Resolved Can't get to secure my mail

4dnan

New Pleskian

Hello,

So I tried both with Let's Encrypt and Godaddy certificates.

Basically I have a domain on Godaddy and Plesk running on an AWS Lightsail server with Plesk Onyx.

The domain itself is Omnielle.com and the MX record points to Omnielle.com as well.

Using either of the two certificates I was able to secure webmail but not mail itself, which means that mail clients such as Gmail will show a message that my mail isn't secure.

Any idea how I can solve it? Thank you.
 
Have you followed the steps described in the following article:

How to secure a Plesk mail server with an SSL certificate (Let's Encrypt / other certificate authorities)

and encountered errors? If so, what exactly went wrong?
Hello, thanks for your answer.

Yes, I have followed the steps in the article many times for 2 hours, trying with Let's Encrypt and Godaddy certificates to no avail.

I'm wondering ... does Plesk assume that my mail must be on a different subdomain? I see many examples use mail.domain.com, but I use my regular domain for mail (i.e. domain.com without mail. prefix).

Hope that helps us identify the problem.
 
Ok, a couple of observations:

- your domain has no MX record
- the SMTP server at omnielle.com supports STARTTLS and responds with a certificate issued by Godaddy, valid for omnielle.com and www.omnielle.com
- reverse DNS (rDNS) for your IP points to ec2-35-181-65-132.eu-west-3.compute.amazonaws.com and the subdomain correctly points back to the IP.

My guess is that you've successfully installed the mail server certificate and the actual issue you're having is a missing MX record. If you intend to use "omnielle.com" for everything, then the MX record for omnielle.com should point to omnielle.com.

Besides that, having a generic hostname (although with a properly configured rDNS) could cause problems with some 3rd party mail servers, such as gmx.de. If you prefer to use "omnielle.com" for everything, I suggest changing your hostname to "omnielle.com", but do this only if you have the ability to change the rDNS to point to omnielle.com.


As for your question in regards to Plesk, I believe the usual practice is the following:
- create a proper hostname for the server, for example server.example.com
- make sure the hostname resolves to a correct IP
- create a rDNS for the IP pointing to the hostname
- generate an SSL certificate for the hostname and use it also for the control panel access and the mail servers
- each domain hosted uses its own mail exchanger (MX), e.g. mail.example-customer.com, mail.example-customer2.com, etc.

For now, customers should use the actual hostname of the server for the incoming and outgoing mail servers in their email clients, or, they should be aware that the mail server certificate will not be valid should they choose to use mail.example-customer.com instead (which would otherwise be preferred). Hopefully, this will change in the next version of Plesk.
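The "your domain has no MX record" observation above is something you can check mechanically from the output of `dig mx <domain>`. The script below is an added example written for this thread, not code from Plesk or from either poster. It parses dig's presentation format and distinguishes a NODATA response (status NOERROR, empty answer, an SOA in the authority section, i.e. the zone exists but publishes no MX) from a populated answer, and then checks whether the MX target's A record was seen in the additional section. The two embedded samples are the dig responses quoted later in the thread, trimmed to the lines the parser needs.

```python
"""Classify a `dig mx <domain>` response: no MX, MX present, or MX target not seen.

Added example for this thread (not Plesk's code); the sample responses are
trimmed copies of the dig output posted in the thread.
"""
import re
from dataclasses import dataclass, field

STATUS_RE = re.compile(r"status: (\w+), id: \d+")
COUNTS_RE = re.compile(r"ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")
# name  ttl  IN  type  rdata  (dig's default record layout)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.*)$")


@dataclass
class MxCheck:
    status: str = ""
    answer_count: int = 0
    mx: list = field(default_factory=list)         # [(priority, target), ...]
    a_records: dict = field(default_factory=dict)  # name -> IPv4 seen anywhere in the response
    soa_in_authority: bool = False                 # the NODATA marker


def parse_dig_mx(output: str) -> MxCheck:
    """Walk the dig output section by section and keep what matters for mail delivery."""
    chk = MxCheck()
    section = None
    for line in output.splitlines():
        m = STATUS_RE.search(line)
        if m:
            chk.status = m.group(1)
            continue
        m = COUNTS_RE.search(line)
        if m:
            chk.answer_count = int(m.group(1))
            continue
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]          # ANSWER, AUTHORITY, ADDITIONAL, ...
            continue
        if line.startswith(";") or not line.strip():
            continue                               # comments, the QUESTION line, blank lines
        m = RR_RE.match(line)
        if not m:
            continue
        name, _ttl, rtype, rdata = m.groups()
        if section == "ANSWER" and rtype == "MX":
            prio, target = rdata.split()
            chk.mx.append((int(prio), target))
        elif section == "AUTHORITY" and rtype == "SOA":
            chk.soa_in_authority = True
        elif rtype == "A":
            chk.a_records[name] = rdata
    return chk


def mx_verdict(chk: MxCheck) -> str:
    """Turn the parsed response into the one-line statement a mail admin needs."""
    if chk.status != "NOERROR":
        return f"lookup failed with status {chk.status}"
    if not chk.mx:
        if chk.soa_in_authority:
            return "NODATA: the zone exists but publishes no MX record"
        return "no MX record in the answer section"
    # An A record in ADDITIONAL is a courtesy from the resolver, so its absence
    # only means "not seen in this response", not "does not exist".
    unseen = [t for _, t in sorted(chk.mx) if t not in chk.a_records]
    if unseen:
        return "MX present but no A record seen in this response for: " + ", ".join(unseen)
    return "MX present and resolvable: " + ", ".join(
        f"{t} -> {chk.a_records[t]}" for _, t in sorted(chk.mx))


# Sample 1: the response quoted in the thread before the MX record existed (NODATA).
SAMPLE_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65280
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;omnielle.com.                  IN      MX

;; AUTHORITY SECTION:
omnielle.com.           600     IN      SOA     ns25.domaincontrol.com. dns.jomax.net. 2019080401 28800 7200 604800 600
"""

# Sample 2: the response quoted in the thread after the MX record was added.
SAMPLE_WITH_MX = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25294
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; ANSWER SECTION:
omnielle.com.           1800    IN      MX      10 omnielle.com.

;; AUTHORITY SECTION:
omnielle.com.           3600    IN      NS      ns25.domaincontrol.com.
omnielle.com.           3600    IN      NS      ns26.domaincontrol.com.

;; ADDITIONAL SECTION:
omnielle.com.           600     IN      A       35.181.65.132
ns26.domaincontrol.com. 132907  IN      A       173.201.70.13
ns25.domaincontrol.com. 80246   IN      A       97.74.102.13
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_NODATA), ("after", SAMPLE_WITH_MX)):
        print(f"{label}: {mx_verdict(parse_dig_mx(text))}")
```

Pipe a live query into it with `dig mx example.com | python3 check_mx.py` after replacing the sample loop with `sys.stdin.read()`; the NODATA branch is the one that matches the first response in this thread.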
 
My guess is that you've successfully installed the mail server certificate and the actual issue you're having is a missing MX record. If you intend to use "omnielle.com" for everything, then the MX record for omnielle.com should point to omnielle.com.

Thanks for your message. I have double checked my MX record and set it up. It now points to omnielle.com correctly but my guess is that it previously did as well.

Now the Gmail app shows a "Certificate not valid" error instead. The error is unfortunately not very verbose.

I checked my MX record here: omnielle.com Domain Health
 
Perhaps it was a temporary issue with DNS resolution. This was the DNS response previously:
Code:
# dig mx omnielle.com

; <<>> DiG 9.14.4 <<>> mx omnielle.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65280
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;omnielle.com.                  IN      MX

;; AUTHORITY SECTION:
omnielle.com.           600     IN      SOA     ns25.domaincontrol.com. dns.jomax.net. 2019080401 28800 7200 604800 600

;; Query time: 39 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 05 14:08:08 CEST 2019
;; MSG SIZE  rcvd: 109

and this is now:

Code:
# dig mx omnielle.com

; <<>> DiG 9.14.4 <<>> mx omnielle.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25294
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;omnielle.com.                  IN      MX

;; ANSWER SECTION:
omnielle.com.           1800    IN      MX      10 omnielle.com.

;; AUTHORITY SECTION:
omnielle.com.           3600    IN      NS      ns25.domaincontrol.com.
omnielle.com.           3600    IN      NS      ns26.domaincontrol.com.

;; ADDITIONAL SECTION:
omnielle.com.           600     IN      A       35.181.65.132
ns26.domaincontrol.com. 132907  IN      A       173.201.70.13
ns25.domaincontrol.com. 80246   IN      A       97.74.102.13

;; Query time: 43 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Aug 05 20:12:17 CEST 2019
;; MSG SIZE  rcvd: 157

but to continue, your mail server does respond with the intended certificate, but it seems to be missing the intermediate CA:

Code:
# openssl s_client -starttls smtp -showcerts -connect omnielle.com:25
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = omnielle.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = omnielle.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=omnielle.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
<cut for brevity>
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=omnielle.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3078 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E1C931B060BE9C2D4D5017C56DB48833B873CB7F7240BE7378C92B5217699E3D
    Session-ID-ctx:
    Master-Key: 5022A16FDF7B04FC20F276252D836B8E0BC80D362625ED92CCAD0223E98D714F36B07B52261BDBF6AB3857A248D6866E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    <cut for brevity>
    Start Time: 1565026283
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN

I suggest filling all three form fields when uploading the GoDaddy certificate in Plesk, including the CA certificate (*-ca.crt) field. GoDaddy must have provided the correct CA crt along with your domain certificate, perhaps just as a link to a download URL.

If unsure, try using the "GoDaddy Class 2 Certification Authority Root Certificate - G2", gdroot-g2.crt from their repository.
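The `openssl s_client` output above shows the failure mode precisely: a one-certificate chain whose issuer is the GoDaddy intermediate, and verify codes 20 and 21 because OpenSSL cannot find that issuer among what the server sent or in the local trust store. The script below is an added example written for this thread, not Plesk's code or the poster's; it parses `s_client -showcerts` output into the subject/issuer pairs and the final verify code, reports "intermediate missing" when a single non-self-signed certificate fails with code 20 or 21, and checks that a multi-certificate chain actually links issuer to subject. The first sample is the chain quoted above, trimmed; the second is a constructed complete chain for comparison. `live_starttls_check` is an optional network probe using the Python standard library and is not exercised by the samples.

```python
"""Detect an incomplete chain in `openssl s_client -starttls smtp -showcerts` output.

Added example for this thread (not Plesk's code). Sample 1 is the thread's
chain, trimmed; sample 2 is a constructed complete chain.
"""
import re
import smtplib
import ssl
from dataclasses import dataclass, field

CHAIN_SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:/OU=.../CN=host"
CHAIN_ISSUER_RE = re.compile(r"^\s*i:(.*)$")          # "   i:/C=US/..."
VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.*)\)")


@dataclass
class ChainReport:
    subjects: list = field(default_factory=list)
    issuers: list = field(default_factory=list)
    verify_code: int = -1
    verify_text: str = ""

    @property
    def depth(self) -> int:
        return len(self.subjects)

    @property
    def links(self) -> bool:
        """Each certificate's issuer must be the subject of the next one sent."""
        return all(self.issuers[i] == self.subjects[i + 1] for i in range(self.depth - 1))

    @property
    def missing_intermediate(self) -> bool:
        # One certificate, not self-signed, and OpenSSL could not find its issuer.
        # 20 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 21 = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
        return (self.depth == 1 and self.subjects[0] != self.issuers[0]
                and self.verify_code in (20, 21))

    def verdict(self) -> str:
        if self.depth == 0:
            return "no certificate chain found in output"
        if self.missing_intermediate:
            return "leaf certificate sent without its intermediate CA; install the CA bundle"
        if not self.links:
            return "chain is out of order or broken between certificates"
        if self.verify_code == 0:
            return "chain verified"
        return f"verification failed: {self.verify_code} ({self.verify_text})"


def parse_s_client(output: str) -> ChainReport:
    """Collect the 'Certificate chain' entries and the final verify result."""
    report = ChainReport()
    pending = None                      # subject waiting for its issuer line
    for line in output.splitlines():
        m = CHAIN_SUBJECT_RE.match(line)
        if m:
            pending = m.group(2).strip()
            continue
        m = CHAIN_ISSUER_RE.match(line)
        if m and pending is not None:
            report.subjects.append(pending)
            report.issuers.append(m.group(1).strip())
            pending = None
            continue
        m = VERIFY_RE.search(line)
        if m:
            report.verify_code, report.verify_text = int(m.group(1)), m.group(2)
    return report


def live_starttls_check(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Probe a real server against the system trust store (needs network; not used by samples)."""
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        smtp.starttls(context=ssl.create_default_context())
        return "ok"
    except ssl.SSLCertVerificationError as exc:
        return f"verify failed: {exc.verify_message}"
    finally:
        smtp.close()


# Sample 1: the chain quoted in the thread (one GoDaddy-issued leaf, no intermediate).
SAMPLE_INCOMPLETE = """\
depth=0 OU = Domain Control Validated, CN = omnielle.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=omnielle.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
<cut for brevity>
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)
"""

# Sample 2: constructed output for a server that sends leaf plus intermediate.
SAMPLE_COMPLETE = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for label, text in (("thread", SAMPLE_INCOMPLETE), ("constructed", SAMPLE_COMPLETE)):
        print(f"{label}: {parse_s_client(text).verdict()}")
```

The test that matters after uploading the CA bundle in Plesk is that the chain section grows to two entries (leaf plus the issuing intermediate) and the verify return code drops to 0; a client that does not ship the intermediate in its own store, such as a phone mail app, will keep rejecting the connection until that happens.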
 
Hello,

Unfortunately after adding the CA certificate, the error still persists. How annoying.

I appreciate your help. What do you suggest?

Edit: I found the intermediate CA certificate in the zip file in which the certificate itself came, and everything finally worked!

Tested it on SSL Certificate Checker - Diagnostic Tool | DigiCert.com and all is green.

Many thanks!
 