How to assign an SSL certificate per domain to secure the mail server in Plesk (SNI support)?

Comments

60 comments

  • Anton Maslov

    @thierry, quite the opposite, this is a priority feature; it is something we are going to consider implementing in the upcoming 17.9 version. And 17.9 first because this will probably require major changes in the code or even at the product architecture level, so developing on preview versions allows us to test it properly and keep 17.8 stable. If possible, we backport updates to the current stable version.

    >Without SNI, most of the emails sent are going directly to Junk folder of the receiver

    SNI should not affect mail delivery; there is only one problem SNI solves: getting a warning about a non-trusted certificate when connecting to your mailbox with a mail client. There are a lot of reasons why mail goes to spam: DKIM or SPF not configured, bad domain reputation (Google has its own internal algorithms) or bad email content. We do have a good troubleshooting article to check that.

    >Even if SNI has been added to Postfix 3.0.4, Debian is using 3.1.9 (https://packages.debian.org/stretch/postfix), CentOS 7 is using Postfix 2.10

    We have a practice of building packages ourselves if that is required. For example, PHP 7.3 is not available on CentOS and Debian, but you can install it because Plesk builds it from source.

  • thierry

    Plesk does not respect the best practices for good email deliverability; the developers are probably too lazy to make these changes?

    Plesk is an old company already and maybe has started to think that it's not necessary to follow best practices and new options.

    It must be fixed as soon as possible, as a priority task; without good email deliverability and respect for best practices, it doesn't make sense to use Plesk.

    We need to be able to use one SSL certificate per domain name for the SMTP server.

    AND now in Outlook 2016 it's impossible to choose the SMTP server, so if we have Plesk it's practically impossible to use Outlook!

    PLEASE WAKE UP Plesk....

  • Anton Maslov

    @João If we start developing Postfix, who will continue to develop Plesk? Human resources are limited; it is not possible to implement all the features. If we dedicate time to helping Postfix, we will need to drop other features that have higher priority for our customers.

    Also, SNI has been added to Postfix 3.4.0, which was released as stable on the 27th of February. This means we can start working on implementing this from the Plesk side. We hope to add SNI support in Plesk 17.9, which is approximately going to be released in Q4 2019. But these are very rough dates since the feature is yet to be reviewed, estimated and planned.

  • Alexandr Redikultsev

    Hi @TheJenne18 and @thierry,

    Actually, there is an update indeed. We have already decided that we will implement SNI support in Plesk for Linux when it becomes available in Postfix. And as far as we know, SNI support is going to be implemented in Postfix 3.4 or thereabouts.

    No ETA is available at the moment however.

  • Anzhelika Khapaknysh (edited)

    Hi @thierry!

    We totally agree that the feature is useful indeed.
    However, Plesk would have looked into developing it on our side if there were no plans for its implementation by the Postfix team themselves.

    As this feature is considered more than a minor enhancement and implies changing the business logic of Postfix, it would be illegitimate to interfere with the Postfix developers' future plans.

  • Denis Bykov

    @Hany S. Hanna
    That will address both issues. Some mail providers are more inclined to consider the mail spam if those conditions aren't met by the sender; hence the warning notice on MXToolBox.

  • Daniel Bickel

    I updated to the latest Obsidian today but I cannot see the dropdown mentioned in step 4. I only see "for webmail" but not "for mail". Why? There are Let's Encrypt certificates active for webmail. So how can I use SNI support for mail?

  • Bato Tsydenov

    @thierry

    Thank you for your suggestion.

    This functionality is planned for implementation.

    However, there is no exact ETA for this.

    I asked our developers to shed some light on this matter.

    I will update you here once I have a reply from them.

  • Anton Maslov

    @thierry

    I have my own server with Plesk and I use Outlook 2016.

    The problem you are talking about is, I suppose, known as "Reverse DNS does not match SMTP Banner"; to make it work properly the following conditions should be met:

    1. Your SMTP banner (HELO) should be example.com, which resolves e.g. to IP 192.168.0.1
    2. Your domain's mail should then be sent from IP 192.168.0.1
    3. Your PTR record for 192.168.0.1 should point to example.com

    That's all, and here it does not matter what you used in Outlook for the incoming/outgoing server settings.

    Now about your example:

    >HELO (server) = domaine.com

    >Greeting = server name WRONG ! = Junk email

    It is important to keep in mind that we have 2 SMTP sessions:

    1. Outlook connects to your Plesk server. 

    2. Your Plesk server connects to gmail.com 

    In case 1, SNI will allow you to set up multiple certificates and use multiple domain names for the incoming/outgoing mail server. Without SNI you will get an error about a certificate/hostname mismatch.

    In case 2, SNI no longer has any effect, and it also does not matter what you used for the incoming/outgoing mail server settings, since this is an SMTP session between your server and Gmail, and in that case Plesk allows you two options:

    1. HELO is your domain name, domaine.com; if you want to use that option, you should add domaine.com as the PTR record for the sending IP.
    2. HELO is your hostname (default option). Here you need to make sure the hostname resolves to the IP you use for mailing and the PTR for that IP contains the hostname.

    Hope that helps you configure the mail server.

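
The three alignment conditions in the comment above (HELO name resolves to the sending IP, the PTR of that IP is the HELO name, the 220 banner announces the same host) can be checked mechanically. The script below is an added example, not Plesk's own code: the DNS lookups are injectable, so it runs against a constructed lookup table (TEST-NET-1 addresses, no real hosts) and, with the default lookups, against the system resolver. The names `example.com`, `domaine.com` and `192.0.2.x` are illustrative only.

```python
"""Check that HELO name, sending IP and PTR record line up (FCrDNS).

Added example; not Plesk's own code. It implements the three conditions
listed in the comment above (HELO resolves to the sending IP, the PTR of
that IP is the HELO name, and optionally the 220 banner announces the
same host). The DNS lookups are injectable so the logic runs against the
constructed table below without network access; the default lookups use
the system resolver.
"""
from __future__ import annotations

import socket
from typing import Callable, Dict, List, Optional, Set, Tuple

Lookup = Callable[[str], Set[str]]


def dns_forward(name: str) -> Set[str]:
    """All addresses a name resolves to (empty set if it does not resolve)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def dns_reverse(ip: str) -> Set[str]:
    """All PTR names for an address, lower-cased, without trailing dot."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return set()
    return {h.rstrip(".").lower() for h in [host, *aliases]}


def banner_hostname(banner: str) -> str:
    """Hostname announced in an SMTP greeting:
    '220 mail.example.com ESMTP Postfix' -> 'mail.example.com'."""
    parts = banner.split()
    if len(parts) < 2 or not parts[0].startswith("220"):
        raise ValueError(f"not a 220 banner: {banner!r}")
    return parts[1].rstrip(".").lower()


def check_helo_alignment(helo: str, sending_ip: str, banner: Optional[str] = None,
                         forward: Lookup = dns_forward,
                         reverse: Lookup = dns_reverse) -> Tuple[bool, List[str]]:
    """Return (ok, problems); ok is True only when every condition holds."""
    helo = helo.rstrip(".").lower()
    problems: List[str] = []

    addrs = forward(helo)                       # condition 1: HELO -> sending IP
    if sending_ip not in addrs:
        problems.append(f"HELO {helo} resolves to {sorted(addrs) or 'nothing'}, "
                        f"not to sending IP {sending_ip}")

    ptr_names = reverse(sending_ip)             # conditions 2+3: IP -> PTR -> HELO
    if helo not in ptr_names:
        problems.append(f"PTR for {sending_ip} is {sorted(ptr_names) or 'missing'}, "
                        f"not {helo}")

    if banner is not None:                      # the banner must name the same host
        announced = banner_hostname(banner)
        if announced != helo:
            problems.append(f"SMTP banner announces {announced}, HELO/PTR name is {helo}")

    return not problems, problems


# Constructed DNS data for the demo (TEST-NET-1 addresses, not real hosts):
# the server's own hostname is aligned; the customer domain sends from its
# own IP, but that IP's PTR still points at the server hostname.
EXAMPLE_FORWARD: Dict[str, Set[str]] = {
    "mail.example.com": {"192.0.2.10"},
    "domaine.com": {"192.0.2.20"},
}
EXAMPLE_REVERSE: Dict[str, Set[str]] = {
    "192.0.2.10": {"mail.example.com"},
    "192.0.2.20": {"mail.example.com"},
}


def example_forward(name: str) -> Set[str]:
    return EXAMPLE_FORWARD.get(name.rstrip(".").lower(), set())


def example_reverse(ip: str) -> Set[str]:
    return EXAMPLE_REVERSE.get(ip, set())


if __name__ == "__main__":
    banner = "220 mail.example.com ESMTP Postfix"
    for helo, ip in (("mail.example.com", "192.0.2.10"), ("domaine.com", "192.0.2.20")):
        ok, problems = check_helo_alignment(helo, ip, banner, example_forward, example_reverse)
        print(f"{helo} from {ip}: {'aligned' if ok else 'MISMATCH'}")
        for p in problems:
            print("  -", p)
```

Run it as-is for the constructed demo, or call `check_helo_alignment(helo, ip, banner)` without the last two arguments to query real DNS for your own server. The second demo case is the situation described further down in this thread: the customer domain is used as HELO and has its own IP, but the IP's PTR and the banner still name the server hostname, so two of the three conditions fail.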
  • Alan Hughes

    I have upgraded to Plesk Obsidian Version 18.0.19 and don't see this option. I have deleted the Let's Encrypt cert and reinstalled the wildcard, and still do not see the option for securing MAIL.

  • Anzhelika Khapaknysh

    @Alan Hughes,

    Check whether SNI is enabled in psa.conf as described in this article: https://support.plesk.com/hc/en-us/articles/213944545

  • Ivan Postnikov

    Hello Felipe Martini,

    Starting from version 16.12, the Plesk Premium Email extension supports SNI.

    To enable SNI for a domain with a new or updated mail certificate:

    1. Log in to Plesk
    2. Protect the domain with an SSL certificate
    3. Install the latest extension updates
    4. Open the Plesk Premium Email extension and click the Fix button:

    Note: the Fix button should be pressed every time a certificate for the mail service is installed or updated.

  • Anton Maslov

    @thierry, yes, Plesk Obsidian will be globally released later this year. It is a very much needed and demanded feature; we are glad we are now able to provide it with an upcoming release.

  • thierry

    Thanks for this clear answer and for letting us know Obsidian will be released globally (later this year), which will make OVH use it.

    This thread started in September 2018, we are in August 2019, and we need to wait for a solution MAYBE later this year, right?

    I'll just let you imagine what your customers might have in mind ;-)

    Regards

  • Alisa Kasyanova

    @thierry
    Thank you for the explanations! It is important that you have dedicated IP addresses for each domain; it changes the overall picture completely.
    Of course, in this case, there would be issues with the deliverability due to a certificate mismatch.
    The point is that SNI allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate.
    It means that multiple certificates can be used on one IP address, which is NOT your case.
    You have multiple domains on multiple IP addresses, so you can use different certificates on each IP.
    Please refer to the following article, it describes how you can set up such configuration in Postfix: https://lxadm.com/Postfix_and_multiple_SSL_certificates
    But please also note that in some cases master.cf is rewritten, for example when using the "plesk repair mail" command, so it may be necessary to back up your working master.cf and manually restore it in case it is rewritten.
    In addition, Plesk has different options for outgoing mail: https://support.plesk.com/hc/en-us/articles/213905445-How-do-different-outgoing-mail-modes-work-on-Plesk-server-
    So you may select sending emails from one particular IP address. However, as I understood, you are using the second mode (Send from domain IP addresses and use domain names in SMTP greeting).

    I hope my explanations have shed some light on the issue.

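
The comment above explains what SNI does (one IP, one port, a different certificate per requested name) and the earlier comment in this thread explains the client-side symptom without it (a certificate/hostname mismatch warning). The probe below is an added example, not Plesk's or Postfix's own code: it speaks plain SMTP over a socket so that the STARTTLS handshake can carry an SNI name that differs from the host you connected to, which is exactly what a mail client does when its outgoing server is set to smtp.domain2.com but the box answers as mail.domain1.com. Hostname matching is implemented locally (RFC 6125 rules: exact label match, or a single leftmost wildcard label) so it can be tested on the constructed certificate data below without a network. The hostnames `mail.domaine1.com` and `smtp.domaine2.com` and the constructed EHLO reply are illustrative.

```python
"""Probe which certificate an SMTP server presents for a given SNI name
and check whether that name is covered by it.

Added example, not Plesk's or Postfix's own code. Uses only the standard
library; the network part needs a reachable server, everything else runs
on the constructed data at the bottom.
"""
from __future__ import annotations

import io
import socket
import ssl
from typing import Iterable, List, Tuple


def read_reply(rfile) -> Tuple[int, List[str]]:
    """Read one SMTP reply, which may span several '250-' lines, and
    return (code, lines). The last line has a space (not '-') after the code."""
    lines: List[str] = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed while reading reply")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def parse_reply(raw: bytes) -> Tuple[int, List[str]]:
    """read_reply over an in-memory buffer (for tests and captured sessions)."""
    return read_reply(io.BytesIO(raw))


def offers_starttls(ehlo_lines: Iterable[str]) -> bool:
    """True if the EHLO reply advertises the STARTTLS extension."""
    return any(line[4:].strip().upper() == "STARTTLS" for line in ehlo_lines)


def san_dns_names(cert: dict) -> List[str]:
    """dNSName entries from the dict returned by ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname: str, names: Iterable[str]) -> bool:
    """RFC 6125-style match of a hostname against certificate names."""
    host = hostname.lower().rstrip(".")
    for pattern in names:
        pat = pattern.lower().rstrip(".")
        if pat == host:
            return True
        # '*.domaine1.com' covers 'smtp.domaine1.com' but neither 'domaine1.com'
        # nor 'a.b.domaine1.com': the wildcard must be the whole leftmost label.
        if pat.startswith("*.") and "*" not in pat[2:]:
            labels = host.split(".", 1)
            if len(labels) == 2 and labels[1] == pat[2:]:
                return True
    return False


def probe_starttls_cert(host: str, port: int, sni_name: str, timeout: float = 10.0) -> dict:
    """Connect to host:port (587 for submission), negotiate STARTTLS with
    sni_name in the ClientHello and return the parsed peer certificate.
    check_hostname is off so a mismatch is reported by the caller instead of
    raised; the chain is still validated, so the dict is empty for untrusted certs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        code, _ = read_reply(rfile)
        if code != 220:
            raise RuntimeError(f"unexpected greeting code {code}")
        sock.sendall(b"EHLO probe.invalid\r\n")
        code, lines = read_reply(rfile)
        if code != 250 or not offers_starttls(lines):
            raise RuntimeError("server did not offer STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(rfile)
        if code != 220:
            raise RuntimeError(f"STARTTLS refused with code {code}")
        rfile.close()                      # nothing more is read in plaintext
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert()


def sni_report(sni_name: str, cert: dict) -> Tuple[bool, List[str]]:
    """(covered, names): whether the certificate presented for sni_name actually
    contains it. A mail client shows a name-mismatch warning when this is False."""
    names = san_dns_names(cert)
    return hostname_matches(sni_name, names), names


# Constructed data: what getpeercert() returns for a certificate that covers
# the server hostname and a wildcard for one customer domain, plus an EHLO reply.
EXAMPLE_CERT = {"subjectAltName": (("DNS", "mail.domaine1.com"), ("DNS", "*.domaine1.com"))}
EXAMPLE_EHLO = b"250-mail.domaine1.com\r\n250-STARTTLS\r\n250 SMTPUTF8\r\n"


if __name__ == "__main__":
    import sys
    host, sni = sys.argv[1], sys.argv[2]       # e.g. mail.domaine1.com smtp.domaine2.com
    covered, names = sni_report(sni, probe_starttls_cert(host, 587, sni))
    print(f"SNI {sni}: {'covered' if covered else 'NOT covered'} by {names}")
```

Run it twice against the same server with two different SNI names: a server without SNI support hands back the same certificate for both, and the report for the second name says NOT covered, which is the warning Outlook shows. In Postfix 3.4 and later the server side of this is the tls_server_sni_maps table (built with postmap -F so the values are read as certificate files), which is the facility the comments above refer to.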
  • Greg P

    @Anton Maslov: Am I to understand from your previous posts that, when Postfix 3.4 is available and has SNI, you will be incorporating it into Plesk as a custom added service, like the high-end PHP versions are, so we CentOS 7.6.x people can take advantage of the new SNI Postfix/Dovecot capability?

  • Felipe Martini

    I did not find this Fix button; where is that?

  • Pierre-Emmanuel DEGRYSE

    Hi,

    What's the ETA of the next stable release which will include this capability?

    Best Regards,

  • thierry

    @Anton Maslov

    >SNI should not affect mail delivery

    That's not true ;-) SNI makes it possible to get the right "Greeting" with the SMTP domain name, and of course that's important for good email deliverability.

    Have you tried to use Outlook without SNI? Probably NOT. Most customers are using Outlook...

    Outlook gives an error because the SMTP (SSL 995) is wrong if you try to use the domain name, and you have no other choice than to enter the server name manually instead of the domain name to be able to use Outlook.

    Then we get this result when sending emails:
    IP = ip domaine.com
    HELO (server) = domaine.com
    rDNS = domaine.com
    Greeting = server name WRONG ! = Junk email

    Then the emails are sent with the server name (SMTP SSL) and not with the domain name; for this reason, you can be sure Gmail or Microsoft (Hotmail and so on) will put the emails sent directly into the receiver's Junk folder...

    And of course, before I came here to complain, my first step was to make sure that I am fully compliant with DKIM and SPF + DMARC (strict mode) ;-)

    Is it clearer for you? We cannot use mailboxes with Plesk; this is not acceptable because we get daily complaints from our customers... it's a nightmare!

    Please think twice when you say "If we dedicate time helping Postfix we will need to drop other features that have more priority for our customers."

    Of course it must be your first priority; we need to be able to send emails with Plesk. Not considering this problem the first priority is not reasonable.

  • thierry

    Hello @Ivan Postnikov

    Just above, on 10 May, you told us that you need time to collect this info.

    We are now on 31 May, 20 days later... did you get enough time :-)?

    Please come back to this topic; MANY customers expect to get support for Postfix 3.4 with SNI implemented.

    Now you told us above: an upcoming major release of Plesk.

    We are really hoping that it wasn't only an announcement.

    Thank you for your understanding.

  • Julian Bonpland Mignaquy

    Hi Sascha Schlüter, you may remove it in Plesk > Extensions > Plesk Premium Email.

  • Sascha Schlüter

    Thank you, Julian!

  • Hany S. Hanna

    Hello Anton Maslov

    You mentioned that "The problem you are talking I suppose known as "Reverse DNS does not match SMTP Banner", to make it work properly the following conditions should be met:

    1. Your SMTP banner(HELO) should be example.com which resolve e.g. to IP 192.168.0.1
    2. You domain mail should be sent then from IP 192.168.0.1
    3. Your PTR record for 192.168.0.1 should point to example.com "

    Does this mean that if the 3 conditions above have been met the mismatch alert in MXToolBox will disappear, or will this only affect the servers' communications?

    Thank you

  • Maxim Krasikov

    Hello @Marc,

    The cause of this behaviour is not clear and a detailed investigation is required.

    Please contact Plesk technical support for assistance:
    https://support.plesk.com/hc/en-us/requests/new

  • Julian Bonpland Mignaquy

    @Luis, currently SNI is only supported for Postfix+Dovecot on Linux and MailEnable 10.20 for Windows.

  • thierry

    @Anton Maslov

    Yes, of course "Reverse DNS MUST match SMTP Banner":

    IP = ip domaine1.com
    HELO (server) = domaine1.com
    rDNS = domaine1.com

    This configuration must be done to get good deliverability. (I am in this case and do not use gmail.com as in your example above.)

    Then this configuration is going to work perfectly if you are using ONLY one domain name with the server, if you have renamed the server to domain1.com.

    In this case, with domain1.com, it's possible to get the DNS "greeting server" with the SSL SMTP.

    But in the case where you are using multiple domain names, you cannot get the DNS "greeting server" for each domain name; it will be possible with ONLY domaine1.com.

    Then the SMTP server NAME (SSL 995) cannot be multiple; it MUST always be domaine1.com!

    If you want to send emails with smtp.domain2.com, Outlook will display a warning message and tell you that you must use smtp.domain1.com as SMTP because the SSL DNS greeting server is on smtp.domain1.com.

    Finally, when you want to send emails with domain2.com, you have no other choice than to use smtp.domain1.com, and that's really bad for deliverability.

    Clearer?

  • Alisa Kasyanova

    @thierry
    >> Finally, when you want to send emails with domain2.com, you have no other choice than to use smtp.domain1.com, and that's really bad for deliverability.
    Thousands of Plesk servers use such settings successfully. All our documentation sections and articles emphasize that the incoming and outgoing mail server name in the mail client settings must match the mail certificate's domain name.
    Most probably, there is some other misconfiguration that causes messages to end up in SPAM. We would really like to help you find it, so please submit a request to support (https://support.plesk.com/hc/en-us/articles/213608509-How-to-submit-a-request-to-Plesk-support-) or let us know if you wish us to create a ticket for you.

  • Martin George

    Could you guys at least please link the bug that stops the most common use case for this from working? This is not working for Let's Encrypt certificates issued by Plesk itself.

    https://support.plesk.com/hc/en-us/articles/360026242633--Unable-to-set-SNI-certificates-for-mail-Postfix-using-Let-s-Encrypt-certificates

  • Anzhelika Khapaknysh

    Hi @Martin George,

    I agree with you that it's a bit confusing.
    We've added a warning regarding this bug.

    Thanks for your input!

  • Ivan Postnikov

    Hello Felipe Martini

    According to the information I have, it should look like below after getting a new or updating the mail certificate:

    In case this won't work for you I suggest submitting a request to Plesk support.
