- Plesk for Linux
How to change the default certificates for SMTP, IMAP, and POP3 over SSL?
Note: In Plesk Onyx it is possible to secure Mail Server with Free Let's Encrypt certificate. Additional information can be found in How to secure mail server with Let's Encrypt certificate
The certificate for SMTP over SSL is located in the following files:
- For Postfix MTA:
- For QMail MTA:
- For Dovecot:
- For a Courier-IMAP server (for IMAP4 and POP3 over SSL):
If some files were not found using the paths above, it means that the service is not installed.
By default, these are self-signed certificates for Plesk which are generated during the Plesk installation. If it is required to set up own certificates, copy and paste new certificate and private key to the appropriate files (create a backup before changing any files) and restart the
courier-imap/dovecot services (for Plesk version 9.x and later):
# /usr/local/psa/admin/sbin/mailmng --restart-service
The certificate must contain name of the domain it was issued for. This is to avoid a warning that the certificate name does not match that of the host mail client is connecting to. For example, if the certificate was issued for
example.com should be specified as the connection string in mail client preferences for SMTP/POP3/IMAP servers.
Note: There is a single certificate for each of these services: SMTP, IMAP, and POP3 over SSL. Multiple certificates cannot be used for multiple Plesk domains. The best chain recommended by Plesk is Postfix+Dovecot.
/var/qmail/control/servercert.pem should include:
- The Private Key
- The primary certificate
- The intermediate certificate
- The root certificate
Make sure that the begin and end tags of the key are included, along with the dash lines. The resulting text should look like:
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key here)
-----END RSA PRIVATE KEY-----
(Your Primary SSL certificate here)
(Your Intermediate certificate here)
(Your Root certificate here)
The body of the SSL certificate in
/usr/share/pop3d.pem should look like:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
The SSL certificate can only be installed together with the appropriate Private Key that was generated with Certificate Signed Request (CSR) used by the Certificate Authority to generate the certificate. The private key is only stored on the server, and this cannot be rebuilt to match an existing certificate.
If the private key has been lost, the certificate can no longer be installed.
To install the SSL certificate, find the private key. If this is not possible to locate the private key, contact the Certificate Authority who issued the certificate. They will reissue the SSL certificate.
Refer the following KB article to install SSL certificate issued for domain: