Applicable to:
- Plesk 12.5 for Linux
- Plesk Onyx for Linux
- Plesk 11.x for Linux
- Plesk 12.0 for Linux
Question
How to verify that SSL for IMAP/POP3/SMTP works and proper certificate is installed?
Answer
Note: To change the default certificates, visit How to сhange the default certificates for SMTP, IMAP, and POP3 over SSL article.
Without SSH connection
Online SSL test can be performed on https://www.ssllabs.com/ssltest/ also, however, manual test gives direct result and more complete as SSLLabs does not test IMAP SSL.
Using SSH connection to any server
Any other Linux server can be used to test your one. If you don't have another Linux server, use online test above or try finding online Linux shells.
To do this, you should be connected to any Linux server via SSH.
To verify SSL please use the following commands:
-
IMAP via SSL uses 993 port by default:
a. connect to mail server using
openssl:# openssl s_client -showcerts -connect mail.example.com:993
b. Check output and make sure that valid certificate is shown:
CONFIG_TEXT: Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2c. Make sure that you received IMAP server response:
CONFIG_TEXT: * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=PLAIN IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
-
POP3 via SSL uses 995 port by default:
a. connect to mail server using
openssl:# openssl s_client -showcerts -connect mail.example.com:995
b. Check output and make sure that valid certificate is shown:
CONFIG_TEXT: Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2c. Make sure that you received POP3 server response:
CONFIG_TEXT: +OK Hello there. <1793.1385684315@localhost.localdomain>
-
SMTP via SSL uses 465 port by default:
a. connect to mail server using
openssl:# openssl s_client -showcerts -connect mail.example.com:465
b. Check output and make sure that valid certificate is shown:
CONFIG_TEXT: Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2c. Make sure that you received SMTP server response:
CONFIG_TEXT: 220 mail.example.com ESMTP Postfix
Comments
12 comments
I have a domain with ssl certificate. but i have some problems because when i check the certificate always show me plesk default certificate.
I need the smtp.domain.ltd takes a domain certificate not the plesk default certificate (self signed).
I think to change the postfix certificate but this is not correct because if i change this default certificate, this certificates apply over all my domains.
/etc/postfix/postfix_default.pemI need to know how to apply this certificate over domainthanks@Ruben, do you want to secure mail or domain?
i want to secure my mail too. At this momment i have secure my domain with a certificate, but when i send a mail my mail sends sign with the default plesk certificate. I want to apply the domain certificate over emails of this domain.
I have multiples domains and multiples certificates but i want to use the same certificate for the domain and its emails.
regards
Hi @Ruben, is the problem still actual?
I have similar problem, as OVH Let's encrypt SSL won't work, and mail certifies by domain always resort to ovh address.
@Henri, could you please describe the issue in more details?
Hi at all, @Lev lurev , @Alexandr Tumanov ,
think it could be the same as @Ruben has. "unable to get local issuer certificate"
I secured Plesk and Email and IPs with the new Lets encrypt option by using serverwide certificate.
Using postfix, dovecot and horde webmail.
All domains with certificates by Letsencrypt for domain and webmail.
But "Log on the server example.com failed". Here is my full output of first command a. from this article
root@server:~# openssl s_client -showcerts -connect mail.example1.com:993
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=server.example.eu
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
Deleted for security reasons
2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCB
ngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkg
UmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUg
Q2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQu
Deleted for security reasons
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
Deleted for security reasons
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
Deleted for security reasons
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=server.arox.eu
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3631 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: Deleted for security reasons17C1AE10681Deleted for security reasons
Session-ID-ctx:
Master-Key: Deleted for security reasonsE211431647DE1Deleted for security reasons
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - Deleted for security reasons
0010 - 4f c9 38 Deleted for security reasons6f e5
0020 - e9 91 56Deleted for security reasons43 4f a0
0030 - Deleted for security reasonsc3 2b 56 c9 57 c9
0040 - fhoffjopvf Deleted for security reasons
0050 - 43 5dDeleted for security reasons
0060 - 7d a4 c9 fa 1a 41Deleted for security reasons
0070 - d4 4f 28 e5 5cDeleted for security reasons
0080 - c7 c1 58 3Deleted for security reasons
0090 - 8d b7 4a 3Deleted for security reasons
Start Time: 1504287685
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
* BYE Disconnected for inactivity.
closed
root@server:~# ^C
@Markus Wernecke,
Hi! I could not reproduce the same on my side:
Does the issue still persist?
@Lev Iurev
Hi,
For starters I must say I'm very new to this and this is my first server setup with Plesk and mail server.
Would you recommend 1 serverwide certificate to secure multiple domains or every domain with own sertificate as my vps is with shared IP?
The problem is that I can't make sertificate now for my OVH vps cause number of *.ovh.net certs are restricted by Let's Encrypt. So should I get a own domain for vps and plesk server and get sertificate to that or could and should I get separate domain name sertificates to work with each domain? As for now the domains seems to show vps plesk self signed certificate even though they are set to Let's Encrypt via Plesk panel.
Is there a way to force certificates to domain and bypass the plesk certificate and check them after they are set that tey truly are correct? Do I just need some refresh? I have use something like for now:
@Henri Pelkonen,
>Would you recommend 1 serverwide certificate to secure multiple domains or every domain with own sertificate as my vps is with shared IP?
I would use free Let's Encrypt certificates to secure my domains.
>Is there a way to force certificates to domain and bypass the plesk certificate and check them after they are set that tey truly are correct?
Make sure that SSL/TLS support is enabled and Let's Encrypt certificate is selected in Domains > example.com > Hosting Settings > Security
Afterwards, use the following command to check which cert is used for a domain (where example.com is the domain name):
Hi @Artyom Baranov
Thanks a lot for answering and help.
Yes, it still exists, connection is made, but then nothing more in delivering.. I wonder why you get another output. the problem is that I have 5 email-addresses under this domain, all emails are not delivered. BUT other domains emails are okay. Important (or not): I use this domain cosirex.com for 1st own DNS with additional shared IP 17.160.167.167 as reverse mapping.
The standard server IP refers to hostname server.arox.eu as reverse mapping entry, which is usual recommended configuration. The whole Plesk mail system is configured sending over domains Ip addresses ( first option).
The 2nd own DNS domain, with another additional IP (shared) is working fine with email.
Here the wrong we are talking about: as an example what I get in Thunderbird (mail returned to sender address info@cosirex.com):
by Mail Delivery System <MAILER-DAEMON@server.arox.eu> (server hostname)
subject Undelivered Mail Returned to Sender
to info@cosirex.com
This is the mail system at host server.arox.eu. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system <emailaddress-receiver@t-online.de>: host mx02.t-online.de[194.25.134.9] refused to talk to me: 554 IP=217.160.167.167 - A problem occurred. (Ask your postmaster for help or to contact tosa@rx.t-online.de to clarify.) (BL)@Markus Wernecke,
Hi! I suggest checking /var/log/maillog to define the reason why emails are not delivered.
I believe you will find the solution in one of our mail-related KB articles.
Please sign in to leave a comment.