How to secure a Plesk mail server with different SSL certificates (SNI support)

Comments

60 comments

  • Anton Maslov

    @thierry, yes, Plesk Obsidian will be globally released later this year. It is a much-requested feature, and we are glad we are now able to provide it with an upcoming release.

    0
  • Daniel Bickel

    Updated to the latest Obsidian today, but I cannot see the dropdown mentioned in step 4. I only see "for webmail" but not "for mail". Why? There are Let's Encrypt certificates active for webmail. So how can I use SNI support for mail?

    1
  • Anna Morozyuk

    Hello @Daniel Bickel,

    Most probably it is required to enable SNI support. Use the article below:
    https://support.plesk.com/hc/en-us/articles/213944545-How-to-activate-the-SNI-support-on-a-Plesk-server

    0
  • Alan Hughes

    I have upgraded to Plesk Obsidian Version 18.0.19 and don't see this option. I have deleted the Let's Encrypt cert and reinstalled the wildcard, and still do not see the option for securing MAIL.

    1
  • Anzhelika Khapaknysh

    @Alan Hughes,

    Check whether SNI is enabled in psa.conf as described in this article: https://support.plesk.com/hc/en-us/articles/213944545

    0
  • Luis Zubeldia (edited)

    Not working with Qmail?

    0
  • Julian Bonpland Mignaquy

    @Luis, currently SNI is only supported for Postfix+Dovecot on Linux and MailEnable 10.20 on Windows.

    0
  • Gabriel Tavares

    I have upgraded to the latest Plesk Obsidian and don't see this option. SNI support is set to true in psa.conf.
    Running Debian 8 (jessie)

    0
  • Francisco Garcia (edited)

    Hi Gabriel Tavares

    Debian 8 does not support SNI, you'll need to migrate to Debian 9.

    0
  • Gabriel Tavares

    Francisco Garcia
    Thanks mate.

    0
  • Daniel Omine

    Thank you.

    Worked fine

    0
  • Marc

    Hi,

    We use:

    CentOS Linux 7.7.1908 (Core)
    with Plesk Obsidian Version 18.0.21 with Postfix and Dovecot

    We have installed 35 domains for customers using Let's Encrypt.
    So far so good, but the issue with pop. and mail. is still there! We can't set every separate domain to its own certificate!

    We see the dropdown in "Mail" for each domain, where we can choose the correct Let's Encrypt cert; everything seems to be OK...
    but our customers still get the mail server cert when they check their mail!!
    They still get a warning, because it is the server cert and not their own domain cert!

    What do we have to do to fix this annoying issue?

    It drives us crazy, because we have iOS and PowerMac users, for whom a "special adjustment" is necessary to get rid of these safety warnings!

    Thx

    Marc
    -1
  • Maxim Krasikov

    Hello @Marc,

    The cause of this behaviour is not clear and a detailed investigation is required.

    Please contact Plesk technical support for assistance:
    https://support.plesk.com/hc/en-us/requests/new

    0
  • Marc

    Hi,

    I've just stumbled across this line: "Debian 8 or RHEL/CentOS/CloudLinux 6 are not supported."

    Does it mean that SNI support doesn't work globally for CentOS, or for older versions only?

    We use CentOS 7.7

    0
  • Denis Bykov

    @Marc

    It won't work for older versions only. CentOS 7 is supported.

    0
  • Sascha Schlüter

    I followed the guideline above, but with partial success only: when checking the certificates in use with

    echo 'Q' | openssl s_client -connect localhost:portnumber -servername example.com -showcerts 2>&1 | grep -Eo 'CN=[^/]+' | uniq

    everything is okay for port numbers 465 (SMTPS) and 995 (POP3S), but on port 993 (IMAPS) the machine keeps using the server certificate chosen in the global settings.

    The server has already been restarted. What can I do to get the domain certificate delivered on port 993?

    0
  • Nelson Leiva

    Hello Sascha Schlüter, check what service is listening on port 993:

    netstat -tlnp | grep 993

    If you see anything other than Dovecot, for example, beam (kolab) then this is the cause of the issue.

    Kolab does not support SNI at the moment.

    As a workaround, you may want to use POP3 to connect mail clients instead or uninstall Plesk Premium Mail extension.

    0
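    The port-by-port certificate check from Sascha's comment and Nelson's listener check, combined into one script. This is an added example, not code from the article or its commenters; the host names, the CN-matching rule and the embedded s_client sample are constructed assumptions.

```shell
#!/bin/sh
# Added example (not the article's or the commenters' code): report which certificate
# each implicit-TLS mail port presents for an SNI name; on a mismatch, show the listener.

# Extract the leaf subject CN from `openssl s_client` output on stdin. Handles both
# "subject=/CN=host" (OpenSSL 1.0) and "subject=CN = host" (OpenSSL 1.1.1+) forms.
parse_cn() {
    grep '^subject=' | head -n 1 | sed -E 's/.*CN ?= ?([^/,]+).*/\1/; s/[[:space:]]+$//'
}

# Does certificate CN $1 cover host name $2? Exact match, or a wildcard for the same
# parent; a wildcard never covers the apex ("*.example.com" does not match "example.com").
cn_matches() {
    [ "$1" = "$2" ] && return 0
    case "$2" in
        *.*.*) [ "$1" = "*.${2#*.}" ] ;;
        *) return 1 ;;
    esac
}

# Connect to $1:$2 with SNI name $3 and print the CN presented. Implicit TLS only (465/993/995).
cert_cn_for() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null | parse_cn
}

# Check 465/993/995 on host $1, expecting a certificate valid for name $2; returns 1 on mismatch.
check_mail_ports() {
    rc=0
    for port in 465 993 995; do
        cn=$(cert_cn_for "$1" "$port" "$2")
        if cn_matches "$cn" "$2"; then
            echo "port $port: OK ($cn)"
        else
            echo "port $port: MISMATCH (got '$cn', wanted '$2')"
            # Who owns the socket? Anything but dovecot/postfix (e.g. beam.smp) explains it.
            ss -tlnp 2>/dev/null | grep ":$port " || true
            rc=1
        fi
    done
    return $rc
}
# Constructed sample of s_client output (OpenSSL 1.1.1 format) so the parser runs offline.
SAMPLE='---
subject=CN = mail.example.com
issuer=C = US, O = Example CA, CN = Example R3
---'
demo_cn() { printf '%s\n' "$SAMPLE" | parse_cn; }
# Usage: sh check_mail_sni.sh mail.example.com mail.example.com (no args: offline demo)
if [ $# -ge 2 ]; then check_mail_ports "$1" "$2"; else echo "sample CN: $(demo_cn)"; fi
```

    Ports 25 and 587 use STARTTLS and are not covered here; they would need `-starttls smtp` instead of a plain connect.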
  • Sascha Schlüter

    Hi Nelson, thanks for this hint. The command shows

    tcp        0      0 127.0.0.1:9993          0.0.0.0:*               LISTEN      6195/dovecot        

    tcp6       0      0 :::993                  :::*                    LISTEN      368/beam.smp

    If I get you right, the installed Plesk Premium Email causes my problems and I have to uninstall it. How can that be done? Unfortunately, there is no uninstall option in the Plesk UI as far as I can see.

    0
  • Julian Bonpland Mignaquy

    Hi Sascha Schlüter, you may remove it in Plesk > Extensions > Plesk Premium Email.

    0
  • Sascha Schlüter

    Thank you, Julian!

    0
  • Hany S. Hanna

    Hello Anton Maslov

    You mentioned that "The problem you are talking I suppose known as "Reverse DNS does not match SMTP Banner", to make it work properly the following conditions should be met:

    1. Your SMTP banner(HELO) should be example.com which resolve e.g. to IP 192.168.0.1
    2. You domain mail should be sent then from IP 192.168.0.1
    3. Your PTR record for 192.168.0.1 should point to example.com "

    Does this mean that if the 3 conditions above have been met, the Mismatch alert in MXToolBox will disappear, or will this only affect the servers' communications?

    Thank you

    0
  • peterbo

    Is there any development in this area? When will the Plesk Premium Email Extension start supporting SNI?

    0
  • Ivan Postnikov

    Hello peterbo

    There are plans to add SNI support to Premium Email. The exact ETA will be available later.

    0
  • Denis Bykov

    @Hany S. Hanna
    That will address both issues. Some mail providers are more inclined to consider the mail spam if those conditions aren't met by the sender, hence the warning notice on MXToolBox.

    1
  • Felipe Martini

    This is not working yet for Plesk Premium Email? I really need someone to help me, please. I'm losing my clients because they can't use Outlook.

    0
  • Ivan Postnikov

    Hello Felipe Martini,

    Starting from version 16.12, Plesk Premium Email extension supports SNI.

    To enable SNI for the domain with the new or updated mail certificate:

    1. Log in to Plesk
    2. Protect the domain with an SSL certificate
    3. Install the latest extension updates
    4. Open the Plesk Premium Email extension and click the Fix button:

    Note: the Fix button should be pressed every time a certificate for mail service is installed or updated.

    0
  • Felipe Martini

    I did not find this Fix button. Where is that?

    0
  • Ivan Postnikov

    Hello Felipe Martini

    According to the information I have, it should look like below after getting a new or updating the mail certificate:

    In case this won't work for you I suggest submitting a request to Plesk support.

    0
  • awshima

    I was having issues with this configuration, then I found out that you need to configure the email client using the server address in the format "domain.com" or "mail.domain.com". If you use any other name (e.g. smtp.domain.com), the server won't return the correct certificate (even with a Let's Encrypt wildcard certificate installed).

    0
  • Leonid Gukhman

    @awshima

    Yes, using example.com is the intended way to specify the mail server in the client's settings.

    0
