Applicable to:
- Plesk Obsidian for Linux
Symptoms

- After a Let's Encrypt certificate is set for mail SNI following the How to secure a Plesk mail server with different SSL certificates (SNI support) article, the mail server returns the default certificate instead:

  # echo Q | openssl s_client -connect mail.example.com:25 -starttls smtp -servername mail.example.com -showcerts 2>/dev/null | openssl x509 -noout -text | grep -E 'Subject:|DNS:'
  Subject: CN = plesk.example.org
  DNS:plesk.example.org
- The following can be found in /var/log/maillog if Postfix debugging is enabled:

  postfix/smtpd[43261]: warning: error loading SNI data for mail.example.com: unexpected PEM type: CERTIFICATE REQUEST
  postfix/smtpd[43261]: warning: error loading private keys and certificates from: SNI data for mail.example.com: aborting TLS handshake
- The certificate used for mail SNI has a CSR (certificate signing request) in the Postfix SNI map:

  # postmap -s /var/spool/postfix/plesk/certs | grep 'mail.example.com' | cut -d$'\t' -f2 | base64 -d | head -n1
  -----BEGIN CERTIFICATE REQUEST-----

- The certificate also has a CSR component supplied under Domain > example.com > SSL/TLS Certificates > Advanced Settings (if the SSL It! extension is installed) > CertificateName.
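The one-domain check above generalizes to the whole SNI map. The following POSIX shell helper is an added example, not code from the Plesk article: it reads a `postmap -s` dump (key, tab, base64-encoded PEM bundle), decodes each entry and flags any bundle containing a CERTIFICATE REQUEST block, which is exactly what Postfix rejects with "unexpected PEM type". The hostnames and PEM bodies in the sample dump are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Plesk article: scan a full `postmap -s` dump
# of the Plesk Postfix SNI map for entries whose PEM bundle contains a CSR,
# which Postfix rejects with "unexpected PEM type: CERTIFICATE REQUEST".
# Real use: postmap -s /var/spool/postfix/plesk/certs | check_sni_map

tab=$(printf '\t')

# check_sni_map: reads "key<TAB>base64(PEM)" lines on stdin and prints
# "key<TAB>verdict" per entry: BAD-CSR (a CERTIFICATE REQUEST block is
# present), OK (certificate present, no CSR), NO-CERT, or UNDECODABLE.
check_sni_map() {
    while IFS="$tab" read -r key value; do
        [ -n "$key" ] || continue
        if ! pem=$(printf '%s' "$value" | base64 -d 2>/dev/null); then
            printf '%s\tUNDECODABLE\n' "$key"
            continue
        fi
        if printf '%s\n' "$pem" | grep -q '^-----BEGIN CERTIFICATE REQUEST-----$'; then
            printf '%s\tBAD-CSR\n' "$key"
        elif printf '%s\n' "$pem" | grep -q '^-----BEGIN CERTIFICATE-----$'; then
            printf '%s\tOK\n' "$key"
        else
            printf '%s\tNO-CERT\n' "$key"
        fi
    done
}

# Constructed sample dump (hypothetical hostnames, dummy base64 bodies):
# one clean certificate bundle and one bundle that wrongly begins with a CSR,
# which is what the article's `head -n1` check turns up for mail.example.com.
sample_dump() {
    good=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBdummyCert' \
                         '-----END CERTIFICATE-----')
    bad=$(printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MIIBdummyCsr' \
                        '-----END CERTIFICATE REQUEST-----' "$good")
    printf 'good.example.org\t%s\n' "$(printf '%s\n' "$good" | base64 | tr -d '\n')"
    printf 'mail.example.com\t%s\n' "$(printf '%s\n' "$bad" | base64 | tr -d '\n')"
}

sample_dump | check_sni_map
```

Every line reported as BAD-CSR is a domain whose mail SNI entry Postfix will skip at handshake time, falling back to the default certificate.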
Cause

Product issue:

- #PPPM-10715 "Fixed issues created by the bug fix PPPM-10715. You can now rename your domain or restore it from a backup—no issues with your mail for a domain will occur."

Fixed in:
- Plesk Obsidian 27 August 2019 (Linux)
- Plesk Obsidian 31 July 2019 (Linux)
Resolution

Update to the latest version of Plesk Obsidian.

Workaround

If updating is not possible for some reason, use certificates that have no CSR supplied (that is, certificates not issued by the Let's Encrypt or SSL It! extensions).
Comments
4 comments
Any solution here?
I am using Let's Encrypt and have the latest updates installed, last checked today.
I got errors in maillog: TLS SNI XY from XY[xx.xx.xx.xx] not matched, using default chain
Moreover, this truly affects only Obsidian; on other, older servers there are no problems.
I just saw many such fails -.-
Hello @Lenor
The most probable cause of the issue is that many domains use one IP address and the global certificate for mail from Plesk > Tools & Settings > SSL/TLS Certificates > Certificate for securing mail. So, to use SNI it is necessary to set a separate certificate for each domain at Plesk > Domains > example.com > Mail Settings > SSL/TLS certificate for mail.
However, it should not affect email delivery.
After upgrading to Obsidian I was able to create and select a certificate for each domain and its mail service. But these certificates are ignored, because in Tools & Settings -> SSL/TLS there is still the global option for mail certificates, and this one is delivered by the mail server.
How do I make Plesk use the new certificates I created and assigned to each domain, including for the mail service?
Hello,
Is there a solution for this now?
I just migrated my domains from Plesk Onyx to Obsidian, using the newest updates. At first, SNI with the certs was working, but Plesk was not secured with a certificate, so I issued one Let's Encrypt certificate from my main domain to secure both Plesk and the mail server. From this point on, SNI was enabled but not functional, and I cannot switch back to "unsecure".
I checked:
Even the check at https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.de showed that the certificate is used properly by all components (web, FTP, and so on) but NOT by the mail server. I use at the moment Postfix and Courier IMAP and POP3.
Any suggestions how to resolve this? I get complaints from my mail users that some mail clients are not coping with this BUG and do not send or receive mails (e.g. Thunderbird, iOS clients).
Best regards, Gunther