How to assign an SSL certificate per domain to secure the mail server in Plesk (SNI support)?

Follow

Comments

70 comments

  • Avatar
    Anton Maslov

    @thierry this is vice versa a priority feature, it is something we are going to consider for implementing in the upcoming 17.9 version. And 17.9 first because this probably will require major changes in code or even in product architecture level, thus developing on preview versions allows us to test it properly and keep 17.8 stable. If possible, we backport updates to the current stable version.

    >Without SNI, most of the emails sent are going directly to Junk folder of the receiver

    SNI should not affect mail delivery, there is only one problem SNI solves: getting a warning about non-trusted certificate connecting to your mailbox with a mail client. There are a lot of reasons why mail goes to spam: not configured DKIM or SPF, bad domain reputation (Google has own internal algorithms) or bad email content. We do have a good troubleshooting article to check that.

    >Even if SNI have been added to Postfix 3.0.4, DEBIAN is using 3.1.9 (https://packages.debian.org/stretch/postfix) CentOS 7 using Postfix 2.10

    We have a practice of building packages ourselves if that is required. For example PHP 7.3 not available on Centos and Debian but you can install it because Plesk builds it from sources.

    4
    Comment actions Permalink
  • Avatar
    thierry

    Plesk do not respect the best pratice for a good email deliverability, the develoopers are probably lazy to make this changes ?

    Plesk is an old company already and maybe started to think that's not necessary to follow the best pratice and new options.

    It must be fixed as soon as possible, as a priority task, without a good email deliverability and respect best practices, Plesk doesn't make sense to be used.

    We need to be able to use one SSL certificate by domain name for the smtp server.

    AND now in Outlook 2016 it's impossible to choose the smtp server, then if we have Plesk it's like impossible to use Outlook !

    PLEASE WAKE UP Plesk....

    3
    Comment actions Permalink
  • Avatar
    Anton Maslov

    @João If we start developing Postfix, who will continue to develop Plesk? People resources are limited, it is not possible to implement all the features. If we dedicate time helping Postfix we will need to drop other features that have more priority for our customers. 

    Also, SNI has been added to Postfix 3.4.0 which is released as stable now on the 27-th of February. Means we can start working on implementing this from Plesk side. We hope to add SNI support in Plesk 17.9 which approximately going to be released on Q4 2019. But these are very rough dates since the feature is yet to be reviewed, estimated and planned.

     

    2
    Comment actions Permalink
  • Avatar
    Alexandr Redikultsev

    Hi @TheJenne18 and @thierry,

    Actually, there is an update indeed. We already decided that we will implement SNI support in Plesk Linux when it will be available in Postfix. And as far as we know, SNI support is going to be implemented in Postfix 3.4 or near it. 

    No ETA is available at the moment however.

    2
    Comment actions Permalink
  • Avatar
    Anzhelika Khapaknysh (Edited )

    Hi @thierry!

    We totally agree that the feature is useful indeed.
    However, Plesk would have been looking forward in getting it developed on our side if there were no plans of its implementation by the Postfix team themselves.

    As this feature is considered more than a minor enhancement and implies changing the business logic of Postfix, it would be illegitimate to interfere in Postfix developers future plans.

    2
    Comment actions Permalink
  • Avatar
    Denis Bykov

    @Hany S. Hanna
    That will address both issues. Some mail providers tend more to consider the mail spam if those conditions aren't met by the sender. Therefore, the warning notice on MXToolBox.

    1
    Comment actions Permalink
  • Avatar
    Daniel Bickel

    Updated to the latest Obsidian today but I can not see the dropdown mentioned in step4. I only see "for webmail" but not "for mail". Why? There are lets encrypt certificates active for webmail. So how can I use SNI support for mail?

    1
    Comment actions Permalink
  • Avatar
    Bato Tsydenov

    @thierry

    Thank you for your suggestion.

    This functionality is planned for implementation.

    However, there is no exact ETA for this.

    I asked our developers to shed some light on this matter.

    I will update you here once I have a reply from them.

    1
    Comment actions Permalink
  • Avatar
    kalin clements

    Actually we may have just found a workaround, although it requires additional steps and waiting.

