Config reverse DNS PTR on cpanel with AWS EC2 - amazon-ec2

Anybody here has experience with configuration SMTP on Cpanel host by AWS EC2.
After I have done configurations, DKIM is valid, SPF is valid, but PTR is not valid (reverse DNS). Then when I sent a test email to mail-tester.com, it was 3/10. Here is the error message
We didn't find a server (A Record) behind your hostname ip-172-31-1-135.ap-southeast-1.compute.internal.
You may want to publish a DNS record (A type) for the hostname
ip-172-31-1-135.ap-southeast-1.compute.internal or use a different hostname in your mail software.
I'm a newbie for DNS stuff, if you need more information, please give me a comment.

You should configure your mail server software to use your custom hostname (for example mail.example.com), not the AWS assigned default (such as ip-172-31-1-135.ap-southeast-1.compute.internal)
You need to contact AWS support to have PTR record configured https://aws.amazon.com/blogs/aws/reverse-dns-for-ec2s-elastic-ip-addresses/
Keep in mind that Amazon EC2 throttles traffic on port 25 of all EC2 instances by default, but you can request for this throttle to be removed: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/

If you want to receive emails on this server you can't change port number from 25 to something else as other servers will try to connect on this port to deliver emails. You also have to ask AWS to remove throttle on port 25 as stated before.
If you haven't already, create A DNS record for cpanel.mydomain.com pointing to your elastic IP (it is important that you have elastic IP not automatically assigned public IP)

Finally, I got 9.8/10 after tweaking some configuration and waiting for AWS Support to map Elastic IP to my domain name, then I can get 10/10
Most importantly, have to make sure hostname has to your my domain
1. set hostname
sudo hostname cpanel.mydomain.com
Set it automatically
cd /etc/dhcp/dhclient-exit-hooks.d/
sudo nano set-hostname.sh
file set-hostname.sh
#!/bin/sh
hostname cpanel.mydomain.com
/scripts/fixetchosts
For more detail, please free to reference here

Related

In AWS, how do I configure SSM for an instance joined to an AWS AD Domain in a Private Subnet?

I am trying to set up SSM on Windows.
I have an ASG in a private subnet (absolutely 0 internet access). I can not use NAT, only VPC endpoints.
In the instance launch configuration, I have a PowerShell script that uses Set-DnsClientServerAddress so that the instance can find and join an AWS Managed MS AD service. I would also like to set up the instance so it can be fully managed with SSM.
The problem comes with the DNS Client Server Address.
When I set it to match the address of the AD service SSM will not work.
When I leave the DNS Client Server Address default, SSM works but I can not join the AD.
I tried forcing the SSM Agent to use the endpoints by creating a amazon-ssm-agent.json file and setting all three endpoints in there. This allowed the instance to show on the Managed Instance list, but its status never changed from pending and requests from within the instance still timed out.
Does anyone know the magic sauce to get these things all working at the same time?
EDIT 1:
I also tried adding a forward as described in this thread, however I'm either missing somethign or it is not working for my case:
https://forums.aws.amazon.com/thread.jspa?messageID=919331&#919331
It turns out that adding the forwarder as described in the link above worked. The part I was missing was joedaws comment, "I would also remove the existing 169.254.169.253 entry so that only the 10.201.0.2 ip address is in the list".
Of course, my IPs are different, but once I removed the preexisting forward so that my x.x.x.2 IP was the only one in the list (I did this for both of the AD DNS servers) the instance was discoverable by SSM.
So, I would make a minor change to the list that saugy wrote:
On a domain joined windows instance, log in with AD domain Admin user
Open DNS manager
Connect to one of the DNS IP addresses for the AWS AD
Select forwarders
Add the VPC's DNS IP (x.x.x.2 from you VPC's CIDR range)
Remove the existing IP (so you VPCs IP is the only one)
Click Apply
Repeat from step 3 with the other DNS IP address for the AWS AD (not 1
Also, as mentioned in the other post. This only has to be done once and the settings persist in the AD DNS.

