Applicable to:
- Plesk for Linux
Question
How to verify that SSL for IMAP/POP3/SMTP works and a proper certificate is installed?
Answer
Using online checkers
Check SSL using online tools:
- ImmuniWeb® SSLScan
- SSL Checker - SSL Certificate Verify
- SSL Server Test (Powered by Qualys SSL Labs)
Using a Linux server
Any Linux server can be used for these tests. If you do not have a Linux server, use the online checkers above.
To verify SSL, connect to any Linux server via SSH and use the instructions below:
- Connect to a mail server using openssl:
    # openssl s_client -showcerts -connect mail.example.com:993 -servername mail.example.com
- Check output and make sure that a valid certificate is shown:
    Server certificate
    subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
- Make sure that you received IMAP server response:
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=PLAIN IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
- Connect to a mail server using openssl:
    # openssl s_client -showcerts -connect mail.example.com:995 -servername mail.example.com
- Check output and make sure that a valid certificate is shown:
    Server certificate
    subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
- Make sure that you received POP3 server response:
    +OK Hello there. 1793.1385684315@localhost.localdomain
- Connect to a mail server using openssl:
    # openssl s_client -showcerts -connect mail.example.com:465 -servername mail.example.com
- Check output and make sure that a valid certificate is shown:
    Server certificate
    subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
- Make sure that you received SMTP server response:
    220 mail.example.com ESMTP Postfix
Note: To use port 587 the submission port should be enabled in Plesk:
- Connect to a mail server using openssl:
    # openssl s_client -starttls smtp -showcerts -connect mail.example.com:25 -servername mail.example.com
- Check output and make sure that a valid certificate is shown:
    Server certificate
    subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
- Make sure that you received SMTP server response:
    250 DSN
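The manual checks above (certificate subject and issuer, then the protocol greeting) can be applied to a saved openssl s_client transcript. This is an added example, not part of the original article or of Plesk's tooling. Assumptions: the function name check_mail_tls, its report format and both sample transcripts are constructed for illustration, and only the subject CN is compared with the expected host.

```shell
# Added example. Reads one `openssl s_client` transcript on stdin, e.g.
#   openssl s_client -connect HOST:993 -servername HOST </dev/null 2>&1
# Arguments (names are this example's own): expected host, banner prefix.
check_mail_tls() {
    want_host=$1 banner=$2 problems=
    out=$(cat)
    # The first subject=/issuer= pair describes the server (leaf) certificate.
    subject=$(printf '%s\n' "$out" | sed -n 's|^subject=||p' | head -n 1)
    issuer=$(printf '%s\n' "$out" | sed -n 's|^issuer=||p' | head -n 1)
    # CN in old (/CN=host) or new (CN = host) s_client formatting.
    cn=$(printf '%s\n' "$subject" | sed -n 's|.*CN *= *\([^/,]*\).*|\1|p')
    code=$(printf '%s\n' "$out" |
        sed -n 's|.*Verify return code: \([0-9]*\).*|\1|p' | head -n 1)
    [ "$code" = 0 ] || problems="$problems chain-unverified(${code:-none})"
    if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then
        problems="$problems self-signed"
    fi
    case $cn in
        "$want_host") ;;
        '*.'*) [ "${want_host#*.}" = "${cn#\*.}" ] ||
                   problems="$problems name-mismatch($cn)" ;;
        *) problems="$problems name-mismatch($cn)" ;;
    esac
    # The protocol greeting proves the service answered inside the TLS session.
    printf '%s\n' "$out" |
        awk -v p="$banner" 'index($0, p) == 1 { f = 1 } END { exit !f }' ||
        problems="$problems no-banner"
    if [ -z "$problems" ]; then echo "OK cn=$cn"; return 0; fi
    echo "FAIL cn=$cn:$problems"; return 1
}

# Constructed transcripts (trimmed): the article's IMAP case, and a POP3
# port still presenting a self-signed certificate for the server hostname.
sample_imap_ok() { cat <<'EOF'
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
    Verify return code: 0 (ok)
* OK [CAPABILITY IMAP4rev1 IDLE] Courier-IMAP ready.
EOF
}
sample_pop3_bad() { cat <<'EOF'
subject=CN = my.server.com
issuer=CN = my.server.com
    Verify return code: 18 (self signed certificate)
+OK Hello there.
EOF
}
sample_imap_ok | check_mail_tls mail.example.com '* OK'
sample_pop3_bad | check_mail_tls mail.example.com '+OK' || true
```

s_client does not check the hostname by default, so a return code of 0 only covers the chain; add -verify_hostname mail.example.com (OpenSSL 1.1.0 and later) when capturing the transcript for an authoritative name check that includes subjectAltName entries.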
Comments
I have a similar problem, as OVH Let's Encrypt SSL won't work, and mail certifies by domain always resort to ovh address.
@Henri, could you please describe the issue in more detail?
@Lev Iurev
Hi,
For starters I must say I'm very new to this and this is my first server setup with Plesk and mail server.
Would you recommend 1 serverwide certificate to secure multiple domains or every domain with own certificate as my vps is with shared IP?
The problem is that I can't make a certificate now for my OVH vps because the number of *.ovh.net certs is restricted by Let's Encrypt. So should I get an own domain for the vps and plesk server and get a certificate for that, or could and should I get separate domain name certificates to work with each domain? As for now the domains seem to show the vps plesk self signed certificate even though they are set to Let's Encrypt via Plesk panel.
Is there a way to force certificates to domain and bypass the plesk certificate and check them after they are set that they truly are correct? Do I just need some refresh? I have used something like for now:
@Henri Pelkonen,
>Would you recommend 1 serverwide certificate to secure multiple domains or every domain with own certificate as my vps is with shared IP?
I would use free Let's Encrypt certificates to secure my domains.
>Is there a way to force certificates to domain and bypass the plesk certificate and check them after they are set that they truly are correct?
Make sure that SSL/TLS support is enabled and Let's Encrypt certificate is selected in Domains > example.com > Hosting Settings > Security
Afterwards, use the following command to check which cert is used for a domain (where example.com is the domain name):
Is it normal that when I request:
openssl s_client -showcerts -connect mail.example.com:995
I receive my server certificate:
s:/CN=my.server.com
???
The first address is for a client, and they use my.server.com as an address for using IMAP and SMTP, not their domain name.
Hello @Alaa Mansour,
This report depends on a certificate selected for securing mail in Plesk:
How to secure a Plesk mail server with an SSL certificate (Let's Encrypt / other certificate authorities)?
You have selected a certificate issued for the server hostname for the "Certificate for securing mail" at the "Plesk > Tools & Settings > SSL/TLS certificates" page, thus, you receive the next output:
If you select certificate issued for a website, e.g. example.com, for securing mail, the output will be the following:
Keep in mind that an SSL certificate secures the entire mail server and all domains on it. Currently, it is not possible to secure domains in Plesk with a separate SSL certificate for the mail server.
Adding to @Nikita Nikushkin note, vary his nice example with
...presuming standard ports of course.
Also, while the original article mentions using some online TLS check tools (and the Qualys 'Server Test' is particularly good), these test certificates on a web server, not Email.
For a very good online Email TLS check I'd recommend https://www.checktls.com/ which gives you a complete check on TLS setup to mail send/receive on your mail server. It doesn't test client protocols though like POP3 or IMAP.