    On another domain (let's say thedomain.com) we re-issued its certificate using a wildcard certificate and "Assign the certificate to the mail domain".

    To do so requires adding the provided TXT record to the domain's DNS and then waiting for it to be publicly propagated.

    After finishing the wildcard SSL installation, the "openssl s_client..." still yields a CN of thedomain.com WITHOUT any mail. subdomain in front.  However, Outlook sent/received using mail.thedomain.com without any complaint or SSL issues whatsoever.

    But ideally, Plesk would fix this for us so that the checkbox in the domain settings work and a wildcard SSL isn't required for it to work.

     

     

    1
    Comment actions Permalink
  • Avatar
    kalin clements

    Plesk, please help - we're trying to solve this issue as well.
    We're using CentOS7, Postfix & Dovecot.  No Premium Plesk Email. We've verified that SNI is on, and that ports 465 and 995 are being listened to by postix & dovecot respectively according to netstat.
    We've been testing this on numerous servers and domains - some that integrate cloudflare and some that do not - just to try and explore all possibilities.  So far, it seems that it's strictly related to Plesk and have found no fix.

    Currently we and all our clients are having to the server names like servername.ourdomain.com for all POP/SMTP traffic.  (the mail SSL for the server is setup set in Plesk>Tools & Settings>SSL/TLS Certificates)  That works fine, but mail.clientdomain.com would be much better and for future migrations we don't have to tell each one to change their mail server settings.

    To clarify, for the most recent test moments ago:
    We re-issued an SSL to a clean, non-Cloudflare domain (we'll call it clientdomain.com) that previously did not have the "Assign the certificate to the mail domain" checked.

    Previously, the "openssl s_client..." command lookup for mail.clientdomain.com resulted in showing the CN of the server itself like servername.ourdomain.com .  But this results in a domain/certificate error is apps like Outlook.

    Once the SSL was re-issued with "Assign the certificate to the mail domain" checked, the "openssl s_client..." command for mail.clientdomain.com results in a CN of clientdomain.com .

    So that's close, but no cigar since that's still technically not the mail.clientdomain.com that outlook is trying to connect to.  Therefore another SSL/certificate error.
    If we try to connect simply to clientdomain.com as the mailservers in outlook, the connection times out.

    Also see this related issue: https://talk.plesk.com/threads/lets-encrypt-and-assign-the-certificate-to-mail-domain-problems-and-autodiscovery-issues-caused-by-this.360307/

    The command referred to above to check the CN is:
    #echo 'Q' | openssl s_client -connect localhost:465 -servername mail.clientdomain.com -showcerts 2>&1 | grep -Eo 'CN=[^/]+' | uniq

    netstat command to check port listening:
    #netstat -tlnp | grep 995

    1
    Comment actions Permalink
  • Avatar
    Anton Maslov

    @thierry

    I have my own server with Plesk and I use Outlook 2016.

    The problem you are talking I suppose known as "Reverse DNS does not match SMTP Banner", to make it work properly the following conditions should be met:

    1. Your SMTP banner(HELO) should be example.com which resolve e.g. to IP 192.168.0.1
    2. You domain mail should be sent then from IP 192.168.0.1
    3. Your PTR record for 192.168.0.1 should point to example.com

    That's all and here does not matter what you used in Outlook settings for incoming/outgoing settings.

    Now about your example:

    >HELO (server) = domaine.com

    >Greeting = server name WRONG ! = Junk email

    Important to keep in mind we have 2 SMTP sessions:

    1. Outlook connects to your Plesk server. 

    2. Your Plesk server connects to gmail.com 

    In case 1 SNI  will allow you to setup multiple certificates and use for incoming/outgoing mail server multiple domain names. Without SNI you will get an error about certificate/hostname mismatch. 

    In case 2 SNI already does not take any effect as well as does not matter what you used for incoming/outgoing mail server settings, since this is SMTP session between your server and gmail already, and in that case Plesk allows you two options:

    1. HELO is your domain name - domaine.com, if you want to use that option, you should add your domaine.com as a PTR record for sending IP.
    2. HELO is your hostname(default option). Here you need to make sure hostname resolves to IP you use for mailing and PTR for that IP contains hostname.

    Hope that help you to configure mail server.

