Unable to set SNI certificates for mail (Postfix) using Let's Encrypt certificates


  • Lenor (Edited)

    Any Solution here?

    I am using Let's Encrypt and have the latest updates installed; last check was today.

    I got errors in the maillog: TLS SNI XY from XY[xx.xx.xx.xx] not matched, using default chain

    Moreover, this truly affects only Obsidian. On other, older servers there are no problems.

    I just saw many such failures -.-

  • Eser Esen

    After upgrading to Obsidian I was able to create and select a certificate for each domain and its mail service. But these certificates are ignored, because under Tools & Settings -> SSL/TLS there is still the global option for mail certificates, and this one is delivered by the mail server.

    How do I make Plesk use the new certificates I created and assigned to each, including for the mail service?

  • Gunther Bigl

    Hello,

    Is there a solution for this now?

    I just migrated my domains from Plesk Onyx to Obsidian, using the newest updates. At first, SNI with the certs was working, but Plesk was not secured with a certificate, so I issued one Let's Encrypt certificate from my main domain to secure both Plesk and the mail server. From this point on, SNI was enabled but not functional, and I cannot switch back to "unsecure".

    I checked:

     grep SNI_SUPPORT /etc/psa/psa.conf
    answer -> SNI_SUPPORT true

    Even the check at https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.de showed: the certificate is used properly by all components (web, FTP, and so on) but NOT by the mail server. I currently use Postfix and Courier IMAP and POP3.

    Any suggestions on how to resolve this? I get complaints from my mail users that some mail clients are not coping with this BUG and neither send nor receive mail (e.g. Thunderbird, iOS clients).

    Best regards, Gunther

  • Alexey Lapshin

    Hello @Lenor

    The most probable cause of the issue is that many domains use one IP address and the global certificate for mail from Plesk > Tools & Settings > SSL/TLS Certificates > Certificate for securing mail. So, to use SNI, it is necessary to set separate certificates for each domain at Plesk > Domains > example.com > Mail Settings > SSL/TLS certificate for mail.

    However, it should not affect email delivery.

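To see which requested names are falling back to the default certificate, the maillog message quoted in the first comment can be grouped by SNI name. This is an added example, not part of the thread and not Plesk or Postfix code; the sample log lines, host names and addresses are constructed, and the log file path is whatever you pass on the command line.

```python
import re
import sys
from collections import defaultdict

# The smtpd message quoted in the thread:
#   TLS SNI <name> from <host>[<ip>] not matched, using default chain
SNI_MISS = re.compile(
    r"TLS SNI (?P<sni>\S+) from (?P<host>\S+?)\[(?P<ip>[^\]]+)\] "
    r"not matched, using default chain"
)

# Constructed sample lines (documentation domains and address ranges).
SAMPLE_LOG = [
    "Mar  3 10:01:12 srv postfix/smtpd[2211]: connect from client1.example.net[192.0.2.10]",
    "Mar  3 10:01:12 srv postfix/smtpd[2211]: TLS SNI mail.example.org from client1.example.net[192.0.2.10] not matched, using default chain",
    "Mar  3 10:04:40 srv postfix/smtpd[2230]: TLS SNI mail.example.org from unknown[198.51.100.7] not matched, using default chain",
    "Mar  3 10:04:55 srv postfix/smtpd[2230]: TLS SNI Mail.Example.ORG from unknown[198.51.100.7] not matched, using default chain",
    "Mar  3 10:09:02 srv postfix/smtpd[2251]: TLS SNI smtp.example.com from unknown[2001:db8::25] not matched, using default chain",
    "Mar  3 10:09:03 srv postfix/smtpd[2251]: disconnect from unknown[2001:db8::25]",
]


def summarize_sni_misses(lines):
    """Map each SNI name that fell back to the default chain to its
    hit count and the client addresses that asked for it."""
    counts = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        m = SNI_MISS.search(line)
        if m is None:
            continue
        # Host names are case-insensitive, so fold before grouping.
        name = m.group("sni").lower().rstrip(".")
        counts[name] += 1
        clients[name].add(m.group("ip"))
    # Most frequently missed names first, ties broken alphabetically.
    order = sorted(counts, key=lambda n: (-counts[n], n))
    return {n: {"count": counts[n], "clients": sorted(clients[n])} for n in order}


if __name__ == "__main__":
    # Pass a log file path as the first argument; without one the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            summary = summarize_sni_misses(fh)
    else:
        summary = summarize_sni_misses(SAMPLE_LOG)
    for name, info in summary.items():
        print(f"{name}: {info['count']} fallback(s), clients: {', '.join(info['clients'])}")
```

Each name in the output is one that a client requested and for which the server logged a fallback to the default chain.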
