How to assign separate SSL certificates for different domains on a local mail server in Plesk?

Follow

Comments

13 comments

  • Avatar
    thierry

    Plesk do not respect the best pratice for a good email deliverability, the develoopers are probably lazy to make this changes ?

    Plesk is an old company already and maybe started to think that's not necessary to follow the best pratice and new options.

    It must be fixed as soon as possible, as a priority task, without a good email deliverability and respect best practices, Plesk doesn't make sense to be used.

    We need to be able to use one SSL certificate by domain name for the smtp server.

    AND now in Outlook 2016 it's impossible to choose the smtp server, then if we have Plesk it's like impossible to use Outlook !

    PLEASE WAKE UP Plesk....

  • Avatar
    Bato Tsydenov

    @thierry

    Thank you for your suggestion.

    This functionality is planned for implementation.

    However, there is no exact ETA for this.

    I asked our developers to shed some light on this matter.

    I will update you here once I have a reply from them.

  • Avatar
    Unknown User

    Hello Plesk,

     

    Is their already some kind of an update?

  • Avatar
    Alexandr Redikultsev

    Hi @TheJenne18 and @thierry,

    Actually, there is an update indeed. We already decided that we will implement SNI support in Plesk Linux when it will be available in Postfix. And as far as we know, SNI support is going to be implemented in Postfix 3.4 or near it. 

    No ETA is available at the moment however.

  • Avatar
    thierry

    What do you mean exactly ?

    You are waiting that the developpeurs from Postix solved this problem for free instead of Plesk, and after ¨Plesk will said this problem solved !

    Open Source is really magic to make money ! and make working the people for free...

    I'm sorry but I totally disagree with these methods.

  • Avatar
    Anzhelika Khapaknysh (Edited )

    Hi @thierry!

    We totally agree that the feature is useful indeed.
    However, Plesk would have been looking forward in getting it developed on our side if there were no plans of its implementation by the Postfix team themselves.

    As this feature is considered more than a minor enhancement and implies changing the business logic of Postfix, it would be illegitimate to interfere in Postfix developers future plans.

  • Avatar
    João Dalvi

    I'm sorry, can't you guys help postfix developers to implement this feature? Don't you make enough money for this? You dont have to step over anyone, just offer help (developers) to the postix community to hurry up with this feature. I really doubt they would refuse this. As you guys use postfix in your paid software, it would be nice (actually its nothing more than expected) if you could give something back like helping them out with this feature while also giving the people who gives you money something they want...

  • Avatar
    Pierre-Emmanuel DEGRYSE

    Hi,

      What's the ETA of the next future stable release which will include this capability?

    Best Regards,

  • Avatar
    Anton Maslov

    @João If we start developing Postfix, who will continue to develop Plesk? People resources are limited, it is not possible to implement all the features. If we dedicate time helping Postfix we will need to drop other features that have more priority for our customers. 

    Also, SNI has been added to Postfix 3.4.0 which is released as stable now on the 27-th of February. Means we can start working on implementing this from Plesk side. We hope to add SNI support in Plesk 17.9 which approximately going to be released on Q4 2019. But these are very rough dates since the feature is yet to be reviewed, estimated and planned.

     

  • Avatar
    thierry

    @Anton Maslov

    Thanks for your explanations, it's more clear now : Plesk is ONLY for hosting website without any emails boxes !

    it's extremely shocking to read you and see this : "If we dedicate time helping Postfix we will need to drop other features that have more priority for our customers."

    Please add this to your home page : "With Plesk, you will not be able to send emails because that's not an important features and that's not a priority for us"

    Seriously, are you joking ?

    Without SNI, most of the emails sent are going directly to Junk folder of the receiver, this is just a nightmare... Our customers are complaining daily

    Even if SNI have been added to Postfix 3.0.4, DEBIAN is using 3.1.9 (https://packages.debian.org/stretch/postfix) CentOS 7 using Postfix 2.10

    You really convinced me to give up Plesk, congratulations !

