Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to secure a Plesk mail server with an SSL certificate from Let's Encrypt or other certificate authorities?
Answer
Note: After configuring an SSL certificate for a Plesk mail server, use the domain name from this SSL certificate when connecting to the Plesk mail server. Advise your customers to do the same. For details, see this KB article.
Alternatively, secure the mail server with an SSL certificate for each domain separately.
To secure the mail server with a Let's Encrypt certificate:
- Once the Let's Encrypt extension is installed, go to Tools & Settings > SSL/TLS Certificates (under Security).
- Click Let's Encrypt.
  Note: If the Let's Encrypt extension is not installed, install it from the Plesk Extensions catalog.
- Make sure the Domain name and Email address fields contain valid information:
  - Domain name will be used as the incoming and outgoing mail server when setting up an email account in a mail client. This domain must point to your Plesk server.
  - Email address will be used to receive important notifications and warnings.
- Click Install. At this stage, an SSL certificate from Let's Encrypt is generated and automatically set to secure Plesk on port 8443. This certificate will be auto-renewed every 90 days.
- Now, to secure the Plesk mail server, click [Change] next to Certificate for securing mail.
- In the drop-down list, select Lets Encrypt certificate (server pool) and click OK. Here is the final look:
To secure the mail server with a certificate from another certificate authority:
- Go to Tools & Settings and click SSL/TLS Certificates.
- On the SSL/TLS Certificates page, add your certificate:
  Warning: Make sure to include the CA certificate in the certificate chain to avoid errors when connecting with mail clients.
  Note: If you are experiencing issues with the certificate installation, contact your certificate seller and ask for instructions for Plesk.
  - If the SSL certificate is stored in a single *.crt file: click Browse... to select the certificate file, then click Upload Certificate.
  - If the SSL certificate is stored as *.key and *.crt files: click Add under List of certificates in server pool, scroll down to the Upload the certificate files section and upload these files. If both the certificate and the private key parts of your certificate are contained in one *.pem file (you can check this by opening the *.pem file in any text editor), upload it twice, both as the private key and as the certificate. Click Upload Certificate once finished.
  - If the SSL certificate is stored as text: click Add under List of certificates in server pool and scroll down to the Upload the certificate as text section. There, paste the certificate and the private key parts into the corresponding fields. Click Upload Certificate when you have finished.
- Click [Change] next to Certificate for securing mail > select the uploaded certificate > click OK. Now the mail server is secured with an SSL certificate.
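Whichever certificate source you used, the result is worth checking from the outside: that each mail service presents the new certificate with a complete chain, and that the certificate's names cover the hostname mail clients are told to use (the cause of the "common names do not match" warnings discussed in the comments). This is an added example, not part of the Plesk article; it uses only the Python standard library, and mail.example.com is a placeholder hostname.

```python
import smtplib
import socket
import ssl

def cert_names(cert):
    """DNS names a certificate is valid for: SAN dNSName entries, falling back to the
    subject CN only when the certificate carries no SAN at all (RFC 6125 section 6.4.4)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for kind, v in rdn if kind == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive comparison; a leading wildcard covers exactly one label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        return "." in p[2:] and h.count(".") == p.count(".") and h.endswith(p[1:])
    return p == h

def hostname_matches(cert, hostname):
    """True when the name a mail client connects to is covered by the certificate."""
    return any(name_matches(n, hostname) for n in cert_names(cert))

def check_mail_service(host, port, starttls=False, timeout=10):
    """Connect to one mail service (25/587 via STARTTLS, 465 or 993 implicit TLS) and
    report the names in the certificate it presents and whether `host` matches them.
    The chain is still verified against the system CA store, so an upload that left out
    the CA certificate shows up as an error rather than a list of names."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done below so the offered names get reported
    result = {"host": host, "port": port, "names": [], "matches": False, "error": None}
    try:
        if starttls:
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()
            smtp.quit()
        else:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    cert = tls.getpeercert()
        result["names"] = cert_names(cert)
        result["matches"] = hostname_matches(cert, host)
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    return result

if __name__ == "__main__":
    # mail.example.com is a placeholder; use the hostname your mail clients are told to use.
    for port, starttls in ((25, True), (465, False), (993, False)):
        print(check_mail_service("mail.example.com", port, starttls=starttls))
```

A result with `error` set to "unable to get local issuer certificate" points at a missing CA certificate in the upload; `matches` being False with `names` listing only the bare domain is the mail.domain.tld mismatch from the comments.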
Comments
31 comments
Note that this does not reload nor restart Postfix or Dovecot.
So the SSL certificates are not active after the extension tells you everything went ok.
Hello,
A Postfix restart is not needed here, because Plesk just replaces the content of the certificate file without changing the Postfix configs.
Below you can find more technical details:
The certificate which was used for the mail service before switching had the "kannikov.ru" subject:
# openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
Subject: CN=kannikov.ru
Once I updated the certificate in Plesk UI:
[2017-10-27 15:16:55] DEBUG [util_exec] [c64db062db3f494f8236170e248b9c2f-0] Starting: sslmng --services=postfix dovecot --certificate --cert=/usr/local/psa/var/certificates/certAUPd9WY, stdin:
...
[2017-10-27 15:16:55] DEBUG [util_exec] [c64db062db3f494f8236170e248b9c2f-0] Starting: sslmng --services=postfix dovecot --certificate --cert=/usr/local/psa/var/certificates/certAUPd9WY, stdin:
[2017-10-27 15:17:00] INFO [panel] The default certificate certificate was successfully set to secure the mail server.
The certificate changed its subject to:
# openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com
And Postfix was not restarted, nor was Dovecot.
I also checked that the certificate was changed by connecting with Outlook.
Odd, I had this with a customer and he claimed that it always kept giving him the same cert.
I should've verified this further myself.
Used a test server:
# ls -la /etc/postfix/postfix.pem
ls: cannot access /etc/postfix/postfix.pem: No such file or directory
# grep -i 'pem' /etc/postfix/main.cf
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
# ls -la /etc/postfix/postfix_default.pem
-rw------- 1 root root 2888 Feb 22 2017 /etc/postfix/postfix_default.pem
# openssl x509 -in /etc/postfix/postfix_default.pem -text -noout | grep -i subject | head -1
Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com
# openssl s_client -showcerts -connect 127.0.0.1:465 2>&1 | grep subject
subject=/C=CH/L=Schaffhausen/O=Plesk/CN=Plesk/emailAddress=info@plesk.com
I then configured the LE cert via Plesk -> Tools & Settings -> SSL Certificates
# grep -i 'pem' /etc/postfix/main.cf
smtpd_tls_cert_file = /etc/postfix/postfix.pem
# openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
Subject: CN=<redacted>
# openssl s_client -showcerts -connect 127.0.0.1:465 2>&1 | grep subject
subject=/CN=<redacted>
So yes, this should just work as intended without a postfix reload or restart.
However, the Postfix conf was changed, just slightly.
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem -> smtpd_tls_cert_file = /etc/postfix/postfix.pem
Thanks for looking into this!
@Stéphan
I have manually modified the file in the Postfix config:
# grep -i 'pem' /etc/postfix/main.cf
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
and restarted Postfix to apply the changes. openssl returned the same value for the file and for the host:
# openssl x509 -in /etc/postfix/postfix_default.pem -text -noout | grep -i subject | head -1
Subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com
# openssl s_client -connect 127.0.0.1:25 -starttls smtp 2>&1 | grep subj
subject=/C=CH/L=Schaffhausen/O=Plesk/CN=Plesk/emailAddress=info@plesk.com
Then I changed certificate from Plesk UI:
# less /var/log/plesk/panel.log
[2017-10-27 13:44:15] INFO [panel] A new Let's Encrypt certificate has been generated for kannikov-adoring-easley.plesk.space.
[2017-10-27 13:44:36] INFO [panel] The Lets Encrypt certificate certificate was successfully set to secure the mail server.
And checked the certificate:
# grep -i 'pem' /etc/postfix/main.cf
smtpd_tls_cert_file = /etc/postfix/postfix.pem
# openssl x509 -in /etc/postfix/postfix.pem -text -noout | grep -i subject | head -1
Subject: CN=kannikov-adoring-easley.plesk.space
# openssl s_client -connect 127.0.0.1:25 -starttls smtp 2>&1 | grep subj
subject=/CN=kannikov-adoring-easley.plesk.space
As you can see, the certificate file location was changed by Plesk and the changes were applied in Postfix on the fly (Postfix did not restart, as the process has been running since 13:21, but the certificate was reinstalled at 13:44):
# ps auxf |grep -v grep | grep postfix | grep master
root 15757 0.0 0.9 65408 4648 ? Ss 13:21 0:00 /usr/lib/postfix/sbin/master
Based on this, I can conclude that a restart is not needed for Postfix to apply changes in the certificate file.
However, if there is an issue regarding this on your server, feel free to create a request to our support here:
https://support.plesk.com/hc/en-us/requests/new
I applied this article, but after that, all the mail clients I tried issued a security warning. I tried many times and I'm always experiencing this issue.
@Marco Marsala
Hello!
Could you share more details about which warning is shown?
I get a mismatch error when testing mail.domain.tld. It seems the test shows the certificate for "www", not mail.
On the Plesk Certificates page, Certificate for securing mail says "Let's Encrypt certificate from server pool".
The error from SSL check says:
None of the common names in the certificate match the name that was entered
@Jeffrey Zeunert
I think that the mail.domain.tld you are using to connect to the server is different from the domain name for which the certificate was issued.
Note: If you secure the Plesk mail server with an SSL/TLS certificate, make sure to use the domain name for which the certificate was issued when connecting to the mail server, and advise your customers to do the same. Otherwise, the mail client software may be unable to verify the mail server identity, which may cause issues when sending or receiving mail.
I followed the instructions given in the post by Dinara Aspembitova above.
I generated one certificate for myOrg.com. Used that certificate for securing three things: (a) the site myOrg.com, (b) Plesk as indicated in your instructions, (c) mail as in your instructions.
Now, to test everything is OK, I went to https://www.checktls.com and ran the test for "myOrg.com". While everything else was OK, I got the following message:
Cert Hostname DOES NOT VERIFY (mail.myOrg.com != myOrg.com | DNS:myOrg.com | DNS:www.myOrg.com)
So email is encrypted but the host is not verified.
What should I do to fix this?
P.S. My mail server is mail.myOrg.com.
Hello @Josh,
The cause of this warning is that the domain name in the certificate is myOrg.com but the mail server has the domain name mail.myOrg.com.
It is required to generate a certificate for the domain name mail.myOrg.com and apply it to the mail server.
The article will be updated with the additional info.
@John, @Ivan, what if customers configured mail clients to use mail.domainname.tld? A typical shared hosting server may host up to a thousand domains; it is practically infeasible to instruct all users to adjust the configuration of their mail clients.
It should at least generate mail server certificates for: mail.domainname.tld (for every domain on the server), domain.tld, servername.tld, mail.servername.tld.
Please take into account that almost all modern mail clients provide a wizard configurator, asking just for the e-mail address and password; then they try to automatically discover the IMAP/SMTP server names, and they do that by trying mail.domainname.tld. They fail if the mail. subdomain is not properly secured.
Currently, Microsoft Outlook for PC and mobile refuses to connect to unsecured mail servers.
Hello @Ivan,
So, is it possible to generate a Let's Encrypt certificate for mail.myOrg.com? I couldn't find a way to do that. The certificate I was able to generate was for myOrg.com.
Basically, I am trying to figure out how to secure my mailserver at mail.myOrg.com now that, as you confirmed, I can't use the same certificate as the one generated for myOrg.com.
P.S. I am using Plesk on a Windows server.
Hello @Marco,
Thank you for being interested in the new functionality of Plesk.
This limitation is caused by Postfix not supporting SNI.
Plesk development team is looking for ways to improve it.
Hello @Josh,
Let me give you a more precise answer.
The article was updated with the following notice:
When connecting to the mail server, make sure to use the domain name in the certificate issued when securing the Plesk mail server.
Advise your customers to do the same. Otherwise, the mail client software may be unable to verify the mail server identity, which may cause issues when sending or receiving mail, like this one.
As a workaround, you may create the subdomain mail.myOrg.com and issue a certificate for it, and after that assign the certificate to the mail server.
In case you have many domains on the server, to avoid errors, mail clients should use the domain name from the mail server certificate when the mail clients are set up.
@Ivan, IMAP/POP3 connectivity is provided by Dovecot, not Postfix. Dovecot supports SNI.
@Marco, yes, you are absolutely correct.
As I have previously mentioned, the Plesk Development Team is aware that such a feature is highly required.
Expect it to be added in future Plesk updates.
Hi.
I have around 150 domains on my server and the situation I have is that the certificate was issued to mainservername.tld and www.mainservername.tld.
At first I was instructing the customers to use mainservername.tld as the mail server name to prevent the SSL server name mismatch, but this causes a problem when compared to using mail.theirdomain.tld:
- When the customers let the service go down without renewing the domain, the client's IP address gets banned by fail2ban (after a while causing recidive to permanently disallow access to every service on the server) because mainservername.tld can still be resolved while mail.theirdomain.tld wouldn't, because the domain would have been cancelled;
- Also, if a customer has several domains and lets one go down and doesn't remove the mail configurations from every computer, fail2ban does the trick of blocking the IP and denies access to every other domain, even before recidive does its magic of permanently blocking all services.
In other words, how can I set different certificates for each domain in the mail server?
An option would be to create the certificate with the main domain mainservername.tld and alternative names:
www.mainservername.tld,
mail.theirdomain.tld,
mail.domain1.tld,
mail.domain2.tld,
mail.domain3.tld,
etc etc
I've tried something like this, but Let's Encrypt won't allow more than 100 domain names, and I don't think it would even be a good idea, because every domain on the server would be visible in the certificate, and also transferring a certificate with 150 names on every connection shouldn't be good.
How can I solve this problem?
Cheers.
Hi @Diogo Rodrigues!
Unfortunately, until both Postfix and Dovecot support SNI, there is no way to set different certificates for each domain in the mail server.
The only workaround is to use alternative names. Also, I suggest adding IPs to the Fail2Ban white list to avoid unnecessary blocks.
Thanks for this tutorial. Is it possible to install the Let's Encrypt certificate on mobile for business mail? Do I need SSL installation services to do that, or can I do that on my own?
Hello @Shahbaz,
Generally, Let's Encrypt SSL certificates are installed on the server to secure domains, mail server, etc.
For your purpose, the mail server which your mobile device uses to send mail should be secured. On the mobile device, just configure the mail account as usual.
After securing the mail server with a Let's Encrypt certificate and then adding the same domain that is in the mail server's Let's Encrypt certificate to the outgoing mail SMTP settings in Outlook to avoid the annoying "security certificate cannot be verified" pop-ups, does this override the Plesk option for Outgoing mail mode: Send from domain IP addresses?
I do not want all email to send through the primary IP of the server like the older versions of Plesk.
Hello @Stacey Keel,
Securing a mail server with a certificate does not override the selected option in Outgoing mail mode. However, please note that the option "send from domain IP addresses" implies that even though email is sent from the domain's IP address, the server's hostname is used in the SMTP greeting. This can cause issues like the domain being marked as a spam source because the hostname of the server does not properly resolve to the server, or because there are a lot of domains which use the same IP address.
I suggest checking our article regarding Outgoing mail mode to choose the most useful option for you:
https://support.plesk.com/hc/en-us/articles/213905445-How-do-different-outgoing-mail-modes-work-
It seems I cannot secure my Plesk panel login from a browser AND at the same time secure mail.mydomain.tld. I have to pick one or the other? I'm getting a browser warning. Mail is working fine. I created a subdomain mail.domain.tld and created a Let's Encrypt certificate for it, but that does not secure mail. And I see no way to have two separate Let's Encrypt certs from Tools & Settings > SSL certs.
If this can't be done with Let's Encrypt, can I purchase a separate certificate and get that to work?
Hi guys, we have around 400 domains on our Plesk server and have just upgraded from version 17.5 to the Obsidian early adopter so we can utilize the mail.domainname functionality. Is there a way in the command line to set the SSL certificate for mail for all domains that have the mail service enabled but have no certificate chosen? I don't really want to have to go through 400 domains and manually enable this setting.
Cheers, Mike
@Jeffrey,
It is possible to choose a certificate for securing mail from the ones issued for a domain in Plesk.
If you click "Change", you will be able to select a certificate issued to domains.
@Mike,
You can automate it with the help of command-line utilities. You can issue a certificate for a domain with the help of this utility:
# plesk bin extension --exec letsencrypt cli.php --help
As for setting a certificate for mail service of a particular domain, run this command:
# plesk bin subscription_settings -u example.com -mail_certificate "Lets Encrypt example.com"
You can make a script which will do these operations for all or multiple domains in a loop.
Thank you for your reply Bulat. I believe you are referring to the SSL Cert page in Tools & Settings. When I click "change" I have the option to change the certificate for mail. If I understand correctly, you are saying I then select the domain that is the hostname. When I attempt to do that I do not have an option to scroll down the list of domain names. I see a message "There are 52 more objects available" but that is not clickable. Is there a work-around for this?
Hi Jeffrey,
Thank you for providing more details. I reported this behaviour to our developers, I hope it will be fixed soon.
Meanwhile, you can secure your mail server with the help of a command-line utility.
You can find more details in this article: https://support.plesk.com/hc/en-us/articles/115000553793-How-to-secure-Plesk-and-mail-server-with-Let-s-Encrypt-certificate-via-CLI-
@Jeffrey Zeunert
I've just realised that this field is actually a search bar; you can just start typing the name of the certificate you want to use and it will be found.
Thank you! I was able to search, found the cert, and it's working perfectly.