Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
Is it possible to secure the mail server mail.example.com with a Let's Encrypt SSL certificate when the A record for example.com is pointing to another server?
Answer
Since the release of version 1.16.0 of the SSL It! extension and version 3.2.9 of the Let's Encrypt extension for Plesk (14 January 2025), it is possible to secure only mail.example.com when example.com points to another server's IP address via its DNS A record.
Note: This solution can be applied only if mail.example.com is removed as a separate domain or subdomain from Plesk and the hosting type of the example.com domain in Plesk is changed to No web hosting.
To do so, apply the following steps:
2. Navigate to Domains > example.com > Hosting Settings
3. Set the Hosting type to No web hosting:
Warning: Doing this removes all website files from the directories of this domain.
4. Go to Domains > example.com > SSL/TLS Certificates
5. Issue a Let's Encrypt SSL certificate for example.com, making sure the Secure mail on this domain and Assign the certificate to the mail domain options are checked
If you do not want to change the hosting type of your domain to No web hosting for some reason, you may instead apply one of the following workarounds:
As an alternative, you may purchase an SSL certificate from another SSL vendor (not Let's Encrypt) and install it for your domain by following the steps in this article:
How to install an SSL certificate from 3rd party certificate authorities for a domain in Plesk?
Afterwards, set up the SSL certificate to be used for mail by following the steps on this page of the Plesk Obsidian documentation:
Protecting Webmail and Mail with SSL/TLS Certificates | Plesk Obsidian documentation
Warning: Setting a certificate from a different domain for mail is a temporary solution. Each Let's Encrypt renewal deletes the old certificate and issues a new one, so the old certificate selected for example.com becomes unchecked. After every Let's Encrypt renewal, the certificate must therefore be assigned to the domain again, either manually or with a script.
- Create a separate web hosting enabled subdomain mail.example.com
- Go to Domains > mail.example.com > Dashboard > SSL/TLS Certificates
- Issue a new and separate Let's Encrypt SSL certificate for this subdomain
- Go to Domains > example.com > Mail > Mail Settings
- Set the SSL/TLS certificate for mail to Let's Encrypt mail.example.com
- Press Apply
Note: In case example.com has no web hosting, it's necessary to create a new separate Subscription for the subdomain mail.example.com.
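The renewal warning above means the mail service can end up serving a certificate that does not cover mail.example.com. The following check is an added example, not part of the original article or of Plesk's tooling: it connects to the implicit-TLS mail ports (465, 993 and 995, an assumption about which services are enabled) and reports a certificate that does not cover the mail hostname, fails chain validation, or is close to expiry. STARTTLS ports are not covered, and the function names and the 14-day threshold are illustrative.

```python
import socket
import ssl
import time

# Added example: names and thresholds are illustrative, not Plesk's own.
def covers(cert: dict, hostname: str) -> bool:
    """True if a DNS subjectAltName matches hostname (left-most wildcard allowed)."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def evaluate(cert: dict, hostname: str, now: float, min_days: int = 14) -> list:
    """Return a list of problems; an empty list means the certificate is fine."""
    problems = []
    if not covers(cert, hostname):
        problems.append("certificate does not cover " + hostname)
    remaining = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if remaining < min_days:
        problems.append("certificate expires in %.0f days" % remaining)
    return problems

def fetch_cert(host: str, port: int, timeout: float = 10.0) -> dict:
    """Fetch the leaf certificate from an implicit-TLS port (465, 993, 995)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared in evaluate()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def check_mail_host(host: str, ports=(465, 993, 995)) -> dict:
    """Map each port to its list of problems; an untrusted chain shows up as a failed connection."""
    report = {}
    for port in ports:
        try:
            report[port] = evaluate(fetch_cert(host, port), host, time.time())
        except (ssl.SSLError, OSError) as exc:
            report[port] = ["TLS connection failed: %s" % exc]
    return report

if __name__ == "__main__":
    for port, problems in check_mail_host("mail.example.com").items():
        print(port, "OK" if not problems else "; ".join(problems))
```

Run it from a host other than the mail server, for example from cron after each expected renewal, and alert on any non-empty problem list.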
Comments
4 comments
As Plesk is unable to fix this behaviour for years now I've made a small Script which works around the issue - hope it helps ya all! ;-)
https://github.com/futureweb/Plesk-Postfix-SNI-TLS-Cert-Fixer
I am looking for a help solution, not for another problem.
Is this a joke? This makes no sense!
That means we can't sell 'email only' accounts?!
I have one client right now in this situation, and Plesk has created a huge problem for them.
I host hundreds of domains across multiple servers. It’s impractical to monitor when a mail.example.com certificate will renew and manually reassign it—it’s absurd. Please fix this. When a certificate auto-renews and is assigned to mail services, it should be reassigned automatically to avoid client alerts.