Pointing multiple IP address from different hosts to a same domain name with different port

I tried creating an Amazon EC2 instance with an elastic IP address. In there I deployed a MEAN app by Bitnami.
On the other hand we have a CPanel (not deployed in amazon, I think it's Apache, not sure, I'm not the one who deployed it)
Cpanel is already pointing to www.example.com so we can access cpanel via www.example.com:2082 but the default www.example.com:80 is blank/empty. We are using Cpanel for our mailing server.
What I need to do is to point Amazon EC2 public IP and DNS to www.example.com:80. Can I set it up in Cpanel DNS Zone Editor? or do I need to set up Amazon Route 53? what do I need?
If I create a new A record in Cpanel DNS Zone editor for Amazon I lose access to Cpanel www.example.com:2082. I'm really confuse right now. Please Help.
You need to introduce a Proxy server in between to do this, As in DNS you can't set the ports, for each type of requests ports are already defined.
You can add nginx or haproxy or any other reverse proxy server, which will accept all the requests and passes on the request to appropriate hosts on appropriate ports.
I know it's a bit late but just in case you still need it or someone comes across this:
No need for a proxy.
You point the A record for example.com to EC2 IP.
CNAME for WWW to example.com
Then you should have an A record for mail.example.com for your cPanel IP
Your MX records should point to mail.example.com and not to example.com.
And you can access cPanel at mail.example.com:2082 or whatever the server's IP or main hostname is. The main hostname has the advantage that you can use port 2083 for SSL cPanel connections
Just make sure the e-mail clients use mail.example.com and not example.com as the connecting mail server.

Amazon EC2 and getting a response from my IP address without using the Amazon public DNS

I have tried everything, I can get to my application using the ec2-x-x-x-x.compute-1.amazonaws.com, I cannot ping the address.
However, when I do ping the amazon DNS, it identifies with the IP address of but does not respond to ping.
When I put the IP address in the browser, it times out and gives me the Chrome "Oops", I have went through the Security vgroup several times.
I have checked the server, including the IPtables and the ports that Apache is listening to.
I don't have a lot of knowledge in this area, But I tried everything in the forum and more.
I even created another Elastic IP and associated it with the instance.
Please help.
By default, you cannot ping an EC2 instance, since it is blocked by the firewall (see why can't I ping my instance):
Ping uses ICMP ECHO, which by default is blocked by your firewall.
You'll need to grant ICMP access to your instances by updating the
firewall restrictions that are tied to your security group.
ec2-authorize default -P icmp -t -1:-1 -s 0.0.0.0/0
Check out the latest developer guide for details.
Section: Instance Addressing and Network Security -> Network Security
-> Examples
As for HTTP requests - your instance is available and looks fine (I suggest you remove the real DNS name from your post though)...
For ec2 best options is
1) open port 5060 and 10000-20000 udp on firewall(security group)
2) order and attach elastic IP.
3) in sip.conf add
externhost=elastic_ip_her
localnet=10.0.0.0/255.0.0.0
Every time you start/stop that instance attach same elastic IP.
For web access you also need open port 80 in security group

