few days/weeks time.
Otherwise, you are correct - entries added to /etc/hosts (IPs mapped to FQDN or custom entries) will take precedence over external DNS requests. That said, this is only for DNS resolve requests made by your Linode and should not have any bearing on how other servers determine your IP or verify SMTP records like SPF/rDNS. I would recommend comparing your setup against the specifications in our Mail Server guide to ensure everything has been setup properly: