- Plesk Obsidian for Linux
After a Let's Encrypt certificate is set for mail SNI by following the article "How to secure a Plesk mail server with different SSL certificates (SNI support)", the mail server returns the default certificate instead:
# echo Q | openssl s_client -connect mail.example.com:25 -starttls smtp -servername mail.example.com -showcerts 2>/dev/null | openssl x509 -noout -text | grep -E 'Subject:|DNS:'
Subject: CN = plesk.example.org
The following can be found in /var/log/maillog if Postfix debug is enabled:
postfix/smtpd: warning: error loading SNI data for mail.example.com: unexpected PEM type: CERTIFICATE REQUEST
postfix/smtpd: warning: error loading private keys and certificates from: SNI data for mail.example.com: aborting TLS handshake
The certificate for the mail SNI has a CSR (certificate signing request) in the Postfix SNI configuration:
# postmap -s /var/spool/postfix/plesk/certs | grep 'mail.example.com' | cut -d$'\t' -f2 | base64 -d | head -n1
-----BEGIN CERTIFICATE REQUEST-----
The certificate also has a CSR component supplied in Domain > example.com > SSL/TLS Certificates > Advanced Settings (if SSL It! is installed) > CertificateName.
This is a Plesk bug with ID PPPM-10715, which is planned to be fixed in one of the future product updates.
As a workaround, use certificates without a CSR supplied (not issued by the Let's Encrypt or SSL It! extensions).
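
To confirm that a mail SNI entry no longer carries a CSR block, the check below lists every PEM block type in a decoded bundle and reports any that is not a private key or a certificate. It is an added example, not part of the original article or of Plesk's tooling; the function names are hypothetical, the allowed-type list is an assumption, and the sample bundle is constructed.

```shell
#!/bin/sh
# Added example: flag PEM block types that do not belong in a mail SNI bundle.

# Print the type of every PEM block on stdin, one per line, in file order.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p'
}

# Return 0 if stdin holds only private keys and certificates, 1 if any
# other block type is present, 2 if there are no PEM blocks at all.
# Assumption: the allowed list below is keys and certificates only.
check_sni_bundle() {
    types=$(pem_block_types)
    if [ -z "$types" ]; then
        echo "no PEM blocks found"
        return 2
    fi
    bad=$(printf '%s\n' "$types" \
        | grep -v -E '^(((RSA|EC) )?PRIVATE KEY|CERTIFICATE)$' \
        | sort -u | paste -sd, - || true)
    if [ -n "$bad" ]; then
        echo "unexpected PEM type: $bad"
        return 1
    fi
    echo "ok"
}

# Constructed sample shaped like the faulty entry on this page
# (block bodies are placeholders, not real key material).
sample_bad_bundle() {
    cat <<'EOF'
-----BEGIN CERTIFICATE REQUEST-----
constructed-placeholder
-----END CERTIFICATE REQUEST-----
-----BEGIN PRIVATE KEY-----
constructed-placeholder
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
constructed-placeholder
-----END CERTIFICATE-----
EOF
}

# On a server, feed it the decoded entry using the page's own pipeline:
#   postmap -s /var/spool/postfix/plesk/certs | grep 'mail.example.com' \
#     | cut -d$'\t' -f2 | base64 -d | check_sni_bundle
sample_bad_bundle | check_sni_bundle || true
```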