    1
    Comment actions Permalink
  • Avatar
    Alan Hughes

    I have upgraded to Plesk Obsidian Version 18.0.19 and dont see this option. I have deleted the Lets encrypt cert and reinstalled the wildcard, still do not see the option for securing MAIL

    1
    Comment actions Permalink
  • Avatar
    Anzhelika Khapaknysh

    @Alan Hughes,

    Check whether SNI is enabled in psa.conf as described in this article: https://support.plesk.com/hc/en-us/articles/213944545

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello Felipe Martini,

    Starting from version 16.12, Plesk Premium Email extension supports SNI.

    To enable SNI for the domain with the new or updated mail certificate:

    1. Log in to Plesk
    2. Protect domain with SSL certificate
    3. Install the latest extension updates
    4. Open Plesk Premium Email extension and click Fix button:

    Note: the Fix button should be pressed every time a certificate for mail service is installed or updated.

    0
    Comment actions Permalink
  • Avatar
    Anton Maslov

    @thierry, yes, Plesk Obsidian will be globally released later this year. It is needed a very demanded feature, we are glad we are now able to provide it with an upcoming release.

    0
    Comment actions Permalink
  • Avatar
    Pleskadminlinux

    We have clients that only have email service. We don’t have web or dns hosting. This doesn’t allow the use of customerdomain.tld as mail server on email client.

    A good workaround was add webmail.customerdomain.tld as a server name indication (SNI):

    • How can we configure webmail.customerdomain.tld as a server name indication (SNI)?
    • A good and easy improvement to PLESK was add webmail.customerdomain.tld as a server name indication (SNI) by default.
    0
    Comment actions Permalink
  • Avatar
    thierry

    Thanks for this clear answer and to let us know Obsidian will be released globally (later this year) which will makes OVH to use it.

    This thread started on september 2018, we are on august 2019, and we need to wait for a solution MAYBE later this year, right ?

    I just let you imagine what your customers can have in their mind ;-)

    Regards

    0
    Comment actions Permalink
  • Avatar
    Mark

    Plesk created this Uservoice request for me but I do not think it or my reply to it give the best explanation or possible solution: https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/45565207-issuing-let-s-encrypt-certificates-for-mail-domain

    0
    Comment actions Permalink
  • Avatar
    kalin clements

    Hi, Mark.

    I agree - it's preferable to not use Wildcard SSLs and for this just to work as it's supposed to.

    I can confirm that this a new issue.  Our old/previous servers were using CentOS6 and only a slightly older version of Plesk.  We had a number of clients using mail.theirdomain.com as their mail servers.  So it was definitely working then.  We updated/migrated all clients and domains to new CentOS7 systems with the latest Plesk, and that's when we noticed the issue and have been troubleshooting ever since.  The servername.ourdomain.com method works fine for now, but if/when we have to migrate to the next gen of servers it could require us having to contact each of these clients and have them change their mail server to differentservername.ourdomain.com - which takes a TON of extra time.

    So really it's just up to Plesk to fix this issue.

    Regarding the secondary thread you mentioned - that'd be a separate issue since I don't see how Let's Encrypt could verify a domain with the A record pointed elsewhere.  Unless of course the A record is simply a proxy to the real server location like when using Cloudflare.  Let's Encrypt has to write files to the server being secured and then verify those files, so pointing the record totally somewhere else seems like would totally break its verification method.

    0
    Comment actions Permalink
  • Avatar
    Nicola Urbinati

    Hi,

    I'd like to change the server name from domain.com to smtp.domain.com (as I'd like to keep domain.com proxied in Cloudflare)

    Is that possible? How?

    Thank you,

    0
    Comment actions Permalink
  • Avatar
    Mariano Loo

    Anyone was able to resolved this issue... Keep getting MISMATCH SSL with emails

    0
    Comment actions Permalink
  • Avatar
    Mark (Edited )

    Magestyx, I can confirm the issue and work around. To me this sounds like a recent issue or did this never work as it should? I rather not use 'Wildcard SSL/TLS certificate' if I don't have to.

