
How to assign an SSL certificate per domain to secure the mail server in Plesk (SNI support)?


Applicable to:

  • Plesk Obsidian for Linux
  • Plesk Obsidian for Windows

Question

How to assign an SSL certificate per domain to secure the mail server in Plesk (SNI support)?

Answer

Requirements

  Plesk                       | Mail server                | Operating system
  ----------------------------+----------------------------+------------------------------------------
  Plesk Obsidian for Windows  | MailEnable 10.20 and above | All currently supported operating systems
  Plesk Obsidian for Linux    | Postfix + Dovecot          | All currently supported operating systems

Warning: If you're switching from Courier to Dovecot, be aware of potential issues.

  1. Log into Plesk

  2. Issue a Let's Encrypt certificate for a domain, or upload a paid certificate

  3. For each of the domains that should have a separate mail certificate, navigate to Domains > example.com > Mail > Mail Settings

  4. Select the domain's certificate in the SSL/TLS certificate for mail dropdown.

  5. Click on Apply

  6. Verify that the separate mail certificate is used:

    • On Windows:

      1. Connect to the server via RDP

      2. Run OpenSSL with the mail server's domain and check the certificate's CN field:

        PS echo 'Q' | plesk sbin openssl s_client -connect localhost:465 -servername example.com -showcerts 2>&1 | SLS -Pattern 'CN=[^/]+' | % { $_.Matches } | % { $_.Value } | Get-Unique
        CN=example.com

    • On Linux:

      1. Connect to the server via SSH

      2. Run OpenSSL with the mail server's domain and check the certificate's CN field:

        # echo 'Q' | openssl s_client -connect localhost:465 -servername example.com -showcerts 2>&1 | grep -Eo 'CN=[^/]+' | uniq
        CN=example.com
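The verification step above reports every CN it finds, including the issuer's, and its pattern only matches the "CN=" form that older OpenSSL builds print. The script below is an added example (not Plesk's own tooling) that reads only the leaf certificate's subject line, accepts both the "/CN=example.com" and "CN = example.com" subject formats, and exits non-zero when the name requested via SNI is not covered by the certificate presented, so it can be run from cron after renewals. It assumes openssl on PATH and a mail server listening on localhost:465; the sample output fragments are constructed.

```shell
#!/bin/sh
# Added example, not Plesk's own tooling: check which certificate the mail server
# presents for a given SNI name. It parses only the leaf "subject=" line, so the
# issuer's CN is not reported, and it accepts both OpenSSL subject formats
# ("/CN=example.com" from 1.0.x, "CN = example.com" from 1.1+).

# Constructed sample fragments of openssl s_client output (not real captures).
SAMPLE_OLD='subject=/C=US/O=Example Org/CN=example.com
issuer=/C=US/O=Example CA'
SAMPLE_NEW='subject=C = US, O = Example Org, CN = example.com
issuer=C = US, O = Example CA'

# Read s_client output on stdin and print the CN of the presented certificate.
extract_cn() {
    sed -n 's/^subject=.*CN *= *\([^/,]*\).*$/\1/p' | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 when CN covers the SNI name: exact match, or a wildcard for its parent.
cn_matches() {
    cn=$1; name=$2
    [ "$cn" = "$name" ] && return 0
    case "$cn" in
        \*.*) [ "${cn#\*.}" = "${name#*.}" ] && return 0 ;;
    esac
    return 1
}

# Fetch the certificate offered for NAME on HOST:PORT and print its CN.
# Assumes openssl is on PATH; on Plesk for Windows use "plesk sbin openssl".
sni_cn() {
    echo 'Q' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null | extract_cn
}

# Exit non-zero when a domain is still served by the default chain, so the check
# can run from cron after certificate renewals.
check_mail_sni() {
    name=$1; port=${2:-465}
    cn=$(sni_cn localhost "$port" "$name")
    if cn_matches "$cn" "$name"; then
        echo "OK   $name:$port presents CN=$cn"
        return 0
    fi
    echo "FAIL $name:$port presents CN=${cn:-<none>}, expected $name" >&2
    return 1
}

# Usage: sh check_mail_sni.sh example.com [port]
if [ $# -gt 0 ]; then
    check_mail_sni "$@"
fi
```

Pass a second argument to point the same check at another TLS port on the server, for example the IMAPS port, once you have confirmed which services Plesk configured for SNI.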


Comments

2 comments
  • This command didn't work for me:

    echo 'Q' | openssl s_client -connect localhost:465 -servername example.com -showcerts 2>&1 | grep -Eo 'CN=[^/]+' | uniq

    I had to modify this part: grep -Eo 'CN=[^/]+' into grep -Eo 'CN\s*=[^/]+' because of the space character before "=".

    Also, the new command:

    echo 'Q' | openssl s_client -connect localhost:465 -servername example.com -showcerts 2>&1 | grep -Eo 'CN\s*=[^/]+' | uniq

  • A remaining problem is the following:

    Assume that we have a server server.example.com running Plesk. This server manages multiple domains, including example.com.

    From the time when SNI for outgoing mail was not possible, some clients still use server.example.com as an SMTP smarthost address. When opening a connection to the default server name (server.example.com), Postfix complains:

    server postfix/smtpd[processnumber]: TLS SNI server.example.com from connect-ing-client-name[client IP] not matched, using default chain

    ```postmap -s /var/spool/postfix/plesk/certs | awk '{print $1}'``` shows entries for mail.domain.com and domain.com, but not server.domain.com. So what is missing is that /var/spool/postfix/plesk/certs also contains an entry for the domains for which Plesk automatically (https://docs.plesk.com/en-US/obsidian/administrator-guide/plesk-administration/securing-plesk/securing-plesk-and-the-mail-server-with-ssltls-certificates.59466/) has created TLS certificates.
    This is actually also recommended practice according to https://www.postfix.org/postconf.5.html#tls_server_sni_maps: "Note that the SNI lookup tables should also have entries for the domains that correspond to the Postfix SMTP server's default certificate(s). This ensures that the remote SMTP client's TLS SNI extension gets a positive response when it specifies one of the Postfix SMTP server's default domains, and ensures that the Postfix SMTP server will not log an SNI name mismatch for such a domain." 

