Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to secure the webmail with a Let's Encrypt certificate in Plesk?
Answer
Note: If the SSL It! extension is not installed on the server, the domain must have hosting enabled to be able to install a Let's Encrypt certificate.
Perform the following instructions:
-
Go to Subscriptions > example.com and make sure that a wildcard domain
*.example.comorwebmail.example.comare not present on the subscription.If any, rename or remove it, otherwise it'll not be possible to issue a Let's Encrypt certificate for
webmail.example.comdomain. -
Issue the Let's Encrypt certificate including the webmail domain under to Domains > example.com > SSL/TLS Certificates > Install > Make sure the option Secure webmail on this domain is enabled > Get it free:
Note: If it is required to secure other subdomains or domain aliases, make sure to select them
Click here to see the image
- Go to Domains > example.com > Mail Settings > Verify that the Let's Encrypt certificate is assigned in SSL/TLS certificate for webmail > Click OK to apply changes:
Click here to see the image
Comments
15 comments
You should place a redirect from http://webmail.domain.tld to https. Even the option "Hosting Settings > Permanent SEO-safe 301 redirect from HTTP to HTTPS" won't redirect the webmail; in any case these should be two separate options as the website may not support HTTPS yet.
There is an UI bug too: selecting a certificate already used for securing webmail and hitting "Secure webmail" will freeze the interface.
Hello,
There is no "redirect to https for webmail" feature in Plesk yet, but you can vote for it on UserVoice portal:
https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/18515065-possibility-to-force-ssl-on-webmail
And as a workaround, you can force https connection in Roundcube configuration file as it described here
Or use the following article to make a redirect on the level of Apache:
How to redirect webmail HTTP to HTTPS
As for the UI, I could not reproduce the same on my test server with newly installed Plesk Onyx 17.5. The following notification is shown after selecting the certificate which is already used for securing webmail on domain:
PLESK_INFO: The webmail was secured with the selected certificate. Important: webmail now works via HTTPS only, correct your bookmarks, links, and so on.
So, please submit a ticket for support in order to check if the issue persists on your server:
How to submit a request to Plesk Technical Support
Hello,
is it possible to secure only webmail.example.com even if it's domain example.com and www.example.com pointed to other sever?
Regards,
...
Hello @Miha,
Let's encrypt extension does not support such scenario.
Hello, in our server the webmail is mail.example.com and not webmail.exmple.com . Is it possible to use this feature to secure it or is it specifically for the given subdomain?
Hello @Aristeidis Vlachopanos,
The default URL for webmail is indeed webmail.example.com. The instructions specified here are for this URL.
This article is not applicable to non-standart webmail URL, configured using this workaround.
Can Let's Encrypt be used to secure ONLY webmail?
Hello @David Hubbard
Following steps from the article, you can choose Let's Encrypt certificate to secure webmail. Then, in Hosting Settings of the domain, you can specify another SSL certificate from the domain's repository to be used for the main website.
I have it two times!
Case:
- Maindomain Cert: Paid certificate
- Webmail Only: LetsEncrypt
Problem: Lets Encrypt certificate will not be automaticly renewd(but oll other only letscrypt domains)
Hi destan40,
Just as a curiosity, won't it be easier now that you have a paid certificate on the main domain to also secure webmail with such cert?
If it's in another server, you could still create it on Plesk, and assign it to webmail too. I mean, it could also be done through API.
That is generally not cost effective; most SSL providers will not sell you a cert that includes the TLD, www, as well as a SAN of webmail., mail., or whatever else, unless you move up into a much more expensive cert. That's why most people would like to have a paid cert on the primary website and LE certs on all the other services, development subdomains, etc.
Hello
How does that work if using smartermail remote server? should webmail.yourdomain.com point to plesk hosting shared ip address and than the IIS would redirect it to the remote smartermail server?
ps: please vote for: https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/40257052-webhosting-migration-windows-with-central-smarterm
Hi Chris Mayer,
Correct. Let's Encrypt only needs the webmail.domain.com to resolve to the Plesk server in order to issue the certificate.
Ivan Postnikov - sorry for digging out an old thread. What are some solutions if the main domain is used for an external resource (Shopify shop, other A record somewhere else) but we still use the email for the domain... You say we can't secure only webmail without the main domain, so what are some solutions to get a secured webmail subdomain when the main domain is hosted elsewhere? thanks!
Hello airplanenoise
Try this instruction.
Please sign in to leave a comment.