amazon ec2 - name server issue

i have created new instance in amazon ec2, and assigned the elastic ip for instance. But i need to know how to get ip for name server (ns1.abc.com, ns2,abc.com).
I have installed whm in amazon instance. Only domain cannot point to the correct name server. That is because ip cannot load.
Now, my problem is that how i get new ip. Can i add another two elastic ip in amazon? But i configured two elastic ip for name server in dns zone within whm. The name server is not working. And i cannot open the elastic ip in browser. I am confuse for it. Please anyone help me.
There are lots of things that can go wrong here. I'll try to troubleshoot step by-step:
I'll assume the goal is "You want to type 'whm.foo.com' and see your WHM"
1) Go to your domain registrar and make an entry that points "whm.foo.com" to your EIP. (Depending on what you want, maybe you should setup a "*.foo.com" wildcard for that EIP.
2) Test that step #1 worked by typing "ping whm.foo.com" or "dig whm.foo.com" (one linux/mac, not sure about Windows). This should return your EIP. If not, go back to step 1.
3) Check that WMH is acually running. Read the docs to find what port it's running on. (Usually 2083, or 2082 for insecure access)
On your instance, run "curl -v localhost:2083" (or whatever port. It should return a login screen. If it says "couldn't connect to host", then you have the wrong port or it's not running.
4) run "netstat -na | grep :2083" (or whatever port). It should say "0.0.0.0:*". If it says "127.0.0.1:*", then you need to configure it to allow outside access.
5) Make sure your WHM port is enabled in the AWS firewall. Go to the AWS control panel and find the security group for your box. Make sure that port is allowed. Ideally, you'd only add your personal IP instead of opening it up to the world. (If there is a bug in WHM, people will scan all IPs trying to exploit it. They can't exploit your server if the AWS firewall denies them access.)
6) Now type "https://whm.foo.com:2083" (or whatever port) in your browser. (or http://whm.foo.com:2082 for insecure access). It should work!
i need to know how to get ip for name server (ns1.abc.com, ns2,abc.com).
As rdrey said, you need to go to your DNS provider (most registrars also do DNS) and tell them what boxes should point to your EIP.
That is because ip cannot load.
There is no such thing as "ip cannot load". Either "DNS is giving the wrong IP" or "some IP operations (TCP ports) were blocked by a firewall somewhere".
Now, my problem is that how i get new ip
I don't think that should be your goal. You can easily change EIPs, but it won't fix the problem. Nothing works unless everything in between is set up correctly. The goal should be understanding all the steps in the process and verifying that each step was done correctly.
OK, you have two options here:
Use the DNS servers provided by your Domain Registrar OR
Use AWS Route53 to let Amazon provide DNS services for you.
Option 1:
You bought your domain name from a registrar, like one of these: http://lifehacker.com/5683682/five-best-domain-name-registrars
Most, if not all, registrars run a free DNS service for their customers. You should be able to log into some kind of management console and set your domain's DNS zone entries to point at your AWS EIP. (I am using gandi.net and used to use godaddy. You simply leave the DNS Servers as they are and set your AWS EIP as the 'A' record.)
Option 2:
Go to https://console.aws.amazon.com/route53/home and follow instructions. I haven't read up on Route53's pricing, so this option might not be free.
---- EDIT:
Some more help:
The site you've linked to (http://www.intodns.com/xantec.com.sg) states that you've used your EIP (54.251.169.7) as the nameserver for the domain. You don't want that. You're running a cPanel installation, NOT a DNS nameserver.
Put 54.251.169.7 as your site's A record. (Sometimes called the www field.) Remove it from the NS fields and put ns3.thesimpledns.com & ns4.thesimpledns.com into those.

SPF record for amazon ec2

From where do I get the correct syntax to create a proper SPF record for EC2 amazon server? I understand how to create a dns entry but I have no idea what to put in place for the SPF record.
This is very easy to do:
Provision an Elastic IP for your server
Setup an "A" record for the server which will be sending mail with your favorite registrar- a good practice to follow is to include "svr" somewhere in the hostname, as in, app-svr-01.youdomain.com
Click here to contact amazon and ask for a reverse dns record for the IP
add the following somewhere in your SPF record and you should be good to go:
a:app-svr-01.youdomain.com
Note: if you need to relay mail through this server from your other AWS servers, or communicate between servers in any other way, you shoukd not use this new FQDN, but rather the AWS FQDN from the AWS console (it will look like ec2-xxx-xxx-xx-xx.compute-1.amazonaws.com).
Using your custom domain name will route through the "WAN" and incur bandwidth charges.
You can use the Amazon Simple Email Service (SES). If you only use this service (and not directly), then your SPF can be as simple as described in the FAQ:
http://docs.amazonwebservices.com/ses/latest/DeveloperGuide/SPF.html
maybe changing it to a definite fail on mismatch:
v=spf1 include:amazonses.com -all
Creating an SPF record for an EC2 instance is a waste of time. Every major ISP and blacklist will blackhole mail from an EC2 IP no matter what you do. Since anyone can spin up an instance, get a new IP, send spam and disappear, nobody trusts their mail.
Use an external mail server, like SendGrid.

Resources