How to verify that SSL for IMAP/POP3/SMTP works and the proper certificate is installed?

Comments (12)

  • Ruben

    I have a domain with an SSL certificate, but I have some problems because when I check the certificate it always shows me the Plesk default certificate.

    I need smtp.domain.ltd to use the domain certificate, not the Plesk default certificate (self-signed).

    I thought of changing the Postfix certificate, but this is not correct, because if I change this default certificate it applies to all my domains.

    /etc/postfix/postfix_default.pem

    I need to know how to apply this certificate to the domain.

    Thanks

  • Lev Iurev

    @Ruben, do you want to secure mail or domain?

  • Ruben

    I want to secure my mail too. At this moment I have secured my domain with a certificate, but when I send a mail, it is sent signed with the default Plesk certificate. I want to apply the domain certificate to the emails of this domain.

    I have multiple domains and multiple certificates, but I want to use the same certificate for the domain and its emails.

    Regards

  • Lev Iurev

    Hi @Ruben, is the problem still relevant?

  • Henri Pelkonen

    I have a similar problem, as OVH Let's Encrypt SSL won't work, and mail certificates by domain always resort to the OVH address.

  • Lev Iurev

    @Henri, could you please describe the issue in more detail?

  • Markus Wernecke (Edited)

    Hi all, @Lev Iurev, @Alexandr Tumanov,

    I think it could be the same as @Ruben has: "unable to get local issuer certificate".

    I secured Plesk, email and IPs with the new Let's Encrypt option by using a server-wide certificate.

    Using Postfix, Dovecot and Horde webmail.

    All domains have certificates by Let's Encrypt for the domain and webmail.

    But "Log on the server example.com failed". Here is my full output of the first command (a.) from this article:

    root@server:~# openssl s_client -showcerts -connect mail.example1.com:993
    CONNECTED(00000003)
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify error:num=20:unable to get local issuer certificate
    ---
    Certificate chain
    0 s:/CN=server.example.eu
    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    -----BEGIN CERTIFICATE-----
    Deleted for security reasons
    2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCB
    ngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkg
    UmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUg
    Q2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQu
    Deleted for security reasons
    -----END CERTIFICATE-----
    1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    -----BEGIN CERTIFICATE-----
    Deleted for security reasons
    DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
    SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
    Deleted for security reasons
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/CN=server.arox.eu
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3631 bytes and written 433 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: Deleted for security reasons17C1AE10681Deleted for security reasons
    Session-ID-ctx:
    Master-Key: Deleted for security reasonsE211431647DE1Deleted for security reasons
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - Deleted for security reasons
    0010 - 4f c9 38 Deleted for security reasons6f e5
    0020 - e9 91 56Deleted for security reasons43 4f a0
    0030 - Deleted for security reasonsc3 2b 56 c9 57 c9
    0040 - fhoffjopvf Deleted for security reasons
    0050 - 43 5dDeleted for security reasons
    0060 - 7d a4 c9 fa 1a 41Deleted for security reasons
    0070 - d4 4f 28 e5 5cDeleted for security reasons
    0080 - c7 c1 58 3Deleted for security reasons
    0090 - 8d b7 4a 3Deleted for security reasons

    Start Time: 1504287685
    Timeout : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    ---
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
    * BYE Disconnected for inactivity.
    closed
    root@server:~# ^C


  • Artyom Baranov

    @Markus Wernecke,

    Hi! I could not reproduce the same on my side:

    # openssl s_client -showcerts -connect mail.cosirex.com:993
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = server.arox.eu
    verify return:1

    Does the issue still persist?

  • Henri Pelkonen (Edited)

    @Lev Iurev

    Hi,

    For starters I must say I'm very new to this, and this is my first server setup with Plesk and a mail server.

    Would you recommend 1 server-wide certificate to secure multiple domains, or every domain with its own certificate, as my VPS is on a shared IP?

    The problem is that I can't make a certificate now for my OVH VPS because the number of *.ovh.net certs is restricted by Let's Encrypt. So should I get my own domain for the VPS and Plesk server and get a certificate for that, or could and should I get separate domain name certificates to work with each domain? As for now, the domains seem to show the VPS Plesk self-signed certificate even though they are set to Let's Encrypt via the Plesk panel.

    Is there a way to force certificates to a domain and bypass the Plesk certificate, and check them after they are set that they truly are correct? Do I just need some refresh? I have used something like this for now:

    true | openssl s_client -connect YOUR-DOMAIN.COM:995 | openssl x509 -noout -text | grep DNS:

  • Artyom Baranov

    @Henri Pelkonen,

    >Would you recommend 1 serverwide certificate to secure multiple domains or every domain with own sertificate as my vps is with shared IP?

    I would use free Let's Encrypt certificates to secure my domains.

    >Is there a way to force certificates to domain and bypass the plesk certificate and check them after they are set that tey truly are correct?

    Make sure that SSL/TLS support is enabled and the Let's Encrypt certificate is selected in Domains > example.com > Hosting Settings > Security.

    Afterwards, use the following command to check which cert is used for a domain (where example.com is the domain name):

    # openssl s_client -showcerts -servername example.com -connect example.com:443
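    Added example (not part of the Plesk article or of any commenter's post): a small shell script around the openssl s_client check used throughout this thread, i.e. the command in the answer above and the transcript Markus posted earlier. tls_probe_cmd builds the probe for a mail port with -servername (SNI), so a server hosting several domains is asked for this domain's certificate rather than its default one, and with -verify_hostname, so OpenSSL checks the SAN/CN itself; classify_s_client reads s_client output and tells apart the outcomes seen in the thread: a verified chain for the expected name, a self-signed default certificate still being served, and verify error 20, where the depth at which the error is raised decides whether the server omitted its intermediate or the checking machine simply lacks the root in its trust store. The hostnames and the two sample transcripts are constructed placeholders modeled on the redacted output above; -verify_hostname needs OpenSSL 1.1.0 or newer.

```bash
#!/usr/bin/env bash
# Added example, not from the Plesk article or the commenters.
#   tls_probe_cmd     - builds an openssl s_client command for a mail port with
#                       SNI (-servername) and -verify_hostname (OpenSSL >= 1.1.0).
#   classify_s_client - reads s_client output on stdin and says whether the
#                       served certificate is the expected one and, if not,
#                       whether the server or the local trust store is at fault.
# Hostnames and sample transcripts below are constructed placeholders.

tls_probe_cmd() {
  host=$1; port=$2
  # 993/995/465 are implicit TLS; the others need STARTTLS negotiation first.
  case $port in
    143)    st="-starttls imap" ;;
    110)    st="-starttls pop3" ;;
    25|587) st="-starttls smtp" ;;
    *)      st="" ;;
  esac
  printf 'openssl s_client -showcerts -connect %s:%s -servername %s -verify_hostname %s %s </dev/null\n' \
    "$host" "$port" "$host" "$host" "$st"
}

classify_s_client() {
  expected=$1
  out=$(cat)
  # OpenSSL's final verdict: "Verify return code: N (...)"
  code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n1)
  # How many certificates the server actually sent ("0 s:", "1 s:", ...)
  chain=$(printf '%s\n' "$out" | grep -c '^ *[0-9] s:' || true)
  # CN of the leaf from the "subject=" line (old "/CN=x" and new "CN = x" styles)
  subject=$(printf '%s\n' "$out" \
    | sed -n 's/^ *subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n1 | sed 's/[[:space:]]*$//')
  # Depth at which the first "verify error" was raised
  errdepth=$(printf '%s\n' "$out" \
    | awk '/^ *depth=[0-9]/{d=$0; sub(/^ *depth=/,"",d); sub(/[^0-9].*/,"",d)} /verify error/{print d; exit}')

  case $code in
    "")    echo "NO_HANDSHAKE: no 'Verify return code' line; TLS was not negotiated on this port" ;;
    0)     if [ "$subject" = "$expected" ]; then
             echo "OK: chain verified, leaf CN=$subject"
           else
             echo "WRONG_CERT: chain verifies but leaf CN=$subject, expected $expected"
           fi ;;
    18|19) echo "SELF_SIGNED: server presents a self-signed certificate (CN=$subject); the domain certificate is not the one selected for mail" ;;
    21)    echo "MISSING_INTERMEDIATE: server sent $chain certificate(s) and the leaf's issuer is absent; install the full chain on the server" ;;
    20)    if [ "${errdepth:-0}" -ge 1 ]; then
             echo "LOCAL_TRUST: server sent $chain certificate(s); the issuer at depth $errdepth is not in the local trust store (try -CAfile/-CApath)"
           else
             echo "MISSING_INTERMEDIATE: server sent $chain certificate(s) and the leaf's issuer is absent; install the full chain on the server"
           fi ;;
    62)    echo "HOSTNAME_MISMATCH: certificate CN=$subject does not cover $expected" ;;
    *)     echo "VERIFY_FAIL: OpenSSL verify return code $code" ;;
  esac
}

# Constructed sample modeled on the redacted transcript in the thread:
# the server sends leaf + intermediate, but the checking client lacks the root.
sample_root_missing() {
cat <<'EOF'
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=mail.example1.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=mail.example1.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Constructed sample: the server still hands out a self-signed default certificate.
sample_self_signed() {
cat <<'EOF'
depth=0 CN = plesk, O = Plesk
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=plesk/O=Plesk
   i:/CN=plesk/O=Plesk
---
Server certificate
subject=/CN=plesk/O=Plesk
    Verify return code: 18 (self signed certificate)
EOF
}

# Stand-alone run: print the probe command and classify both samples.
tls_probe_cmd mail.example1.com 993
sample_root_missing | classify_s_client mail.example1.com
sample_self_signed  | classify_s_client mail.example1.com
```

    Run over the transcript Markus posted (two certificates sent, error raised at depth=1, final return code 20), the script reports LOCAL_TRUST: the server's chain is complete and it is the root (DST Root CA X3 at the time) that is missing from the checking machine's trust store, which fits Artyom getting verify return:1 at depth=2 from a different machine. A mail port still serving the Plesk default certificate shows up as SELF_SIGNED or WRONG_CERT, which is the symptom Ruben and Henri describe; in that case the fix is on the server side (select the domain certificate for mail), not on the client.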

     

  • Markus Wernecke

    Hi @Artyom Baranov,

    Thanks a lot for answering and for the help.

     openssl s_client -showcerts -connect mail.cosirex.com:993
    CONNECTED(00000003)
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify error:num=20:unable to get local issuer certificate

    Yes, it still exists: the connection is made, but then nothing more happens in delivery. I wonder why you get different output. The problem is that I have 5 email addresses under this domain, and none of their emails are delivered. BUT other domains' emails are okay. Important (or not): I use this domain cosirex.com for the 1st own DNS with an additional shared IP 17.160.167.167 as reverse mapping.

    The standard server IP refers to the hostname server.arox.eu as the reverse mapping entry, which is the usual recommended configuration. The whole Plesk mail system is configured to send over the domains' IP addresses (first option).

    The 2nd own DNS domain, with another additional (shared) IP, is working fine with email.

    Here is the error we are talking about; as an example, what I get in Thunderbird (mail returned to sender address info@cosirex.com):

    From: Mail Delivery System <MAILER-DAEMON@server.arox.eu> (server hostname)
    Subject: Undelivered Mail Returned to Sender
    To: info@cosirex.com

    This is the mail system at host server.arox.eu.
    
    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.
    
    For further assistance, please send mail to postmaster.
    
    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.
    
                       The mail system
    
    <emailaddress-receiver@t-online.de>: host mx02.t-online.de[194.25.134.9] refused to talk to
        me: 554 IP=217.160.167.167 - A problem occurred. (Ask your postmaster for
        help or to contact tosa@rx.t-online.de to clarify.) (BL)

    Reporting-MTA: dns; server.arox.eu
    X-Postfix-Queue-ID: A0ED2200127
    X-Postfix-Sender: rfc822; info@cosirex.com
    Arrival-Date: Thu,  3 Aug 2017 15:15:44 +0200 (CEST)

    Final-Recipient: rfc822; emailaddress-receiver@t-online.de
    Original-Recipient: rfc822;emailaddress-receiver@t-online.de
    Action: failed
    Status: 4.0.0
    Remote-MTA: dns; mx02.t-online.de
    Diagnostic-Code: smtp; 554 IP=217.160.167.167 - A problem occurred. (Ask your
        postmaster for help or to contact tosa@rx.t-online.de to clarify.) (BL)

    ForwardedMessage.eml

  • Artyom Baranov

    @Markus Wernecke,

    Hi! I suggest checking /var/log/maillog to determine the reason why emails are not delivered.

    I believe you will find the solution in one of our mail-related KB articles.
