How to secure mail server with Let's Encrypt certificate

Comments

4 comments

  • Stéphan Schamp

    Note that this neither reloads nor restarts Postfix or Dovecot.
    So the SSL certificates are not active after the extension tells you everything went OK.

  • Konstantin Annikov (Edited)

    Hello,

    A Postfix restart is not needed here, because Plesk just replaces the content of the certificate file without changing the Postfix configs.

    Below you can find more technical details:

    The certificate which was used for the mail service before switching had the "kannikov.ru" subject:

    # openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
    Subject: CN=kannikov.ru

    Once I updated the certificate in Plesk UI: 

    [2017-10-27 15:16:55] DEBUG [util_exec] [c64db062db3f494f8236170e248b9c2f-0] Starting: sslmng --services=postfix dovecot --certificate --cert=/usr/local/psa/var/certificates/certAUPd9WY, stdin:
    ...
    [2017-10-27 15:16:55] DEBUG [util_exec] [c64db062db3f494f8236170e248b9c2f-0] Starting: sslmng --services=postfix dovecot --certificate --cert=/usr/local/psa/var/certificates/certAUPd9WY, stdin:
    [2017-10-27 15:17:00] INFO [panel] The default certificate certificate was successfully set to secure the mail server.

    The certificate changed its subject to:

    # openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
    Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com

    And neither Postfix nor Dovecot was restarted.
    I also checked that the certificate was changed by connecting with Outlook.

  • Stéphan Schamp

    Odd, I had this with a customer and he claimed that it always kept giving him the same cert.
    I should've verified this further myself.

    Used a test server:

    # ls -la /etc/postfix/postfix.pem
    ls: cannot access /etc/postfix/postfix.pem: No such file or directory

    # grep -i 'pem' /etc/postfix/main.cf
    smtpd_tls_cert_file = /etc/postfix/postfix_default.pem

    # ls -la /etc/postfix/postfix_default.pem
    -rw------- 1 root root 2888 Feb 22 2017 /etc/postfix/postfix_default.pem

    # openssl x509 -in /etc/postfix/postfix_default.pem -text -noout | grep -i subject | head -1
    Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com

    # openssl s_client -showcerts -connect 127.0.0.1:465 2>&1 | grep subject
    subject=/C=CH/L=Schaffhausen/O=Plesk/CN=Plesk/emailAddress=info@plesk.com

    I then configured the LE cert via Plesk -> Tools & Settings -> SSL Certificates

    # grep -i 'pem' /etc/postfix/main.cf
    smtpd_tls_cert_file = /etc/postfix/postfix.pem

    # openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
    Subject: CN=<redacted>

    # openssl s_client -showcerts -connect 127.0.0.1:465 2>&1 | grep subject
    subject=/CN=<redacted>

    So yes, this should just work as intended without a Postfix reload or restart.
    However, the Postfix config was changed, just slightly:

    smtpd_tls_cert_file = /etc/postfix/postfix_default.pem -> smtpd_tls_cert_file = /etc/postfix/postfix.pem

    Thanks for looking into this!

  • Konstantin Annikov

    @Stéphan


    I have manually modified the file in the Postfix config:

    # grep -i 'pem' /etc/postfix/main.cf
    smtpd_tls_cert_file = /etc/postfix/postfix_default.pem

    and restarted Postfix to apply the changes. openssl returned the same value for the file and for the host:

    # openssl x509 -in /etc/postfix/postfix_default.pem -text -noout | grep -i subject | head -1
    Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com
    # openssl s_client -connect 127.0.0.1:25 -starttls smtp 2>&1 | grep subj
    subject=/C=CH/L=Schaffhausen/O=Plesk/CN=Plesk/emailAddress=info@plesk.com

    Then I changed certificate from Plesk UI: 

    # less /var/log/plesk/panel.log
    [2017-10-27 13:44:15] INFO [panel] A new Let's Encrypt certificate has been generated for kannikov-adoring-easley.plesk.space.
    [2017-10-27 13:44:36] INFO [panel] The Lets Encrypt certificate certificate was successfully set to secure the mail server.

    And checked the certificate: 

    # grep -i 'pem' /etc/postfix/main.cf
    smtpd_tls_cert_file = /etc/postfix/postfix.pem

    # openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
    Subject: CN=kannikov-adoring-easley.plesk.space

    # openssl s_client -connect 127.0.0.1:25 -starttls smtp 2>&1 | grep subj
    subject=/CN=kannikov-adoring-easley.plesk.space

    As you can see, the certificate file location was changed by Plesk and the changes were applied in Postfix on the fly (Postfix did not restart, as the process has been running since 13:21, but the certificate was reinstalled at 13:44):

    # ps auxf |grep -v grep | grep postfix | grep master
    root 15757 0.0 0.9 65408 4648 ? Ss 13:21 0:00 /usr/lib/postfix/sbin/master

    Based on this, I can conclude that a restart is not needed for Postfix to apply changes in the certificate file.

    However, if there is an issue regarding that on your server, feel free to create a request to our support here:

    https://support.plesk.com/hc/en-us/requests/new 
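
The check the commenters perform by hand (subject of the file in `smtpd_tls_cert_file` versus the subject `openssl s_client` receives), done programmatically. This is an added example, not Plesk's code and not either commenter's. It fingerprints the first certificate in the file Postfix is configured to serve and the leaf certificate actually presented on 25 (STARTTLS), 465 and 993, so both Postfix and Dovecot are covered after a Let's Encrypt rotation. It compares SHA-256 fingerprints rather than subjects, because a renewed Let's Encrypt certificate keeps the same CN and a subject comparison would report success on a stale certificate. Assumptions: the services listen on 127.0.0.1 on those ports, `postconf` or /etc/postfix/main.cf is readable, and the sample main.cf and PEM text are constructed for the stand-alone run. The Postfix 3.4+ parameter smtpd_tls_chain_files, which overrides smtpd_tls_cert_file when set, is not handled.

```python
"""Added example (not Plesk's own code): verify, without restarting anything,
that the certificate Postfix and Dovecot present on the wire is the one in the
file main.cf points at.  Exits non-zero on any mismatch or unreachable port."""
import base64
import hashlib
import re
import smtplib
import socket
import ssl
import subprocess
import sys
from typing import Dict, Optional


def sha256_hex(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def parse_main_cf(main_cf_text: str, param: str) -> Optional[str]:
    """Value of `param` in main.cf text; the last assignment wins, as in Postfix.
    Comment lines are skipped; indented continuation lines are not handled."""
    value = None
    for line in main_cf_text.splitlines():
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m and m.group(1) == param:
            value = m.group(2)
    return value


def configured_cert_file() -> str:
    """Path Postfix is configured to serve.  `postconf -h` prints the bare value
    from the running instance; fall back to parsing main.cf if it is missing."""
    try:
        out = subprocess.run(["postconf", "-h", "smtpd_tls_cert_file"],
                             capture_output=True, text=True, check=True)
        return out.stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        with open("/etc/postfix/main.cf", encoding="ascii", errors="replace") as f:
            value = parse_main_cf(f.read(), "smtpd_tls_cert_file")
        if not value:
            raise RuntimeError("smtpd_tls_cert_file is not set")
        return value


def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of the FIRST certificate block in a PEM bundle.  Plesk's
    postfix.pem also carries the private key and chain, so never hash the file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return sha256_hex(base64.b64decode("".join(m.group(1).split())))


def file_fingerprint(path: str) -> str:
    with open(path, "rb") as f:
        return pem_fingerprint(f.read().decode("ascii", "replace"))


def served_fingerprint(host: str, port: int, starttls_smtp: bool = False) -> str:
    """Fingerprint of the leaf certificate the server actually presents.
    Verification is off on purpose: we are identifying the cert, not trusting it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    if starttls_smtp:                   # 25/587: plain SMTP, then STARTTLS
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            der = smtp.sock.getpeercert(binary_form=True)
    else:                               # 465 (smtps) / 993 (imaps): implicit TLS
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    return sha256_hex(der)


def compare(file_fp: str, served: Dict[str, str]) -> Dict[str, bool]:
    """True per endpoint if it serves exactly the on-disk certificate."""
    return {name: fp == file_fp for name, fp in served.items()}


# Constructed sample input for a stand-alone run: a fake key block followed by a
# fake certificate body, mimicking the layout of Plesk's postfix.pem.  Not real.
SAMPLE_DER = b"constructed, not a real certificate"
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
              "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_MAIN_CF = ("# constructed main.cf excerpt\n"
                  "smtpd_tls_cert_file = /etc/postfix/postfix_default.pem\n"
                  "smtpd_tls_cert_file = /etc/postfix/postfix.pem\n")


def main() -> int:
    cert_file = configured_cert_file()
    file_fp = file_fingerprint(cert_file)
    endpoints = {"smtp/25 STARTTLS": ("127.0.0.1", 25, True),
                 "smtps/465": ("127.0.0.1", 465, False),
                 "imaps/993 (Dovecot)": ("127.0.0.1", 993, False)}
    served = {}
    for name, (host, port, starttls) in endpoints.items():
        try:
            served[name] = served_fingerprint(host, port, starttls)
        except (OSError, smtplib.SMTPException) as exc:
            served[name] = f"unreachable: {exc}"   # counts as a mismatch
    ok = compare(file_fp, served)
    print(f"{cert_file}: {file_fp}")
    for name, match in ok.items():
        print(f"{'OK ' if match else 'BAD'} {name}: {served[name]}")
    return 0 if all(ok.values()) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it right after the Plesk UI reports the certificate as installed, and again a couple of minutes later. Postfix's master spawns a fresh smtpd for new connections and each smtpd reads main.cf and loads the certificate when it starts, so a changed file or path shows up once the old idle smtpd processes have exited, which is why the commenters see the new certificate without a restart; a lingering BAD on port 25 or 465 means an old smtpd is still serving. The 993 line is the only reliable answer for Dovecot, which has its own ssl_cert setting and is not covered by the Postfix reasoning above.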
