openec2 Article Description

Part 3

Configure an SES/S3 Bucket for forwarding email

Open your domain name DNS records, wherever they are held and managed, so that you can add SES email records to them.

This is the domain name such as mydomain.com (your own however) which we will add to SES services.

If you do not wish to do so, e.g. your email already goes via MS Exchange, then ignore this. Irrespective, it is good to know how to do this.

You may not mix other email records at the same time with services such as MS Exchange, Amazon WorkMail, VentraIP email, Axigen and so forth.

From your SES console, check you are in your email region, such as Oregon for Australia.

Go to Configuration > Identities > “Create identity” (button) > Identity  type – Domain

See the diagram below for the entries we use in the form.

Once again, the following should be under your belt buckle as related to your website. Yes, it is a lot, but it becomes stock standard at some point.

Attend to SSL and DNS Records

Keep in mind, we are creating a website that requires an email component as part of the service. The website will need an SSL certificate.

This requires a DNS  CAA record. If the domain name registrar who holds your domain does not give you free access to editing CAA records, you should transfer to another registrar who does, such as Amazon Route53. The alternative is to see if the registrar has a paid DNS management option, which I never subscribe to paying.

Domain name transfers can be easy or complicated depending on who holds the registration. Normally, we access the domain records and unlock the domain so it can be transferred. Then we find the transfer key and copy it to an editor on our PC so we do not lose it. The key can go by various names, but it is a password in effect. Then we go to the provider who we want to transfer to, as they provide the free CAA record editing. We work out where they transfer a domain, and request the transfer using that key. The new provider should check the domain can be transferred due to it being unlocked and having the key. There should be no fee to transfer to an “ethical” registrar. You must have the original email address you used with the domain name on the current registrar, so they can send you an email to confirm the transfer. (This is tricky if you no longer have the email. The original provider may offer an internal mechanism to verify the transfer. I was once successful in transferring without the original email.)

Your registered email must be correct as now and then the authority that issues domain names may send you an email. If that email bounces, you could lose the domain. You never should respond to marketing emails not sent from the registrar that tell you the domain is about to expire.

Once verified, the transfer can be immediate, or a few days. There are various options when transferring. I usually ask to use the new provider’s NS Name Servers.  If you already have a website using the first provider, of course you have to backup the database and files first, and cut and paste helpful existing DNS records to your PC, such as records that point to MS Exchange.

When you have the EC2 Linux instance ready to hold the domain’s website, you would change the A record to point to the instance. If the domain DNS records are not on Amazon Route53, you would still edit the records to use the Amazon’s IP4 address in your A record.

If unsure about transfers, talk to the new registrar, and think about what you are doing before executing. You can lose a domain if it is not unlocked, you do not have the password, you don’t have the registered email address, or if there is any other setting by the original registrar required. Some mistakes can be corrected, but some registrars charge a wild west outlaws’ fee to help. The transfer should not involve any fee, so if it does I myself would not use them. However, there is likely a fee to update the domain’s registration for another 12 months.

Once transferred, you should add your intended CAA records. If using Let’s Encrypt, use “letsencrypt.org”. If Comodo store sells you the certificate, you would first have your admin@mydomain.com working before requesting the certificate, or use their DNS validation option and place that record into your DNS records. Creating a paid certificate – I use the cheapest Positive DV certificates – you need to now how to create a .csr and .key file. This is a separate lesson. However, Comodo would use a CAA record of sectigo.com and digicert.com. You must not add letsencrypt.org to the same domain name if using a paid SSL certificate. If using the free Let’s Encrypt, you must not use sectigo.com etc. However, a subdomain could use the free one, and your primary domain a paid one. You cannot register a Comodo certificate until the correct CAA record is saved. If so, you fix it, and may have to call their support desk to unlock it.

I use my free login to CleanTalk to create and download a .csr and .key file.

The form fields are easy to create. Here is an example of an old website I once had – none of these records exit today. Note, we just use “IT” as the organisation. The organisation name is usually your registered business name, or your ABN non-registered name, or failing that, just use your name.

 

Certificate covers:photosbyshaw.com.au, www.photosbyshaw.com.au
Common name:photosbyshaw.com.au
Email address:shawlw@iinet.net.au
Organization name:PHOTOSBYSHAW
Organization unit name:IT
Country name:AU
State or province:Queensland
Locality name:Brisbane

Once you have your paid certificate, in Linux2023 we store an edited version of the .crt file in /etc/pki/tls/certs and the .key file in /etc/pki/tls/private. If using Debian, we store these in /etc/ssl/certs and /etc/ssl/private.

