How to secure mail server with Let's Encrypt certificate?

Comments

16 comments

  • Stéphan Schamp

    Note that this neither reloads nor restarts Postfix or Dovecot,
    so the SSL certificates are not active after the extension tells you everything went OK.

  • Konstantin Annikov (Edited)

    Hello,

    A Postfix restart is not needed here, because Plesk just replaces the content of the certificate file without changing the Postfix configs.

    Below you can find more technical details:

    The certificate used for the mail service before switching had the "kannikov.ru" subject:

    # openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
    Subject: CN=kannikov.ru

    Once I updated the certificate in Plesk UI: 

    CONFIG_TEXT: [2017-10-27 15:16:55] DEBUG [util_exec] [c64db062db3f494f8236170e248b9c2f-0] Starting: sslmng --services=postfix dovecot --certificate --cert=/usr/local/psa/var/certificates/certAUPd9WY, stdin:
    ...
    [2017-10-27 15:16:55] DEBUG [util_exec] [c64db062db3f494f8236170e248b9c2f-0] Starting: sslmng --services=postfix dovecot --certificate --cert=/usr/local/psa/var/certificates/certAUPd9WY, stdin:
    [2017-10-27 15:17:00] INFO [panel] The default certificate certificate was successfully set to secure the mail server.

    The certificate changed its subject to:

    # openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
    Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=[email protected]

    And neither Postfix nor Dovecot was restarted.
    I also checked that the certificate was changed by connecting with Outlook.

  • Stéphan Schamp

    Odd, I had this with a customer and he claimed that it always kept giving him the same cert.
    I should've verified this further myself.

    Used a test server:

    # ls -la /etc/postfix/postfix.pem
    ls: cannot access /etc/postfix/postfix.pem: No such file or directory

    # grep -i 'pem' /etc/postfix/main.cf
    smtpd_tls_cert_file = /etc/postfix/postfix_default.pem

    # ls -la /etc/postfix/postfix_default.pem
    -rw------- 1 root root 2888 Feb 22 2017 /etc/postfix/postfix_default.pem

    # openssl x509 -in /etc/postfix/postfix_default.pem -text -noout | grep -i subject | head -1
    Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=[email protected]

    # openssl s_client -showcerts -connect 127.0.0.1:465 2>&1 | grep subject
    subject=/C=CH/L=Schaffhausen/O=Plesk/CN=Plesk/emailAddress=[email protected]

    I then configured the LE cert via Plesk -> Tools & Settings -> SSL Certificates

    # grep -i 'pem' /etc/postfix/main.cf
    smtpd_tls_cert_file = /etc/postfix/postfix.pem

    # openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
    Subject: CN=<redacted>

    # openssl s_client -showcerts -connect 127.0.0.1:465 2>&1 | grep subject
    subject=/CN=<redacted>

    So yes, this should just work as intended without a Postfix reload or restart.
    However, the Postfix conf was changed, just slightly:

    smtpd_tls_cert_file = /etc/postfix/postfix_default.pem -> smtpd_tls_cert_file = /etc/postfix/postfix.pem

    Thanks for looking into this!

  • Konstantin Annikov

    @Stéphan

    I manually modified the Postfix config file:

    # grep -i 'pem' /etc/postfix/main.cf
    smtpd_tls_cert_file = /etc/postfix/postfix_default.pem

    and restarted Postfix to apply the changes. openssl returned the same value for the file and for the host:

    # openssl x509 -in /etc/postfix/postfix_default.pem -text -noout | grep -i subject | head -1
    Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=[email protected]
    # openssl s_client -connect 127.0.0.1:25 -starttls smtp 2>&1 | grep subj
    subject=/C=CH/L=Schaffhausen/O=Plesk/CN=Plesk/emailAddress=[email protected]

    Then I changed the certificate from the Plesk UI:

    # less /var/log/plesk/panel.log
    [2017-10-27 13:44:15] INFO [panel] A new Let&#039;s Encrypt certificate has been generated for kannikov-adoring-easley.plesk.space.
    [2017-10-27 13:44:36] INFO [panel] The Lets Encrypt certificate certificate was successfully set to secure the mail server.

    And checked the certificate: 

    # grep -i 'pem' /etc/postfix/main.cf
    smtpd_tls_cert_file = /etc/postfix/postfix.pem

    # openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
    Subject: CN=kannikov-adoring-easley.plesk.space

    # openssl s_client -connect 127.0.0.1:25 -starttls smtp 2>&1 | grep subj
    subject=/CN=kannikov-adoring-easley.plesk.space

    As you can see, the certificate file location was changed by Plesk and the changes were applied in Postfix on the fly (Postfix did not restart, as the process has been running since 13:21, but the certificate was reinstalled at 13:44):

    # ps auxf |grep -v grep | grep postfix | grep master
    root 15757 0.0 0.9 65408 4648 ? Ss 13:21 0:00 /usr/lib/postfix/sbin/master

    Based on this, I can conclude that a restart is not needed for Postfix to apply changes in the certificate file.

    However, if there is an issue regarding that on your server, feel free to create a request to our support here:

    https://support.plesk.com/hc/en-us/requests/new

  • Marco Marsala

    I applied this article, but after that, all mail clients I tried issued a security warning. I tried many times and I'm always experiencing this issue.

  • Ivan Postnikov

    @Marco Marsala

    Hello!
    Could you share more details about which warning is shown?

  • Jeffrey Zeunert

    I get a mismatch error when testing mail.domain.tld. It seems the test shows the certificate for "www", not mail.

    On the Plesk Certificates page, the certificate for securing mail says "Let's Encrypt certificate from server pool".

    The error from the SSL check says:

    None of the common names in the certificate match the name that was entered

  • John Aquilio (Edited)

    I followed the instructions given in the post by Dinara Aspembitova above.

    I generated one certificate for myOrg.com. Used that certificate for securing three things: (a) the site myOrg.com, (b) Plesk as indicated in your instructions, (c) mail as in your instructions.

    Now, to test everything is OK, I went to https://www.checktls.com and ran the test for "myOrg.com". While everything else was OK, I got the following message:

    Cert Hostname DOES NOT VERIFY (mail.myOrg.com != myOrg.com | DNS:myOrg.com | DNS:www.myOrg.com)

    So email is encrypted but the host is not verified.

    What should I do to fix this?

    P.S. My mail server is mail.myOrg.com.

  • Ivan Postnikov

    Hello @Josh,

    The cause of this warning is that the domain name in the certificate is myOrg.com but the mail server has the domain name mail.myOrg.com.

    It is required to generate a certificate for the domain name mail.myOrg.com and apply it to the mail server.

    The article will be updated with the additional info.
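    The mismatch John reports above and the openssl s_client checks Stéphan and Konstantin run can be combined into a single check. The Python below is an added example, not Plesk's code and not part of the article: it parses `openssl x509 -text` output, applies the hostname-matching rule mail clients use (SAN names take precedence, the CN is consulted only for legacy certificates without a SAN, a wildcard covers exactly one label), and, in its live part, assumes an `openssl` binary on PATH to query each mail port with SNI for the name clients actually type in. The sample certificate text is constructed to mirror the checktls result quoted above (certificate for myOrg.com and www.myOrg.com, server reached as mail.myOrg.com).

```python
"""Check which certificate a mail service presents and whether it covers the
name clients connect to. Added example (not Plesk code); the live part assumes
the `openssl` binary is on PATH, as in the checks quoted in this thread."""
import re
import subprocess


def parse_dns_names(san_text):
    """Pull DNS names out of an openssl-style SAN string, tolerating the
    ', ' separator openssl prints and the ' | ' separator checktls prints."""
    return re.findall(r"DNS:([^\s,|]+)", san_text)


def parse_cert_text(text):
    """Return (CN, [SAN DNS names]) from `openssl x509 -text -noout` output."""
    cn_match = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", text, re.M)
    san_match = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    cn = cn_match.group(1).strip() if cn_match else None
    names = parse_dns_names(san_match.group(1)) if san_match else []
    return cn, names


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive exact match, or a wildcard
    standing for exactly one leftmost label (*.myOrg.com covers mail.myOrg.com
    but neither myOrg.com nor a.mail.myOrg.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # ".myorg.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def certificate_covers(hostname, dns_names, cn=None):
    """Decide whether a client connecting to `hostname` will accept this cert.
    When a SAN extension is present only its names count; the CN is consulted
    solely for legacy certificates that carry no SAN at all."""
    candidates = dns_names if dns_names else ([cn] if cn else [])
    for name in candidates:
        if name_matches(name, hostname):
            return True, f"{hostname} is covered by {name}"
    return False, f"{hostname} is not covered by any of {candidates}"


def fetch_cert_text(host, port, server_name, starttls=None):
    """Live check (network): fetch the leaf certificate a service presents for
    SNI name `server_name` and return its `openssl x509 -text` dump. Same idea
    as the s_client checks quoted above, with -servername added so an
    SNI-capable service (Dovecot) is asked for the name clients actually use."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", server_name]
    if starttls:
        cmd += ["-starttls", starttls]
    s_client = subprocess.run(cmd, input=b"", capture_output=True, timeout=30)
    x509 = subprocess.run(["openssl", "x509", "-text", "-noout"],
                          input=s_client.stdout, capture_output=True, timeout=30)
    return x509.stdout.decode(errors="replace")


def audit_mail_host(client_name, host=None):
    """Check every port a mail client may use; returns {port: (ok, reason)}."""
    host = host or client_name
    services = {25: "smtp", 587: "smtp", 465: None, 993: None, 995: None}
    results = {}
    for port, starttls in services.items():
        cn, names = parse_cert_text(fetch_cert_text(host, port, client_name, starttls))
        results[port] = certificate_covers(client_name, names, cn)
    return results


# Constructed sample: the situation John describes above, a certificate issued
# for myOrg.com/www.myOrg.com presented by a server clients reach as mail.myOrg.com.
SAMPLE_CERT_TEXT = """Certificate:
    Data:
        Subject: CN=myOrg.com
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:myOrg.com, DNS:www.myOrg.com
"""

if __name__ == "__main__":
    cn, names = parse_cert_text(SAMPLE_CERT_TEXT)
    print(certificate_covers("mail.myOrg.com", names, cn)[1])
    # Against a real server: print(audit_mail_host("mail.myOrg.com"))
```

    Running the offline sample reports that mail.myOrg.com is not covered, which is exactly the checktls verdict; `audit_mail_host` repeats that decision for the live certificate on each port so a mismatch is found before customers' mail clients start warning.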

  • Marco Marsala (Edited)

    @John, @Ivan, what if customers configured mail clients to use mail.domainname.tld? A typical shared hosting server may host up to a thousand domains; it is practically infeasible to instruct all users to adjust the configuration of their mail clients.

    It should at least generate mail server certificates for: mail.domainname.tld (for every server domain), domain.tld, servername.tld, mail.servername.tld.

    Please take into account that almost all modern mail clients provide a wizard configurator, asking just for the e-mail address and password, then they try to automatically discover the IMAP/SMTP server names; they do that by trying mail.domainname.tld. They fail if the mail. subdomain is not properly secured.

    Currently, Microsoft Outlook for PC and mobile refuses to connect to unsecured mail servers.

  • John Aquilio (Edited)

    Hello @Ivan,

    So, is it possible to generate a Let's Encrypt certificate for mail.myOrg.com? I couldn't find a way to do that. The certificate I was able to generate was for myOrg.com.

    Basically, I am trying to figure out how to secure my mail server at mail.myOrg.com now that, as you confirmed, I can't use the same certificate as the one generated for myOrg.com.

    P.S. I am using Plesk on a Windows server.

  • Ivan Postnikov

    Hello @Marco,

    Thank you for being interested in the new functionality of Plesk.

    This limitation is caused by Postfix not supporting SNI.

    Plesk development team is looking for ways to improve it.

  • Ivan Postnikov

    Hello @Josh,

    Let me give you a more precise answer.

    The article was updated with the following notice:

    When connecting to the mail server, make sure to use the domain name in the certificate issued while securing the Plesk mail server.
    Advise your customers to do the same. Otherwise, the mail client software may be unable to verify the mail server identity, which may cause issues when sending or receiving mail, like this one.

    As a workaround, you may create the subdomain mail.myOrg.com and issue a certificate for it. After that, assign the certificate to the mail server.

    In case you have many domains on the server, to avoid errors, mail clients should use the domain name from the mail server certificate when being set up.

  • Marco Marsala

    @Ivan, IMAP/POP3 connectivity is provided by Dovecot, not Postfix. Dovecot supports SNI.

  • Ivan Postnikov

    @Marco, yes, you are absolutely correct.

    As I have previously mentioned, the Plesk Development Team is aware that such a feature is highly required.

    Expect it to be added in future Plesk updates.
