Applicable to:
- Plesk Obsidian for Linux
- Plesk Obsidian for Windows
Question
How to assign an SSL certificate per domain to secure the mail server in Plesk (SNI support)?
Answer
Requirements
Warning: If you're switching from Courier to Dovecot be aware of potential issues.
- Issue a Let's Encrypt certificate for a domain, or upload a paid certificate.
- For each of the domains that should have a separate mail certificate, navigate to Domains > example.com > Mail > Mail Settings.
- Select the domain's certificate in the SSL/TLS certificate for mail dropdown.
- Click on Apply.
- Verify that the separate mail certificate is used:
  - On Windows:
    - Connect to the server via RDP.
    - Run OpenSSL with the mail server's domain and check the certificate's CN field:
      PS echo 'Q' | plesk sbin openssl s_client -connect localhost:465 -servername example.com -showcerts 2>&1 | SLS -Pattern 'CN=[^/]+' | % { $_.Matches } | % { $_.Value } | Get-Unique
      CN=example.com
  - On Linux:
    - Connect to the server via SSH.
    - Run OpenSSL with the mail server's domain and check the certificate's CN field:
      # echo 'Q' | openssl s_client -connect localhost:465 -servername example.com -showcerts 2>&1 | grep -Eo 'CN=[^/]+' | uniq
      CN=example.com
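The Linux check above only prints the CN; a mail client also accepts the name through a SAN entry or a wildcard, and rejects a CN=example.com certificate when it connects to mail.example.com. The following added example (not Plesk's code) wraps the same openssl s_client probe for the three implicit-TLS mail ports and applies that hostname-matching rule; the host names it probes by default are hypothetical, and it assumes OpenSSL 1.1.1 or later for the x509 -ext option.

```python
"""Probe which certificate the mail server presents for a given SNI name
and decide whether a client connecting to that name would accept it."""
import re
import subprocess

MAIL_PORTS = {"smtps": 465, "imaps": 993, "pop3s": 995}  # implicit-TLS mail ports used by Plesk


def parse_cert_names(x509_text):
    """Extract the CN and the DNS SAN entries from
    `openssl x509 -noout -subject -ext subjectAltName` output."""
    names = []
    cn = re.search(r"CN\s*=\s*([^,/\n]+)", x509_text)
    if cn:
        names.append(cn.group(1).strip())
    for san in re.findall(r"DNS:([^,\s]+)", x509_text):
        if san not in names:
            names.append(san)
    return names


def name_matches(hostname, cert_names):
    """RFC 6125-style check: an exact match, or a single leading wildcard
    that covers exactly one label (so *.example.com covers mail.example.com
    but not example.com itself)."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            labels = host.split(".")
            if len(labels) >= 3 and ".".join(labels[1:]) == name[2:]:
                return True
    return False


def probe(servername, host="localhost", port=465):
    """Run the article's s_client check with SNI and return (names, matched)."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", servername, "-showcerts"],
        input="Q\n", capture_output=True, text=True, timeout=15, check=False)
    # x509 reads only the first PEM block, i.e. the leaf certificate
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-ext", "subjectAltName",
         "-nameopt", "RFC2253"],
        input=s_client.stdout, capture_output=True, text=True, check=False)
    names = parse_cert_names(x509.stdout)
    return names, name_matches(servername, names)


if __name__ == "__main__":
    import sys
    # hypothetical names; pass real ones on the command line
    for sni in sys.argv[1:] or ["example.com", "mail.example.com"]:
        for service, port in MAIL_PORTS.items():
            names, ok = probe(sni, port=port)
            print(f"{service:5} {sni:30} {'OK' if ok else 'MISMATCH'} presented={names}")
```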
Comments
71 comments
@thierry, on the contrary, this is a priority feature; it is something we are going to consider implementing in the upcoming 17.9 version. And 17.9 first because this will probably require major changes in code or even at the product architecture level, so developing on preview versions allows us to test it properly and keep 17.8 stable. If possible, we backport updates to the current stable version.
>Without SNI, most of the emails sent are going directly to Junk folder of the receiver
SNI should not affect mail delivery, there is only one problem SNI solves: getting a warning about non-trusted certificate connecting to your mailbox with a mail client. There are a lot of reasons why mail goes to spam: not configured DKIM or SPF, bad domain reputation (Google has own internal algorithms) or bad email content. We do have a good troubleshooting article to check that.
>Even if SNI have been added to Postfix 3.0.4, DEBIAN is using 3.1.9 (https://packages.debian.org/stretch/postfix) CentOS 7 using Postfix 2.10
We have a practice of building packages ourselves if that is required. For example, PHP 7.3 is not available on CentOS and Debian, but you can install it because Plesk builds it from sources.
Plesk does not respect the best practices for good email deliverability; the developers are probably too lazy to make these changes?
Plesk is an old company already and maybe started to think that it's not necessary to follow the best practices and new options.
It must be fixed as soon as possible, as a priority task; without good email deliverability and respect for best practices, Plesk doesn't make sense to be used.
We need to be able to use one SSL certificate per domain name for the SMTP server.
AND now in Outlook 2016 it's impossible to choose the SMTP server, so if we have Plesk it's almost impossible to use Outlook!
PLEASE WAKE UP Plesk....
@João If we start developing Postfix, who will continue to develop Plesk? People resources are limited, it is not possible to implement all the features. If we dedicate time helping Postfix we will need to drop other features that have more priority for our customers.
Also, SNI has been added to Postfix 3.4.0, which was released as stable on the 27th of February. This means we can start working on implementing this from the Plesk side. We hope to add SNI support in Plesk 17.9, which is approximately going to be released in Q4 2019. But these are very rough dates since the feature is yet to be reviewed, estimated and planned.
Hi @TheJenne18 and @thierry,
Actually, there is an update indeed. We have already decided that we will implement SNI support in Plesk Linux when it is available in Postfix. And as far as we know, SNI support is going to be implemented in Postfix 3.4 or near it.
No ETA is available at the moment however.
Hi @thierry!
We totally agree that the feature is useful indeed.
However, Plesk would have looked forward to getting it developed on our side if there were no plans for its implementation by the Postfix team themselves.
As this feature is considered more than a minor enhancement and implies changing the business logic of Postfix, it would be illegitimate to interfere in the Postfix developers' future plans.
@Hany S. Hanna
That will address both issues. Some mail providers tend more to consider the mail spam if those conditions aren't met by the sender. Therefore, the warning notice on MXToolBox.
Updated to the latest Obsidian today but I cannot see the dropdown mentioned in step 4. I only see "for webmail" but not "for mail". Why? There are Let's Encrypt certificates active for webmail. So how can I use SNI support for mail?
@thierry
Thank you for your suggestion.
This functionality is planned for implementation.
However, there is no exact ETA for this.
I asked our developers to shed some light on this matter.
I will update you here once I have a reply from them.
Actually we may have just found a workaround, although it requires additional steps and waiting.
On another domain (let's say thedomain.com) we re-issued its certificate using a wildcard certificate and "Assign the certificate to the mail domain".
To do so requires adding the provided TXT record to the domain's DNS and then waiting for it to be publicly propagated.
After finishing the wildcard SSL installation, the "openssl s_client..." still yields a CN of thedomain.com WITHOUT any mail. subdomain in front. However, Outlook sent/received using mail.thedomain.com without any complaint or SSL issues whatsoever.
But ideally, Plesk would fix this for us so that the checkbox in the domain settings work and a wildcard SSL isn't required for it to work.
Plesk, please help - we're trying to solve this issue as well.
We're using CentOS 7, Postfix & Dovecot. No Premium Plesk Email. We've verified that SNI is on, and that ports 465 and 995 are being listened on by Postfix & Dovecot respectively according to netstat.
We've been testing this on numerous servers and domains - some that integrate Cloudflare and some that do not - just to try and explore all possibilities. So far, it seems that it's strictly related to Plesk and we have found no fix.
Currently we and all our clients are having to use server names like servername.ourdomain.com for all POP/SMTP traffic. (The mail SSL for the server is set up in Plesk > Tools & Settings > SSL/TLS Certificates.) That works fine, but mail.clientdomain.com would be much better, and for future migrations we wouldn't have to tell each one to change their mail server settings.
To clarify, for the most recent test moments ago:
We re-issued an SSL to a clean, non-Cloudflare domain (we'll call it clientdomain.com) that previously did not have the "Assign the certificate to the mail domain" checked.
Previously, the "openssl s_client..." command lookup for mail.clientdomain.com resulted in showing the CN of the server itself, like servername.ourdomain.com. But this results in a domain/certificate error in apps like Outlook.
Once the SSL was re-issued with "Assign the certificate to the mail domain" checked, the "openssl s_client..." command for mail.clientdomain.com results in a CN of clientdomain.com.
So that's close, but no cigar, since that's still technically not the mail.clientdomain.com that Outlook is trying to connect to. Therefore another SSL/certificate error.
If we try to connect simply to clientdomain.com as the mail servers in Outlook, the connection times out.
Also see this related issue: https://talk.plesk.com/threads/lets-encrypt-and-assign-the-certificate-to-mail-domain-problems-and-autodiscovery-issues-caused-by-this.360307/
The command referred to above to check the CN is:
# echo 'Q' | openssl s_client -connect localhost:465 -servername mail.clientdomain.com -showcerts 2>&1 | grep -Eo 'CN=[^/]+' | uniq
netstat command to check port listening:
# netstat -tlnp | grep 995
@thierry
I have my own server with Plesk and I use Outlook 2016.
The problem you are talking about is, I suppose, known as "Reverse DNS does not match SMTP Banner"; to make it work properly the following conditions should be met:
That's all and here does not matter what you used in Outlook settings for incoming/outgoing settings.
Now about your example:
>HELO (server) = domaine.com
>Greeting = server name WRONG ! = Junk email
Important to keep in mind we have 2 SMTP sessions:
1. Outlook connects to your Plesk server.
2. Your Plesk server connects to gmail.com
In case 1, SNI will allow you to set up multiple certificates and use multiple domain names for the incoming/outgoing mail server. Without SNI you will get an error about a certificate/hostname mismatch.
In case 2, SNI does not have any effect, and it also does not matter what you used for the incoming/outgoing mail server settings, since this is already the SMTP session between your server and gmail.com, and in that case Plesk allows you two options:
Hope that helps you to configure the mail server.
I have upgraded to Plesk Obsidian Version 18.0.19 and don't see this option. I have deleted the Let's Encrypt cert and reinstalled the wildcard, and still do not see the option for securing MAIL.
@Alan Hughes,
Check whether SNI is enabled in psa.conf as described in this article: https://support.plesk.com/hc/en-us/articles/213944545
Hello Felipe Martini,
Starting from version 16.12, Plesk Premium Email extension supports SNI.
To enable SNI for the domain with the new or updated mail certificate:
Note: the Fix button should be pressed every time a certificate for mail service is installed or updated.
@thierry, yes, Plesk Obsidian will be globally released later this year. It is a much-needed, highly demanded feature, and we are glad we are now able to provide it with an upcoming release.
We have clients that only have email service. We don’t have web or dns hosting. This doesn’t allow the use of customerdomain.tld as mail server on email client.
A good workaround was to add webmail.customerdomain.tld as a server name indication (SNI):
Thanks for this clear answer and for letting us know Obsidian will be released globally (later this year), which will make OVH use it.
This thread started in September 2018, we are in August 2019, and we need to wait for a solution MAYBE later this year, right?
I just let you imagine what your customers can have in their mind ;-)
Regards
Dear Mikhail,
I have a Plesk server running on Ubuntu 20.04.5. I can use your script and everything is fine, but: it is still impossible to connect with Thunderbird 102.2.2 (64-bit) running on Linux.
I have also checked https://support.plesk.com/hc/en-us/articles/360015529259-How-does-mail-autodiscover-function-work-in-Plesk, these requests are working fine, too.
I have configured https://talk.plesk.com/threads/unable-to-connect-with-imap-via-mail-client-webmail-works.362352/. If I use the autodiscover URL I always get "failed to verify the legitimacy of the server and therefore could not establish a secure connection to it".
I wonder, because certificates are well configured. I do not know the reason, can you help?
Plesk created this Uservoice request for me but I do not think it or my reply to it give the best explanation or possible solution: https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/45565207-issuing-let-s-encrypt-certificates-for-mail-domain
Hi, Mark.
I agree - it's preferable to not use Wildcard SSLs and for this just to work as it's supposed to.
I can confirm that this is a new issue. Our old/previous servers were using CentOS 6 and only a slightly older version of Plesk. We had a number of clients using mail.theirdomain.com as their mail servers. So it was definitely working then. We updated/migrated all clients and domains to new CentOS 7 systems with the latest Plesk, and that's when we noticed the issue and have been troubleshooting ever since. The servername.ourdomain.com method works fine for now, but if/when we have to migrate to the next gen of servers it could require us to contact each of these clients and have them change their mail server to differentservername.ourdomain.com - which takes a TON of extra time.
So really it's just up to Plesk to fix this issue.
Regarding the secondary thread you mentioned - that'd be a separate issue, since I don't see how Let's Encrypt could verify a domain with the A record pointed elsewhere. Unless of course the A record is simply a proxy to the real server location, like when using Cloudflare. Let's Encrypt has to write files to the server being secured and then verify those files, so pointing the record somewhere else entirely seems like it would totally break its verification method.
Hi,
I'd like to change the server name from domain.com to smtp.domain.com (as I'd like to keep domain.com proxied in Cloudflare)
Is that possible? How?
Thank you,
Was anyone able to resolve this issue... Keep getting MISMATCH SSL with emails.
Magestyx, I can confirm the issue and workaround. To me this sounds like a recent issue, or did this never work as it should? I'd rather not use a 'Wildcard SSL/TLS certificate' if I don't have to.
So the bug seems to be: "Assign the certificate to the mail domain" does exactly what it says but not exactly what I would expect: it assigns the created certificate to the mail server for use with IMAP, POP and SMTP, but it does not take care of a certificate for mail.domain.tld. mail.domain.tld SSL will only work after a Wildcard SSL/TLS certificate is created.
@thierry
Thank you for the explanations! It is important that you have dedicated IP addresses for each domain; it changes the overall picture completely.
Of course, in this case, there would be issues with the deliverability due to a certificate mismatch.
The point is that SNI allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate.
It means that multiple certificates can be used on one IP address, which is NOT your case.
You have multiple domains on multiple IP addresses, so you can use different certificates on each IP.
Please refer to the following article, it describes how you can set up such configuration in Postfix: https://lxadm.com/Postfix_and_multiple_SSL_certificates
But also please note that in some cases master.cf is rewritten, for example when using the "plesk repair mail" command, so it may be necessary to back up your working master.cf and manually restore it in case it is rewritten.
In addition, Plesk has different options for outgoing mail: https://support.plesk.com/hc/en-us/articles/213905445-How-do-different-outgoing-mail-modes-work-on-Plesk-server-
So you may select sending emails from one particular IP address. However, as I understood, you are using the second mode (Send from domain IP addresses and use domain names in SMTP greeting).
I hope my explanations have shed some light on the issue.
@Anton Maslov: Am I to understand from your previous posts that when Postfix 3.4 is available and has SNI you will be incorporating it into Plesk as a custom added service like the high-end PHP versions are so we CentOS 7.6.x people can take advantage of the new SNI Postfix/Dovecot capability?
I do not find this Fix button, where is that?
Hi,
What's the ETA of the next future stable release which will include this capability?
Best Regards,
@Anton Maslov
SNI should not affect mail delivery
That's not true ;-) SNI makes it possible to get the right "Greeting" with the SMTP domain name, and of course it's important for good email deliverability.
Have you tried to use Outlook without SNI? Probably NOT. Most of the customers are using Outlook...
Outlook gives an error because the SMTP (SSL 995) is wrong if you try to use the domain name, and you don't have any other choice than to enter the server name manually instead of the domain name to be able to use Outlook.
Then we get this result when sending emails:
IP = ip domaine.com
HELO (server) = domaine.com
rDNS = domaine.com
Greeting = server name WRONG ! = Junk email
Then the emails are sent with the server name (SMTP SSL) and not with the domain name; for this reason, you can be sure Gmail or Microsoft (Hotmail and so on...) will put the emails sent directly into the Junk folder of the receiver...
And of course, before I came here to complain, my first step has been to be sure that I am fully compliant with DKIM and SPF + DMARC (strict mode) ;-)
Is it clearer for you? We cannot use email boxes with Plesk; this is not acceptable because we get daily complaints from our customers... it's a nightmare!
Please try to think twice when you are saying "If we dedicate time helping Postfix we will need to drop other features that have more priority for our customers."
Of course it must be your first priority, we need to be able to send emails with Plesk. Not considering this problem as the first priority is not reasonable.
Hello @Ivan Postnikov
Just above, on 10 May, you told us that you need time to collect this info.
We are now on 31 May, 20 days later... did you get enough time :-) ?
Please come back to this topic; MANY customers expect to get the implemented support of Postfix 3.4 with SNI.
Now you told us above: an upcoming major release of Plesk.
We are really hoping that it wasn't only an announcement.
Thanks for your understanding.
Hi Sascha Schlüter, you may remove it in Plesk > Extensions > Plesk Premium Email.