Unable to set SNI certificates for mail (Postfix) using Let's Encrypt certificates




  • Lenor (Edited)

    Any solution here?

    I am using Let's Encrypt and have the latest updates installed, last checked today.

    I got errors in the maillog: TLS SNI XY from XY[xx.xx.xx.xx] not matched, using default chain

    Moreover, this truly affects only Obsidian. On other, older servers there are no problems.

    I just saw many such failures -.-

  • Alexey Lapshin

    Hello @Lenor

    The most probable cause of the issue is that many domains use one IP address and the global mail certificate from Plesk > Tools & Settings > SSL/TLS Certificates > Certificate for securing mail. So, to use SNI, it is necessary to set a separate certificate for each domain in Plesk > Domains > example.com > Mail Settings > SSL/TLS certificate for mail.

    However, it should not affect email delivery.

  • Eser Esen

    After upgrading to Obsidian I was able to create and select a certificate for each domain and its mail service. But these certificates are ignored, because under Tools & Settings -> SSL/TLS there is still the global option for mail certificates, and this one is delivered by the mail server.

    How do I make Plesk use the new certificates I created and assigned to each domain, including for the mail service?

  • Gunther Bigl

    Is there a solution for this now?

    I just migrated my domains from Plesk Onyx to Obsidian, using the newest updates. At first, SNI with the certs was working, but Plesk was not secured with a certificate, so I issued one Let's Encrypt certificate from my main domain to secure both Plesk and the mail server. From this point on, SNI was enabled but not functional, and I cannot switch back to "unsecure".

    I checked:

     grep SNI_SUPPORT /etc/psa/psa.conf
    answer -> SNI_SUPPORT true

    Even the check at https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.de showed: the certificate is used properly by all components (Web, FTP, and so on) but NOT by the mail server. At the moment I use Postfix and Courier IMAP and POP3.

    Any suggestions on how to resolve this? I get complaints from my mail users that some mail clients are not coping with this BUG and neither send nor receive mail (e.g. Thunderbird, iOS clients).


    Best regards, Gunther

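To see which domains still fall back to the global mail certificate, the "TLS SNI ... not matched, using default chain" lines quoted in the first post can be grouped by requested name. The following is an added example, not part of the thread or of Plesk; the syslog prefix, host names and addresses in the sample are constructed, and only the message text is taken from the post.

```python
import re
from collections import defaultdict

# Postfix message as quoted in the thread:
#   TLS SNI <name> from <client>[<ip>] not matched, using default chain
SNI_MISS = re.compile(
    r"TLS SNI (?P<sni>\S+) from (?P<client>\S*)\[(?P<ip>[^\]]+)\] "
    r"not matched, using default chain"
)

# Constructed sample lines (documentation names and addresses, not real log data).
SAMPLE_LOG = """\
Mar  3 10:01:12 host postfix/smtpd[2101]: connect from mx.example.net[192.0.2.10]
Mar  3 10:01:12 host postfix/smtpd[2101]: TLS SNI mail.example.com from mx.example.net[192.0.2.10] not matched, using default chain
Mar  3 10:04:40 host postfix/smtpd[2177]: TLS SNI mail.example.org from unknown[198.51.100.7] not matched, using default chain
Mar  3 10:09:03 host postfix/smtpd[2190]: TLS SNI MAIL.example.com from client.example.net[203.0.113.5] not matched, using default chain
Mar  3 10:09:04 host postfix/smtpd[2190]: disconnect from client.example.net[203.0.113.5]
"""


def summarize_sni_misses(lines):
    """Return {sni_name: {"count": n, "clients": [ips]}} for unmatched SNI names."""
    counts = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        m = SNI_MISS.search(line)
        if not m:
            continue
        # DNS names are case-insensitive; normalise so variants group together.
        name = m.group("sni").lower().rstrip(".")
        counts[name] += 1
        clients[name].add(m.group("ip"))
    return {n: {"count": counts[n], "clients": sorted(clients[n])} for n in counts}


def report(summary):
    """Format the summary, most frequently missed name first."""
    rows = sorted(summary.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [f"{n}: {d['count']} miss(es) from {', '.join(d['clients'])}" for n, d in rows]


if __name__ == "__main__":
    for row in report(summarize_sni_misses(SAMPLE_LOG.splitlines())):
        print(row)
```

Each name in the output is a host name that clients request over SNI and that received the default chain, so it is a candidate for the per-domain mail certificate setting mentioned above.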