  • Avatar
    Anton Maslov

    @thierry this is vice versa a priority feature, it is something we are going to consider for implementing in the upcoming 17.9 version. And 17.9 first because this probably will require major changes in code or even in product architecture level, thus developing on preview versions allows us to test it properly and keep 17.8 stable. If possible, we backport updates to the current stable version.

    >Without SNI, most of the emails sent are going directly to Junk folder of the receiver

    SNI should not affect mail delivery, there is only one problem SNI solves: getting a warning about non-trusted certificate connecting to your mailbox with a mail client. There are a lot of reasons why mail goes to spam: not configured DKIM or SPF, bad domain reputation (Google has own internal algorithms) or bad email content. We do have a good troubleshooting article to check that.

    >Even if SNI have been added to Postfix 3.0.4, DEBIAN is using 3.1.9 (https://packages.debian.org/stretch/postfix) CentOS 7 using Postfix 2.10

    We have a practice of building packages ourselves if that is required. For example PHP 7.3 not available on Centos and Debian but you can install it because Plesk builds it from sources.

  • Avatar
    thierry

    @Anton Maslov

    @Anton Maslov

    SNI should not affect mail delivery

    That's not true ;-) SNI makes able to get the right "Greeting" with the SMTP domain name and of course it's important to get a good email deliverability.

    Have you tried to use Outlook without SNI ? probably NOT. Most of the customers are using Outlook...

    Outlook gives an error because the SMTP (SSL 995) is wrong if you try to use the domain name, and you don't have other choice to enter manually the server name instead of the domain name to be able to use Outlook.

    Then we get this result to send emails :
    IP = ip domaine.com
    HELO (server) = domaine.com
    rDNS = domaine.com
    Greeting = server name WRONG ! = Junk email

    Then the emails are sent with the server name (SMTP SSL) and not with the domain name, for this reason, you can be sure Gmail or Microsoft (Hotmail and so on..) will put the emails sent directly to Junk folder of the receiver...

    And of course, before I came here to complain, my first step have been to be sure that I am fully compliant DKIM and SPF + DMARC (strict mode) ;-)

    Is it more clear for you ? We cannot use email boxes with Plesk, this is not acceptable because we get daily complain from our customers...it's a nightmare !

    Please try to think twice when you are saying ""If we dedicate time helping Postfix we will need to drop other features that have more priority for our customers."

    Of course it must be your first priority, we need to be able to send emails with Plesk. To do not consider this problem as the first priority is not reasonable

  • Avatar
    Anton Maslov

    @thierry

    I have my own server with Plesk and I use Outlook 2016.

    The problem you are talking I suppose known as "Reverse DNS does not match SMTP Banner", to make it work properly the following conditions should be met:

    1. Your SMTP banner(HELO) should be example.com which resolve e.g. to IP 192.168.0.1
    2. You domain mail should be sent then from IP 192.168.0.1
    3. Your PTR record for 192.168.0.1 should point to example.com

    That's all and here does not matter what you used in Outlook settings for incoming/outgoing settings.

    Now about your example:

    >HELO (server) = domaine.com

    >Greeting = server name WRONG ! = Junk email

    Important to keep in mind we have 2 SMTP sessions:

    1. Outlook connects to your Plesk server. 

    2. Your Plesk server connects to gmail.com 

    In case 1 SNI  will allow you to setup multiple certificates and use for incoming/outgoing mail server multiple domain names. Without SNI you will get an error about certificate/hostname mismatch. 

    In case 2 SNI already does not take any effect as well as does not matter what you used for incoming/outgoing mail server settings, since this is SMTP session between your server and gmail already, and in that case Plesk allows you two options:

    1. HELO is your domain name - domaine.com, if you want to use that option, you should add your domaine.com as a PTR record for sending IP.
    2. HELO is your hostname(default option). Here you need to make sure hostname resolves to IP you use for mailing and PTR for that IP contains hostname.

    Hope that help you to configure mail server.

Please sign in to leave a comment.

Have more questions? Submit a request