Applicable to:
- Plesk Obsidian for Linux
- Plesk Obsidian for Windows
Question
How to assign an SSL certificate per domain to secure the mail server in Plesk (SNI support)?
Answer
Warning: If you're switching from Courier to Dovecot, be aware of potential issues.
- Issue a Let's Encrypt certificate for a domain, or upload a paid certificate.
- For each of the domains that should have a separate mail certificate, navigate to Domains > example.com > Mail > Mail Settings.
- Select the domain's certificate in the SSL/TLS certificate for mail dropdown.
- Click Apply.
- Verify that the separate mail certificate is used:
  - On Windows:
    - Connect to the server via RDP.
    - Run OpenSSL with the mail server's domain and check the certificate's CN field:
      PS echo 'Q' | plesk sbin openssl s_client -connect localhost:465 -servername example.com -showcerts 2>&1 | SLS -Pattern 'CN=[^/]+' | % { $_.Matches } | % { $_.Value } | Get-Unique
      CN=example.com
  - On Linux:
    - Connect to the server via SSH.
    - Run OpenSSL with the mail server's domain and check the certificate's CN field:
      # echo 'Q' | openssl s_client -connect localhost:465 -servername example.com -showcerts 2>&1 | grep -Eo 'CN=[^/]+' | uniq
      CN=example.com
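The verification above only probes port 465 and relies on grep finding the "CN=" form that OpenSSL 1.0 prints in the s_client output; OpenSSL 1.1 and later print the subject as "CN = example.com", so the grep can come up empty even when the right certificate is served. The script below is an added example, not part of the Plesk article and not Plesk's own tooling. It connects to the SMTPS, IMAPS and POP3S ports with SNI for a domain, extracts the served leaf certificate and parses it with openssl x509 (independent of the s_client output format), then reports whether the domain is covered by the certificate's CN or DNS SAN names, including single-label wildcards. The function names, the default port list and the self-signed test certificate are constructions of this example; it assumes openssl is installed and that it runs on the Plesk server itself (connections go to localhost).

```shell
#!/bin/sh
# Added example (not from the Plesk article): check which certificate the mail
# server presents for a domain via SNI on the SMTPS/IMAPS/POP3S ports and
# whether that certificate actually covers the domain. Assumes openssl is
# installed and the script runs on the Plesk server (connects to localhost).

# Keep only the first (leaf) PEM certificate from `openssl s_client -showcerts` output on stdin.
first_pem_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Print the subject CN and every DNS SAN of the PEM certificate on stdin, one per line.
# Parsing the certificate itself avoids depending on the s_client "subject=" line,
# whose format changed between OpenSSL 1.0 ("/CN=...") and 1.1+ ("CN = ...").
cert_dns_names() {
    pem=$(cat)
    {
        printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253 \
            | sed -n 's/.*CN=\([^,]*\).*/\1/p'
        printf '%s\n' "$pem" | openssl x509 -noout -text \
            | awk '/X509v3 Subject Alternative Name/ {
                       getline; gsub(/ /, "")
                       n = split($0, a, ",")
                       for (i = 1; i <= n; i++) if (a[i] ~ /^DNS:/) print substr(a[i], 5)
                   }'
    } | sort -u
}

# Return 0 if host $1 is covered by certificate name $2: an exact match, or a
# wildcard covering exactly one label (*.example.com covers mail.example.com,
# but neither example.com nor a.b.example.com).
name_matches() {
    host=$1; pattern=$2
    case $pattern in
        "$host") return 0 ;;
        '*.'*)
            suffix=${pattern#\*.}
            label=${host%.$suffix}
            [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ] && return 0
            ;;
    esac
    return 1
}

# Return 0 if any of the names read from stdin covers host $1.
cert_covers() {
    while IFS= read -r name; do
        [ -n "$name" ] && name_matches "$1" "$name" && return 0
    done
    return 1
}

# Connect to each port with SNI set to $1 and report whether the served leaf
# certificate covers the domain. Default ports: 465 (SMTPS), 993 (IMAPS), 995 (POP3S).
check_mail_sni() {
    domain=$1; ports=${2:-"465 993 995"}; rc=0
    for port in $ports; do
        names=$(printf 'Q\n' | openssl s_client -connect "localhost:$port" \
                    -servername "$domain" -showcerts 2>/dev/null | first_pem_cert | cert_dns_names)
        served=$(printf '%s' "$names" | tr '\n' ' ')
        if printf '%s\n' "$names" | cert_covers "$domain"; then
            echo "port $port: OK, served names: $served"
        else
            echo "port $port: MISMATCH, served names: ${served:-(none)}"; rc=1
        fi
    done
    return $rc
}

# Generate a throwaway self-signed certificate (constructed test input) so the
# parsing and matching logic can be exercised without a live mail server.
make_test_cert() {
    dir=$(mktemp -d)
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = example.com
[ext]
subjectAltName = DNS:example.com, DNS:mail.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/san.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    cat "$dir/cert.pem"; rm -rf "$dir"
}

# Usage on the Plesk server: sh check_mail_sni.sh example.com ["465 993 995"]
if [ $# -gt 0 ]; then check_mail_sni "$@"; fi
```

A MISMATCH on one port only (typically 993) while the others are fine points at a different service answering on that port rather than at the certificate selection, which is why the listener on the port is worth checking before changing certificates again.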
Comments
62 comments
@thierry, yes, Plesk Obsidian will be globally released later this year. It is a much-needed and highly demanded feature; we are glad we are now able to provide it with an upcoming release.
Updated to the latest Obsidian today but I cannot see the dropdown mentioned in step 4. I only see "for webmail" but not "for mail". Why? There are Let's Encrypt certificates active for webmail. So how can I use SNI support for mail?
Hello @Daniel Bickel,
Most probably it is required to enable SNI support. Use the article below:
https://support.plesk.com/hc/en-us/articles/213944545-How-to-activate-the-SNI-support-on-a-Plesk-server
I have upgraded to Plesk Obsidian Version 18.0.19 and don't see this option. I have deleted the Let's Encrypt cert and reinstalled the wildcard, and still do not see the option for securing MAIL.
@Alan Hughes,
Check whether SNI is enabled in psa.conf as described in this article: https://support.plesk.com/hc/en-us/articles/213944545
Not working with Qmail?
@Luis, currently SNI is only supported for Postfix+Dovecot on Linux and MailEnable 10.20 on Windows.
I have upgraded to the latest Plesk Obsidian and don't see this option. SNI support is set to true in psa.conf.
Running Debian 8 (jessie)
Hi Gabriel Tavares
Debian 8 does not support SNI, you'll need to migrate to Debian 9.
Francisco Roman Garcia Rodriguez
Thanks mate.
Thank you.
Worked fine
Hi,
We use:
CentOS Linux 7.7.1908 (Core)
with Plesk Obsidian Version 18.0.21 with Postfix and Dovecot.
We have installed 35 domains for customers using Let's Encrypt.
So far so good, but the issue with pop. and mail. is still there! We can't set every separate domain to its own certificate!
We see the dropdown in "Mail" for each domain, where we can choose the correct Let's Encrypt cert, and everything seems to be OK...
but our customers still get the mail server cert when they check their mails!!
They still get a warning, because it is the server cert and not their own domain cert!
What do we have to do to fix this annoying issue?
It drives us crazy, because we have iOS and PowerMac users, for whom a "special adjustment" is necessary to get rid of these safety warnings!
Thx
Marc
Hello @Marc,
The cause of this behaviour is not clear and a detailed investigation is required.
Please contact Plesk technical support for assistance:
https://support.plesk.com/hc/en-us/requests/new
Hi,
I've just stumbled across this line: "Debian 8 or RHEL/CentOS/CloudLinux 6 are not supported."
Does it mean that SNI support doesn't work globally for CentOS, or for older versions only?
We use CentOS 7.7.
@Marc
It won't work for older versions only. CentOS 7 is supported.
I followed the guideline above, but with partial success only: when checking the used certificates with
echo 'Q' | openssl s_client -connect localhost:portnumber -servername example.com -showcerts 2>&1 | grep -Eo 'CN=[^/]+' | uniq
everything is okay for portnumbers 465 (SMTPs) and 995 (POPs), but on port 993 (IMAPs) the machine keeps using the server-certificate as chosen in the global settings.
The server has already been restarted. What can I do to get the domain certificate delivered on port 993?
Hello Sascha Schlüter, check what service is listening on port 993:
If you see anything other than Dovecot, for example, beam (kolab) then this is the cause of the issue.
Kolab does not support SNI at the moment.
As a workaround, you may want to use POP3 to connect mail clients instead, or uninstall the Plesk Premium Mail extension.
Hi Nelson, thanks for this hint. The command shows
If I get you right, the installed Plesk Premium Email causes my problems and I have to uninstall it. How can that be done? Unfortunately, there is no uninstall option in the Plesk UI as far as I can see.
Hi Sascha Schlüter you may remove it in Plesk > Extensions > Plesk Premium Email.
Thank you, Julian!
Hello Anton Maslov
You mentioned that "The problem you are talking I suppose known as "Reverse DNS does not match SMTP Banner", to make it work properly the following conditions should be met:
Does this mean that if the 3 conditions above have been met the mismatch alert in MXToolBox will disappear, or will this only affect the servers' communications?
Thank you
Is there any development in this area? When will the Plesk Premium Email Extension start supporting SNI?
Hello peterbo
There are plans to add SNI support to Premium Email. The exact ETA is to be available later.
@Hany S. Hanna
That will address both issues. Some mail providers tend more to consider the mail spam if those conditions aren't met by the sender. Therefore, the warning notice on MXToolBox.
This is not working yet for Plesk Premium Email? I really need someone to help me, please, I'm losing my clients because they can't use Outlook.
Hello Felipe Martini,
Starting from version 16.12, Plesk Premium Email extension supports SNI.
To enable SNI for the domain with the new or updated mail certificate:
Note: the Fix button should be pressed every time a certificate for mail service is installed or updated.
I have not found this Fix button. Where is that?
Hello Felipe Martini
According to the information I have, it should look like below after getting new or updating mail certificate:
In case this won't work for you I suggest submitting a request to Plesk support.
I was having issues with this configuration, then I found out that you need to configure the email client using the server address in the format "domain.com" or "mail.domain.com", if you use any other name (eg: smtp.domain.com) the server won't return the correct certificate (even with a Let's Encrypt wildcard certificate installed).
@awshima
Yes, using example.com is the intended way to specify the mail server in the client's settings.