How to assign a SSL certificate per domain to secure the mail server in Plesk (SNI support)?

Comments

65 comments

  • Hüseyin Şevki TOPUZ

    Did not work, still receiving the main domain's SSL information. Is there a method for doing this manually?

  • Mariano Loo

    Was anyone able to resolve this issue... Keep getting MISMATCH SSL with emails

  • Nicola Urbinati

    Hi,

    I'd like to change the server name from domain.com to smtp.domain.com (as I'd like to keep domain.com proxied in Cloudflare)

    Is that possible? How?

    Thank you,

  • Magestyx

    Plesk, please help - we're trying to solve this issue as well.
    We're using CentOS 7, Postfix & Dovecot. No Premium Plesk Email. We've verified that SNI is on, and that ports 465 and 995 are being listened to by postfix & dovecot respectively according to netstat.
    We've been testing this on numerous servers and domains - some that integrate Cloudflare and some that do not - just to try and explore all possibilities. So far, it seems that it's strictly related to Plesk and we have found no fix.

    Currently we and all our clients are having to use the server names like servername.ourdomain.com for all POP/SMTP traffic. (The mail SSL for the server is set up in Plesk > Tools & Settings > SSL/TLS Certificates.) That works fine, but mail.clientdomain.com would be much better, and for future migrations we wouldn't have to tell each one to change their mail server settings.

    To clarify, for the most recent test moments ago:
    We re-issued an SSL to a clean, non-Cloudflare domain (we'll call it clientdomain.com) that previously did not have the "Assign the certificate to the mail domain" checked.

    Previously, the "openssl s_client..." command lookup for mail.clientdomain.com resulted in showing the CN of the server itself, like servername.ourdomain.com. But this results in a domain/certificate error in apps like Outlook.

    Once the SSL was re-issued with "Assign the certificate to the mail domain" checked, the "openssl s_client..." command for mail.clientdomain.com results in a CN of clientdomain.com.

    So that's close, but no cigar, since that's still technically not the mail.clientdomain.com that Outlook is trying to connect to. Therefore another SSL/certificate error.
    If we try to connect simply to clientdomain.com as the mail server in Outlook, the connection times out.

    Also see this related issue: https://talk.plesk.com/threads/lets-encrypt-and-assign-the-certificate-to-mail-domain-problems-and-autodiscovery-issues-caused-by-this.360307/

    The command referred to above to check the CN is:
    #echo 'Q' | openssl s_client -connect localhost:465 -servername mail.clientdomain.com -showcerts 2>&1 | grep -Eo 'CN=[^/]+' | uniq

    netstat command to check port listening:
    #netstat -tlnp | grep 995

  • Magestyx

    Actually we may have just found a workaround, although it requires additional steps and waiting.

    On another domain (let's say thedomain.com) we re-issued its certificate using a wildcard certificate and "Assign the certificate to the mail domain".

    To do so requires adding the provided TXT record to the domain's DNS and then waiting for it to be publicly propagated.

    After finishing the wildcard SSL installation, the "openssl s_client..." still yields a CN of thedomain.com WITHOUT any mail. subdomain in front. However, Outlook sent/received using mail.thedomain.com without any complaint or SSL issues whatsoever.

    But ideally, Plesk would fix this for us so that the checkbox in the domain settings works and a wildcard SSL isn't required for it to work.

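An added example, not from this thread or from Plesk, that does the same check as the "openssl s_client -servername" command above and then answers the question the two Magestyx comments are circling: whether the certificate a mail port serves for a given SNI name actually covers that name. A CN/SAN of clientdomain.com does not cover mail.clientdomain.com, which is the mismatch Outlook reports, while a *.thedomain.com wildcard does, which is why the wildcard workaround passes. The two sample certificate dicts are constructed to mirror the thread's observations; the live probe assumes an implicit-TLS port such as 465 or 995 and a publicly trusted chain (Let's Encrypt qualifies), since Python's stdlib only parses the peer certificate when the chain verified.

```python
# Added example: probe which certificate a mail service presents for an SNI name
# and check whether that certificate covers the hostname the client connects to.
import socket
import ssl

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert()
# returns. They mirror the thread: a bare-domain cert and a wildcard cert.
SAMPLE_BARE = {
    "subject": ((("commonName", "clientdomain.com"),),),
    "subjectAltName": (("DNS", "clientdomain.com"),),
}
SAMPLE_WILDCARD = {
    "subject": ((("commonName", "thedomain.com"),),),
    "subjectAltName": (("DNS", "thedomain.com"), ("DNS", "*.thedomain.com")),
}


def cert_names(cert):
    """Names a certificate is valid for: SAN dNSName entries plus the subject CN."""
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value.lower() not in names:
            names.append(value.lower())
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value.lower() not in names:
                names.append(value.lower())
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a leftmost '*' covering exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.thedomain.com" -> ".thedomain.com"
        if not hostname.endswith(suffix):
            return False
        first_label = hostname[: -len(suffix)]
        # exactly one non-empty label: mail.thedomain.com yes, a.b.thedomain.com no
        return bool(first_label) and "." not in first_label
    return False


def cert_covers(cert, hostname):
    """True if a client connecting as `hostname` would accept this certificate's names."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def report(cert, servername):
    """One-line verdict suitable for a cron job or a ticket."""
    names = ", ".join(cert_names(cert)) or "(none)"
    verdict = "covers" if cert_covers(cert, servername) else "does NOT cover"
    return f"served names: {names}; certificate {verdict} {servername}"


def probe_sni(host, port, servername, timeout=5.0):
    """Handshake with host:port sending `servername` as SNI, like
    `openssl s_client -connect host:port -servername servername`, and return the
    served certificate as a dict. Hostname checking is off so a mismatched
    certificate can still be inspected; chain validation stays on because the
    stdlib returns an empty dict for an unverified peer (a self-signed cert will
    raise ssl.SSLCertVerificationError). Implicit TLS only (465/995), not STARTTLS.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    # usage: python sni_check.py mail.clientdomain.com [host] [port]
    sni = sys.argv[1]
    host = sys.argv[2] if len(sys.argv) > 2 else "localhost"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 465
    print(report(probe_sni(host, port, sni), sni))
```

Run it on the mail server itself with the SNI name the clients are configured to use; if the verdict is "does NOT cover", the client-side certificate error is expected regardless of what Plesk's checkbox says, and the fix is a certificate whose SAN list (or a wildcard) includes that exact mail hostname.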
