How to secure a Plesk mail server with different SSL certificates (SNI support)

40 comments

  • thierry

    Plesk does not respect the best practice for good email deliverability; the developers are probably too lazy to make these changes?

    Plesk is already an old company and maybe has started to think it's not necessary to follow best practice and new options.

    It must be fixed as soon as possible, as a priority task; without good email deliverability and respect for best practices, there is no sense in using Plesk.

    We need to be able to use one SSL certificate per domain name for the SMTP server.

    AND now in Outlook 2016 it's impossible to choose the SMTP server, so if we have Plesk it's practically impossible to use Outlook!

    PLEASE WAKE UP Plesk....

    1
  • Bato Tsydenov

    @thierry

    Thank you for your suggestion.

    This functionality is planned for implementation.

    However, there is no exact ETA for this.

    I asked our developers to shed some light on this matter.

    I will update you here once I have a reply from them.

    1
  • Unknown User

    Hello Plesk,

    Is there already some kind of update?

    0
  • Alexandr Redikultsev

    Hi @TheJenne18 and @thierry,

    Actually, there is an update indeed. We already decided that we will implement SNI support in Plesk Linux when it becomes available in Postfix. And as far as we know, SNI support is going to be implemented in Postfix 3.4 or near it.

    No ETA is available at the moment however.

    2
  • thierry

    What do you mean exactly?

    You are waiting for the developers from Postfix to solve this problem for free instead of Plesk, and afterwards Plesk will say this problem is solved!

    Open Source is really magic for making money! and making people work for free...

    I'm sorry but I totally disagree with these methods.

    -1
  • Anzhelika Khapaknysh (Edited)

    Hi @thierry!

    We totally agree that the feature is useful indeed.
    However, Plesk would have looked into developing it on our side if there were no plans for its implementation by the Postfix team themselves.

    As this feature is considered more than a minor enhancement and implies changing the business logic of Postfix, it would be illegitimate to interfere in the Postfix developers' future plans.

    1
  • João Dalvi

    I'm sorry, can't you guys help the Postfix developers to implement this feature? Don't you make enough money for this? You don't have to step over anyone, just offer help (developers) to the Postfix community to hurry up with this feature. I really doubt they would refuse this. As you guys use Postfix in your paid software, it would be nice (actually it's nothing more than expected) if you could give something back, like helping them out with this feature, while also giving the people who give you money something they want...

    0
  • Pierre-Emmanuel DEGRYSE

    Hi,

    What's the ETA of the next stable release which will include this capability?

    Best Regards,

    0
  • Anton Maslov

    @João If we start developing Postfix, who will continue to develop Plesk? Human resources are limited; it is not possible to implement all the features. If we dedicate time to helping Postfix we will need to drop other features that have more priority for our customers.

    Also, SNI has been added to Postfix 3.4.0, which was released as stable on the 27th of February. This means we can start working on implementing this from the Plesk side. We hope to add SNI support in Plesk 17.9, which is approximately going to be released in Q4 2019. But these are very rough dates since the feature is yet to be reviewed, estimated and planned.

    1
  • thierry

    @Anton Maslov

    Thanks for your explanations, it's clearer now: Plesk is ONLY for hosting websites without any email boxes!

    It's extremely shocking to read this from you: "If we dedicate time helping Postfix we will need to drop other features that have more priority for our customers."

    Please add this to your home page: "With Plesk, you will not be able to send emails because that's not an important feature and that's not a priority for us"

    Seriously, are you joking?

    Without SNI, most of the emails sent go directly to the Junk folder of the receiver; this is just a nightmare... Our customers are complaining daily.

    Even if SNI has been added to Postfix 3.0.4, DEBIAN is using 3.1.9 (https://packages.debian.org/stretch/postfix) and CentOS 7 is using Postfix 2.10

    You really convinced me to give up Plesk, congratulations!

    -1
  • Anton Maslov

    @thierry this is, vice versa, a priority feature; it is something we are going to consider implementing in the upcoming 17.9 version. And 17.9 first because this will probably require major changes in code or even at the product architecture level, thus developing on preview versions allows us to test it properly and keep 17.8 stable. If possible, we backport updates to the current stable version.

    >Without SNI, most of the emails sent are going directly to Junk folder of the receiver

    SNI should not affect mail delivery; there is only one problem SNI solves: getting a warning about a non-trusted certificate when connecting to your mailbox with a mail client. There are a lot of reasons why mail goes to spam: DKIM or SPF not configured, bad domain reputation (Google has its own internal algorithms) or bad email content. We do have a good troubleshooting article to check that.

    >Even if SNI have been added to Postfix 3.0.4, DEBIAN is using 3.1.9 (https://packages.debian.org/stretch/postfix) CentOS 7 using Postfix 2.10

    We have a practice of building packages ourselves if that is required. For example, PHP 7.3 is not available on CentOS and Debian, but you can install it because Plesk builds it from sources.

    3
  • thierry

    @Anton Maslov

    > SNI should not affect mail delivery

    That's not true ;-) SNI makes it possible to get the right "Greeting" with the SMTP domain name, and of course it's important for good email deliverability.

    Have you tried to use Outlook without SNI? Probably NOT. Most customers are using Outlook...

    Outlook gives an error because the SMTP (SSL 995) is wrong if you try to use the domain name, and you have no other choice than to enter the server name manually instead of the domain name to be able to use Outlook.

    Then we get this result when sending emails:
    IP = ip domaine.com
    HELO (server) = domaine.com
    rDNS = domaine.com
    Greeting = server name WRONG ! = Junk email

    Then the emails are sent with the server name (SMTP SSL) and not with the domain name; for this reason, you can be sure Gmail or Microsoft (Hotmail and so on..) will put the emails sent directly into the Junk folder of the receiver...

    And of course, before I came here to complain, my first step was to make sure that I am fully compliant with DKIM and SPF + DMARC (strict mode) ;-)

    Is it clearer for you? We cannot use email boxes with Plesk; this is not acceptable because we get daily complaints from our customers... it's a nightmare!

    Please try to think twice when you are saying "If we dedicate time helping Postfix we will need to drop other features that have more priority for our customers."

    Of course it must be your first priority; we need to be able to send emails with Plesk. Not considering this problem as the first priority is not reasonable.

    0
  • Anton Maslov

    @thierry

    I have my own server with Plesk and I use Outlook 2016.

    The problem you are talking about is, I suppose, known as "Reverse DNS does not match SMTP Banner"; to make it work properly the following conditions should be met:

    1. Your SMTP banner (HELO) should be example.com, which resolves e.g. to IP 192.168.0.1
    2. Your domain mail should then be sent from IP 192.168.0.1
    3. Your PTR record for 192.168.0.1 should point to example.com

    That's all, and here it does not matter what you used in Outlook settings for the incoming/outgoing servers.

    Now about your example:

    >HELO (server) = domaine.com

    >Greeting = server name WRONG ! = Junk email

    It is important to keep in mind that we have 2 SMTP sessions:

    1. Outlook connects to your Plesk server.

    2. Your Plesk server connects to gmail.com

    In case 1, SNI will allow you to set up multiple certificates and use multiple domain names for the incoming/outgoing mail server. Without SNI you will get an error about certificate/hostname mismatch.

    In case 2, SNI has no effect, and it also does not matter what you used for the incoming/outgoing mail server settings, since this is an SMTP session between your server and gmail. In that case Plesk allows you two options:

    1. HELO is your domain name - domaine.com; if you want to use that option, you should add domaine.com as the PTR record for the sending IP.
    2. HELO is your hostname (default option). Here you need to make sure the hostname resolves to the IP you use for mailing and the PTR for that IP contains the hostname.

    Hope that helps you to configure the mail server.

    1
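The three conditions listed in the comment above (banner name resolves to the sending IP, mail leaves from that IP, PTR points back to the banner name) are easy to get wrong per domain once a server hosts several of them. The following is an added example, not code from this thread or from Plesk: a small Python check that takes a HELO/banner name and a sending IP, verifies forward and reverse DNS agree, and reports what is off. The resolver functions are injected so the check runs offline against a constructed DNS table (the domain names, `server.example.net` and the 198.51.100.x addresses are made up); `live_a`/`live_ptr` use the system resolver for a real host.

```python
import ipaddress
import socket
from typing import Callable, List, Optional

ResolveA = Callable[[str], List[str]]
ResolvePtr = Callable[[str], Optional[str]]


def _norm(name: str) -> str:
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def check_outbound_identity(helo_name: str, sending_ip: str,
                            resolve_a: ResolveA, resolve_ptr: ResolvePtr) -> List[str]:
    """Return the list of problems with a (HELO name, sending IP) pair.

    An empty list means forward-confirmed reverse DNS holds:
      1. the HELO/banner name resolves to the sending IP, and
      2. the PTR record for that IP names the same host.
    """
    ip = str(ipaddress.ip_address(sending_ip))  # normalise; raises ValueError on junk input
    problems: List[str] = []

    forward = resolve_a(helo_name)
    if ip not in forward:
        got = ", ".join(forward) if forward else "nothing"
        problems.append(f"HELO name {helo_name} does not resolve to sending IP {ip} (got {got})")

    ptr = resolve_ptr(ip)
    if ptr is None:
        problems.append(f"no PTR record for {ip}")
    elif _norm(ptr) != _norm(helo_name):
        problems.append(f"PTR for {ip} is {ptr}, not {helo_name}")
    return problems


# Constructed DNS table for offline use. It mirrors the thread's situation:
# domain1.com has its own IP and a matching PTR; domain2.com has its own IP,
# but the PTR for that IP still names the server's hostname.
FAKE_A = {
    "domain1.com": ["198.51.100.1"],
    "domain2.com": ["198.51.100.2"],
    "server.example.net": ["198.51.100.10"],
}
FAKE_PTR = {
    "198.51.100.1": "domain1.com",
    "198.51.100.2": "server.example.net",
    "198.51.100.10": "server.example.net",
}


def fake_a(name: str) -> List[str]:
    return FAKE_A.get(_norm(name), [])


def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def live_a(name: str) -> List[str]:
    """Forward lookup through the system resolver (A and AAAA)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def live_ptr(ip: str) -> Optional[str]:
    """Reverse lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    # Plesk option 1 (HELO = domain name) done right: no findings.
    print(check_outbound_identity("domain1.com", "198.51.100.1", fake_a, fake_ptr))
    # Option 1 for domain2.com: the PTR still names the server, so it is flagged.
    print(check_outbound_identity("domain2.com", "198.51.100.2", fake_a, fake_ptr))
    # Option 2 (HELO = hostname) but sending from domain2's IP: forward check fails.
    print(check_outbound_identity("server.example.net", "198.51.100.2", fake_a, fake_ptr))
```

Run it with the fake resolvers to see the three cases from the comment, or swap in `live_a`/`live_ptr` and the real banner name and sending IP of a host you operate. The two Plesk HELO modes map onto the same check: with "HELO = domain name" the PTR must name the domain, with "HELO = hostname" the hostname must resolve to the sending IP and the PTR must name the hostname.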
  • thierry

    @Anton Maslov

    Yes, of course "Reverse DNS MUST match SMTP Banner":

    IP = ip domaine1.com
    HELO (server) = domaine1.com
    rDNS = domaine1.com

    This configuration must be done to get good deliverability. (I am in this case and do not use gmail.com as in your example above.)

    Then this configuration is going to work perfectly if you are using ONLY one domain name with the server, if you have renamed the server to domain1.com.

    In this case, with domain1.com, it's possible to get the DNS "greeting server" with the SSL SMTP.

    But in the case where you are using multiple domain names, you cannot get the DNS "greeting server" for each domain name; it will be possible ONLY with domaine1.com.

    Then the SMTP server NAME (SSL 995) cannot be multiple, it MUST always be domaine1.com!

    If you want to send emails with smtp.domain2.com, Outlook will display a warning message and will tell you that you must use smtp.domain1.com as SMTP because the SSL DNS greeting server is on smtp.domain1.com.

    Finally, when you want to send emails with domain2.com, you have no other choice than to use smtp.domain1.com, and that's really bad for the deliverability.

    Clearer?

    0
  • Alisa Kasyanova

    @thierry
    >> Finally, when you want to send emails with domain2.com, you have no other choice than to use smtp.domain1.com, and that's really bad for the deliverability.
    Thousands of Plesk servers use such settings successfully. All our documentation sections and articles emphasize that the incoming and outgoing mail server name in mail client settings must match the mail certificate's domain name.
    Most probably, there is some other misconfiguration that leads messages to end up in SPAM. We would really like to help you find it, so please submit a request to support (https://support.plesk.com/hc/en-us/articles/213608509-How-to-submit-a-request-to-Plesk-support-) or let us know if you wish that we create a ticket for you.

    0
  • thierry

    Hello @Alisa Kasyanova and @Anton Maslov

    Things are not exactly as you explained above. Please let me explain again the SNI problems due to Postfix with PLESK.

    My server is named: hr123plesk.reseller.mis.ovh.net and of course I have one server IP 123.456.789.10

    This server hosts different domain names and each domain name has its own dedicated IP

    domain1.com IP = 87.98.149.01 SSL let's encrypt

    domain2.com IP = 87.98.149.02 SSL let's encrypt

    I have 9 domain names on my PLESK server and each domain name has one dedicated IP.

    As you know already, Plesk CANNOT use the SSL SNI of each domain name for SMTP (due to Postfix); for this reason the SSL SNI used for sending emails will always be the server name: hr123plesk.reseller.mis.ovh.net AND NOT the SSL SNI corresponding to each domain name.

    This gives a mismatched configuration for good email deliverability!

    The greeting DNS SNI server will always be hr123plesk.reseller.mis.ovh.net and not the SSL SNI for each domain name.

    With PLESK, the best SMTP configuration that we can get is (I'm using this):

    IP = ip of domain1.com
    HELO (server) = domain1.com
    rDNS = domain1.com

    But the SSL SNI used with SMTP will be hr123plesk.reseller.mis.ovh.net; it cannot be domain1.com and this will affect the email deliverability.

    It gives 2 main problems:

    1- Mismatched configuration for good email deliverability!

    2- Outlook always opens a warning panel because the parameters between the SSL SNI and SMTP are wrong, because we cannot use the SSL SNI for each domain name.

    I hope my new explanations are clearer NOW!

    With PLESK it's impossible to send email with good deliverability! and it will be like that until the SSL SNI is implemented for each domain name...

    The Plesk Team needs to realize that this is the MAJOR problem of Plesk; you will not convince your customers to use PLESK without emails!!!!!

    @Anzhelika Khapaknysh wrote:

    > As this feature is considered more than a minor enhancement and implies changing the business logic of Postfix, it would be illegitimate to interfere in Postfix developers future plans.

    That's a really bad way to think; SURE Plesk needs to give good email deliverability, that's not a minor enhancement but a MAJOR one!!!!!

    I am not here to solve my own case, but if you think that you can solve my own case with this SSL SNI problem, yes please create a ticket for me.

    But unfortunately, it is not only me in this case; this case concerns ALL the PLESK users.

    0
  • Alisa Kasyanova

    @thierry
    Thank you for the explanations! It is important that you have dedicated IP addresses for each domain; it changes the overall picture completely.
    Of course, in this case, there would be issues with the deliverability due to a certificate mismatch.
    The point is that SNI allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate.
    It means that multiple certificates can be used on one IP address, which is NOT your case.
    You have multiple domains on multiple IP addresses, so you can use different certificates on each IP.
    Please refer to the following article; it describes how you can set up such a configuration in Postfix: https://lxadm.com/Postfix_and_multiple_SSL_certificates
    But also please note that in some cases master.cf is rewritten, for example when using the "plesk repair mail" command, so it may be necessary to back up your working master.cf and manually restore it in case it is rewritten.
    In addition, Plesk has different options for outgoing mail: https://support.plesk.com/hc/en-us/articles/213905445-How-do-different-outgoing-mail-modes-work-on-Plesk-server-
    So you may select sending emails from one particular IP address. However, as I understand, you are using the second mode (Send from domain IP addresses and use domain names in SMTP greeting).

    I hope my explanations have shed some light on the issue.

    0
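To make the certificate side of the discussion concrete (Anton Maslov's "case 1", the client-to-server session, and Alisa Kasyanova's point that SNI is about several certificates on one IP while one certificate per IP needs no SNI), here is an added example, not code from this thread or from Plesk. It is a small Python model of which certificate a mail listener presents and whether a client configured with a given server name would see a certificate/hostname mismatch warning. It compares three layouts: one certificate on every IP (the situation described in the thread), one certificate per listening IP (separate listeners, each with its own certificate), and an SNI map on a single IP (the mechanism Postfix 3.4 added as `tls_server_sni_maps`). Domain names, IPs and certificate contents are constructed; the name check implements only the subjectAltName and leftmost-label wildcard rule and ignores chain validation and expiry.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cert:
    """The only part of a certificate this model needs: its DNS subjectAltNames."""
    names: List[str]


def name_matches(hostname: str, cert: Cert) -> bool:
    """True if hostname is covered by one of the certificate's DNS names.

    A wildcard is honoured only as the whole leftmost label and matches exactly
    one label (RFC 6125 style): *.example.com covers smtp.example.com but not
    example.com or a.b.example.com.
    """
    host = hostname.rstrip(".").lower()
    for pattern in cert.names:
        pat = pattern.rstrip(".").lower()
        if pat == host:
            return True
        if pat.startswith("*.") and "." in host and host.split(".", 1)[1] == pat[2:]:
            return True
    return False


@dataclass
class MailServer:
    """Which certificate each listener presents."""
    per_ip: Dict[str, Cert]                              # certificate bound to each listening IP
    sni: Dict[str, Cert] = field(default_factory=dict)   # SNI name -> certificate (empty: no SNI)

    def presented_cert(self, ip: str, sni_name: Optional[str]) -> Cert:
        if sni_name is not None:
            hit = self.sni.get(sni_name.rstrip(".").lower())
            if hit is not None:
                return hit
        return self.per_ip[ip]  # fall back to the listener's default certificate


def client_warns(server: MailServer, server_name: str, ip: str,
                 client_sends_sni: bool = True) -> bool:
    """True when a mail client configured with server_name, connecting to ip,
    would see a certificate/hostname mismatch warning."""
    cert = server.presented_cert(ip, server_name if client_sends_sni else None)
    return not name_matches(server_name, cert)


# Constructed scenario: two customer domains, each with its own mail name and IP.
DNS = {"smtp.domain1.com": "198.51.100.1", "smtp.domain2.com": "198.51.100.2"}
HOST_CERT = Cert(["server.example.net"])            # the server's own certificate
D1_CERT = Cert(["smtp.domain1.com", "domain1.com"])
D2_CERT = Cert(["smtp.domain2.com"])


def layouts() -> Dict[str, MailServer]:
    return {
        # The thread's situation: every listener presents the server certificate.
        "one_cert_everywhere": MailServer(per_ip={ip: HOST_CERT for ip in DNS.values()}),
        # One listener per IP, each with the matching customer certificate.
        "cert_per_ip": MailServer(per_ip={"198.51.100.1": D1_CERT, "198.51.100.2": D2_CERT}),
        # All names on one shared IP, certificate chosen by SNI.
        "shared_ip_sni": MailServer(per_ip={"198.51.100.9": HOST_CERT},
                                    sni={"smtp.domain1.com": D1_CERT, "smtp.domain2.com": D2_CERT}),
    }


def warnings_for(layout: str, client_sends_sni: bool = True) -> Dict[str, bool]:
    """Map each customer mail name to whether the client would warn."""
    server = layouts()[layout]
    result: Dict[str, bool] = {}
    for name, ip in DNS.items():
        # On the shared-IP layout every name reaches the single listener.
        target = ip if ip in server.per_ip else next(iter(server.per_ip))
        result[name] = client_warns(server, name, target, client_sends_sni)
    return result


if __name__ == "__main__":
    for layout in layouts():
        print(layout, warnings_for(layout),
              "without SNI:", warnings_for(layout, client_sends_sni=False))
```

The model shows why the complaint in the thread is a certificate-name problem rather than an SNI problem when each domain already has its own IP: the `cert_per_ip` layout produces no warning even for a client that sends no SNI, while `shared_ip_sni` depends on the client sending the name (all current mail clients do). In Postfix terms the per-IP layout is separate smtpd listeners in master.cf with their own `smtpd_tls_cert_file` and `smtpd_tls_key_file` overrides, which is also why the remark above about `plesk repair mail` rewriting master.cf matters: keep a copy of the customised file and re-check the client-facing certificates after any repair.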
  • Greg P

    @Anton Maslov: Am I to understand from your previous posts that when Postfix 3.4 is available and has SNI, you will be incorporating it into Plesk as a custom added service, like the high-end PHP versions are, so we CentOS 7.6.x people can take advantage of the new SNI Postfix/Dovecot capability?

    0
  • Nick Plekhov

    Hello @Greg P
    You are right. We are going to implement support of Postfix 3.4 with SNI in an upcoming major release of Plesk.

    0
  • thierry

    That's the best announcement that I have seen in 2 years here :-)

    Our customers will be able to send email with good deliverability and will not complain any more!

    If it's an upcoming major release of Plesk, what is the estimated time? 1 month, 6 months, 1 year?

    But as far as I know, Postfix 3.4 with SNI cannot be used with Debian https://packages.debian.org/stretch/postfix because Debian is using Postfix 3.1.18; same thing with CentOS 7 using Postfix 2.10

    Please can you let us know how you will trick Debian and CentOS 7 into using Postfix 3.4 with SNI?

    Thanks

    0
  • Ivan Postnikov

    Hello @thierry,

    > if it's an upcoming major release of Plesk, what can be the estimated time ? 1 month, 6 months, 1 year ?

    There is no exact ETA but expect it this year.

    > But as far as I know, Postfix 3.4 with SNI cannot be used with Debian https://packages.debian.org/stretch/postfix because Debian is using Postfix 3.1.18, same thing with CentOS 7 using Postfix 2.10

    I will need some time to collect this info. As soon as I get it, I will post it here.

    0
  • thierry

    Hello @Ivan Postnikov

    Just above, on 10 May, you told us that you need time to collect this info.

    We are now on 31 May, 20 days later... did you get enough time :-) ?

    Please come back to this topic; MANY customers expect to get support for Postfix 3.4 with SNI implemented.

    You told us above: an upcoming major release of Plesk.

    We really hope that it wasn't only an announcement.

    Thanks for your understanding

    0
  • Denis Bykov

    @thierry

    As far as I can see, there is a custom Postfix build provided by Plesk in the next release.
    You can check SNI functionality by installing the testing release - https://support.plesk.com/hc/en-us/articles/213961885

    Please note that, as of now, it is not meant to be used in production. We expect a general release date this fall.

    0
  • Martin George

    Could you guys at least please link the bug that stops the most common use case for this from working? This is not working for Let's Encrypt certificates issued by Plesk itself.

    https://support.plesk.com/hc/en-us/articles/360026242633--Unable-to-set-SNI-certificates-for-mail-Postfix-using-Let-s-Encrypt-certificates

    0
  • Anzhelika Khapaknysh

    Hi @Martin George,

    Agree with you that it's a bit confusing.
    We've added a warning regarding this bug.

    Thanks for your input!

    0
  • Alexander Dimelow

    Why is this option not available in the 17.x version?

    0
  • Alexey Lapshin

    Hello @Alexander,

    We have no plans to implement this feature in Plesk Onyx, so the only option to use it is upgrading to the Plesk Obsidian version.

    0
  • thierry

    @Alexander what do you mean? Since this thread started in September 2018, have the customers been talking here for nothing?

    Just above, on June 01, 2019 01:42, @Denis Bykov wrote:

    > As far as I can see, there is a custom Postfix build provided by Plesk in the next release.
    > You can check SNI functionality by installing the testing release https://support.plesk.com/hc/en-us/articles/213961885
    >
    > Please note that, as of now, it is not meant to be used in production. We expect a general release date this fall.

    And now on August 14, 2019, 3 months later, it changes and we get the opposite?

    I am sorry but it's totally inconsistent! and will make your customers very disappointed!

    If Plesk decides not to implement this feature in Plesk Onyx, it means more than 5000 customers will keep this problem as in this thread with this offer https://www.ovh.co.uk/plesk-webhosting/

    OVH (your partner) will keep Plesk Onyx; until now this offer CANNOT have separate SSL with Postfix and does not respect the best practice for sending emails!!! and you want to continue in this way?

    Be ready to make more than 5000 customers unhappy with Plesk!

    Regards

    0
  • Anton Maslov (Edited)

    @Denis Bykov mentioned that SNI is available in the next release; the next release is Plesk Obsidian. Customers who are ready to use a release candidate version of Obsidian may do an upgrade already. Also, technical support is officially provided for Obsidian already.

    As soon as Obsidian is released globally (later this year), OVH will also add this version to their offerings.

    We don't have plans to add SNI to Onyx.

    0
  • thierry

    Thanks for this clear answer and for letting us know Obsidian will be released globally (later this year), which will make OVH use it.

    This thread started in September 2018, we are in August 2019, and we need to wait for a solution MAYBE later this year, right?

    I just let you imagine what your customers can have in their minds ;-)

    Regards

    0