Installing the free Let’s Encrypt is a separate lesson as it is fairly involved. Those keys will end up in /etc/letsencrypt/live/MYDOMAIN.COM/fullchain.pem and privkey.pem.

So, what is the edited .crt file from Comodo Store?

Comodo has a process to send you an email to admin@mydomain.com with a cryptographic-looking string you type into a URL link they take you to. You should have your CAA record in place first. Then they email you the .zip file with the certificate, or you can download it. I make a copy of the original .crt file, then edit the .crt file. I append to it the contents of SectigoRSADomainValidationSecureServerCA.crt, and append after that the contents of USERTrustRSAAAACA.crt. That is is. Then upload the .crt and the .key file you previously obtained to your Linux instance’s suitable directories. This order of appending is important. You can always use the same .csr and .key files when renewing certificates if you like. Comodo may ask if a new certificate is for use with Apache, which is fine even if using Nginx. A LiteSpeed package may come with what they call a bundled file. You just have to work out what contents to use. LiteSpeed is happy to append content. We never include what is called the root certificate. All this is about experience/learning.

When your website is up and running with https:// please check your certificate is correct with ssllabs.com for an A rating and no warnings about incorrect appending order that we made. We do not need to aspire to an A+ rating, but we can do that in the Nginx engine.

It is helpful to get these things done up front as much as possible before adding a website to an EC2 instance.

Your Static IP4 Address

Amazon AWS charges for use of a static IP4 address. Services using cPanel give a free shared address. Akamai/Linode at time of writing allocates a free static address. When allocating an address, go and check if it is blacklisted via mxtoolbox.com. On Akamia’s service I had to create a Linux “linode” nine times across two days before I got a good IP address. Victory! The static address is technically faster and has a better rating from various behind the scenes services. A shared address can be clobbered by another person with whatever they are doing, or become blacklisted. I feel serious business websites need the static address.

When you create the domain identity it waits for you to edit the DNS records with its values.

It is easy to make a typo. Amazon checks periodically and sends you an email when the mail from and dmarc records are recognised. You cannot test emails until thee are validated in the SES Identities panel.

Your records will need to have the following, which includes security… (I usually put 3600 as the time interval)

You should already have the CNAME records, www.mydomain.com pointing to domain.com (rather than an ip address).

Three CNAME records, similar to this format:

bczgazcmj366zhkcxxxxxxxxxxxxxxx._domainkey.mydomain.com CAA bczgazcmj366zhkcxxxxxxxxxxxxxxx.dkim.amazonses.com. 3600

mail.mydomain.com MX feedback-smtp.us-west-2.amazonses.com. 3600 10 <– this is the priority, in this case 10.
mail.mydomain.com TXT v=spf1 include:amazonses.com ~all

Note: Amazon Route53 often places values in double quotes. Usually we do not type in a full stop after other provider’s entries either.

mydomain.com MX inbound-smtp.us-west-2.amazonaws.com. 3600 10 <– Note these are with Oregon. Change if needed. Amazon provides a formal list of all its region names.

You cannot include other provider MX records with the same domain name, even if the priority of the one you want is higher, 0 being the highest. We usually use 10, and secondary MX servers 10, 30, and so on.

*._report._dmarc.mydomain.com TXT v=DMARC1
_dmarc.mydomain.com TXT v=DMARC1;p=quarantine;pct=25;rua=mailto:dmarc@mydomain.com

Dmarc records can be handled so they don’t go to your inbox.

MS Exchange would, as an example, give you different records.

 

Here is an example of the DNS records:


Your domain name is now validated in SES – congratulations

When the domain identity is verified, rather than pending, and we have previously set up our email bucket, we can move on to adding an email address identity and creating an SES receiving rule to place it into the bucket.

While this is a lot of work, it becomes okay in the long-run, and validates that you have spent the time to do it and know how to provide a basic service that others would not know how to do. While an entry level cPanel small business site can cost upwards of say, $170 a year or much higher, and while there is more admin work to maintain Amazon AWS, you are leveraging enterprise/government quality systems. A cPanel service can go under strain with ups and downs depending on what the shared users are doing.  We also control the security very tightly in Amazon. What you will notice is that shell scripting varies depending on use of Linxux2023 or Debian 11. I do not use Debian 12 at this time even though I have configured it. It is a little different. If using Axigen as an email service on Debian, you are game to own your own service, you have to use Debian 11 X86 (not ARM) and a t3a.micro instance with GP3 disk. Otherwise, we can use Debian (ARM) or Linux 2023 on t4g.micro and GP3. You only use larger instances if using multi-sites, or have a serious business with over 100 visitors a day – you can check the EC2 console for any CPU overload.