    So the bug seems to be: "Assign the certificate to the mail domain" does exactly what it says but not exactly what I would expect: it assigns the created certificate to the mail server for use with IMAP, POP, SMTP but it does not take care of a certificate for mail.domain.tld. mail.domain.tld SSL will only work after a Wildcard SSL/TLS certificate is created.

    0
    Comment actions Permalink
  • Avatar
    Alisa Kasyanova

    @thierry
    Thank you for the explanations! It is important that you have dedicated IP addresses for each domain, it changes the overall picture completely.
    Of course, in this case, there would be issues with the deliverability due to a certificate mismatch.
    The point is that SNI allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate.
    It means that multiple certificates can be used on one IP address, which is NOT your case.
    You have multiple domains on multiple IP addresses, so you can use different certificates on each IP.
    Please refer to the following article, it describes how you can set up such configuration in Postfix: https://lxadm.com/Postfix_and_multiple_SSL_certificates
    But also please note that in some cases master.cf is being rewritten, for example, when using "plesk repair mail" command, so it would be possibly needed to back up your working master.cf and manually replace it in case it is rewritten.
    In addition, Plesk has different options for outgoing mail: https://support.plesk.com/hc/en-us/articles/213905445-How-do-different-outgoing-mail-modes-work-on-Plesk-server-
    So you may select sending emails from one particular IP address. However, as I understood, you are using the second mode (Send from domain IP addresses and use domain names in SMTP greeting).

    I hope my explanations have shed some light on the issue.

    0
    Comment actions Permalink
  • Avatar
    Greg P

    @Anton Maslov: Am I to understand from your previous posts that when Postfix 3.4 is available and has SNI you will be incorporating it into Plesk as a custom added service like the high-end PHP versions are so we CentOS 7.6.x people can take advantage of the new SNI Postfix/Dovecot capability?

    0
    Comment actions Permalink
  • Avatar
    Felipe Martini

    O not found This fix button where os that?

    0
    Comment actions Permalink
  • Avatar
    Pierre-Emmanuel DEGRYSE

    Hi,

      What's the ETA of the next future stable release which will include this capability?

    Best Regards,

    0
    Comment actions Permalink
  • Avatar
    thierry

    @Anton Maslov

    @Anton Maslov

    SNI should not affect mail delivery

    That's not true ;-) SNI makes able to get the right "Greeting" with the SMTP domain name and of course it's important to get a good email deliverability.

    Have you tried to use Outlook without SNI ? probably NOT. Most of the customers are using Outlook...

    Outlook gives an error because the SMTP (SSL 995) is wrong if you try to use the domain name, and you don't have other choice to enter manually the server name instead of the domain name to be able to use Outlook.

    Then we get this result to send emails :
    IP = ip domaine.com
    HELO (server) = domaine.com
    rDNS = domaine.com
    Greeting = server name WRONG ! = Junk email

    Then the emails are sent with the server name (SMTP SSL) and not with the domain name, for this reason, you can be sure Gmail or Microsoft (Hotmail and so on..) will put the emails sent directly to Junk folder of the receiver...

    And of course, before I came here to complain, my first step have been to be sure that I am fully compliant DKIM and SPF + DMARC (strict mode) ;-)

    Is it more clear for you ? We cannot use email boxes with Plesk, this is not acceptable because we get daily complain from our customers...it's a nightmare !

    Please try to think twice when you are saying ""If we dedicate time helping Postfix we will need to drop other features that have more priority for our customers."

    Of course it must be your first priority, we need to be able to send emails with Plesk. To do not consider this problem as the first priority is not reasonable

    0
    Comment actions Permalink
  • Avatar
    thierry

    Hello @Ivan Postnikov

    Just above on 10 may you told us that you need time to collect this info.

    We are now on 31 may, 20 days later...did you get enough time :-) ?

    Please be back on this topic, MANY customers expect to get the implement support of Postfix 3.4 with SNI

    Now you told us above : an upcoming major release of Plesk.

    We really hoping that it wasn't only an announce

    Thank for your understanding

     

    0
    Comment actions Permalink
  • Avatar
    Julian Bonpland Mignaquy

    Hi Sascha Schlüter you may remove it in Plesk > Extensions > Plesk Premium Email.

    0
    Comment actions Permalink
  • Avatar
    Sascha Schlüter

    Thank you, Julian!

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request