Issue Paid SSL Certificate not working for Mailserver

FloLa

Basic Pleskian
Server operating system version: Debian 9.13
Plesk version and microupdate number: Plesk Obsidian v18.0.44_build1800220614.18 os_Debian 9.0

I have a wildcard SSL certificate which secures my domain. I have imported this normally and everything works well so far, but if I now try to select the same certificate for sending an email, then when I send an email I only get the message that the email cannot be delivered.
If I then select the normal free Let's Encrypt certificate, sending and receiving emails works normally again.

Is there any setting which I especially have to set to get it working, or how can I renew the Let's Encrypt certificate ONLY for sending and receiving emails?
 
Update: I committed myself above; it is not a wildcard SSL certificate but a basic one, which is also prepared by the manufacturer to protect email traffic.

Receiving emails works now, but sending them still doesn't work. In the log I get the following error with the paid certificate (with the free Let's Encrypt one I don't get this error):

imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<UQ1zqcHj5MMu986H>
 
Update: If I connect via SSH and execute the following command while activating the Let's Encrypt certificate:

echo | openssl s_client -servername xxx.com -connect xxx.com:465 2>/dev/null | openssl x509 -text

I get the output that I expect (the certificate data):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:95:75:a0:cd:fa:b5:64:e5:bc:2c:0d:1b:dd:c6:1f:31:d5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Apr 15 05:01:00 2022 GMT
            Not After : Jul 14 05:00:59 2022 GMT
...

But if I run this with the paid certificate, I get the following error:

unable to load certificate
139842928173120:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE

Does anyone know how to fix this error?
 
I checked it with the following one: CheckTLS TestReceiver

Result:

[000.386] STARTTLS command works on this server
[001.484] Cannot convert to SSL (reason: SSL connect attempt failed error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error)
[001.484] Note: This same test with Format set to "Debug" may show more
[001.485] Cannot proof email address (reason: MAIL FROM rejected)
[001.485] Note: This does not affect the CheckTLS Confidence Facto


On the same server I have another domain which has a wildcard SSL certificate and a mail server. If I try to use the wildcard certificate for email protection with this domain, everything works fine, so it really only doesn't work with the domain SSL certificate (not wildcard).

Edit: With the wildcard one on the other domain it works for sending and receiving mails, but I get the same error on the check as above. With the free Let's Encrypt one I don't get any error.
 
Looks a bit like you forgot the chain/intermediate certificate or added a wrong one?

A website like Mailserver encryption test (STARTTLS, TLS and PFS) · SSL-Tools can help identify this.
Not exactly, as the mailserver refuses to start negotiation when it finds something wrong with the certificate, and the website certainly can't read the certificate files (and you should never give them to anyone, anyway).
So when you already know it fails, the website can't give you any additional information.
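
The replies above suspect a missing or wrong chain/intermediate certificate and point out that a failed handshake leaves only the files on the server to inspect. The following is an added example, not code from the thread or from Plesk: shell functions that check a PEM file locally, assuming the `openssl` CLI is installed; the file path is supplied by the caller and the sample names are constructed.

```shell
#!/bin/sh
# Added example: offline checks on the PEM file assigned to the mail service.

# Count PEM blocks whose BEGIN label matches the regex in $2.
pem_count() {  # $1 = file, $2 = label regex
    awk -v re="^-----BEGIN ($2)-----" '$0 ~ re { n++ } END { print n + 0 }' "$1"
}

# Read "subject=" / "issuer=" lines on stdin (leaf first, the format printed by
# `openssl pkcs7 -print_certs -noout`) and classify the chain.
chain_verdict() {
    awk '
        /^subject=/ { subj[++n] = substr($0, 9) }
        /^issuer=/  { iss[n] = substr($0, 8) }
        END {
            if (n == 0) { print "no-certificate"; exit }
            # Each certificate must be issued by the one that follows it.
            for (i = 1; i < n; i++)
                if (iss[i] != subj[i + 1]) { print "chain-break-at-" i; exit }
            # A lone certificate issued by someone else has no chain with it.
            if (n == 1 && iss[1] != subj[1]) { print "missing-intermediate"; exit }
            print (n == 1 ? "self-signed" : "ok")
        }'
}

# Full check of a PEM file; $1 is a caller-supplied path (no Plesk path is assumed).
check_bundle() {
    echo "certificates: $(pem_count "$1" 'CERTIFICATE')"
    echo "private keys: $(pem_count "$1" '(RSA |EC )?PRIVATE KEY')"
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout | chain_verdict
}

# Constructed sample: a leaf certificate on its own; the names are made up.
printf '%s\n' 'subject=CN = mail.example.test' \
              'issuer=C = XX, O = Example CA, CN = Example Intermediate' | chain_verdict
```

Run `check_bundle` against the certificate file the mail service actually loads; a verdict of `ok` means the certificates are in issuer order, not that the chain leads to a trusted root.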