
Resolved Email Problems Using Let's Encrypt

Eoin Redmond

New Pleskian
Hi,

The default self signed SSL that is created during the Plesk installation expired today so we used Let's Encrypt to secure Plesk and mail...


The problem is that now we cannot send or receive email over SSL on any domain on any email client - the error from Thunderbird is...


We're using Let's Encrypt 2.4.0 and Plesk Onyx Version 17.0.17

Email on all domains was working perfectly until the default self signed SSL expired.

We'd appreciate it if anybody could point us in the right direction.

Thanks

Eoin
 

Hi Eoin Redmond,

pls. note:
Cert Hostname DOES NOT VERIFY (mail.istech.ie != istech.ie | DNS:istech.ie)
As you can see, your used certificate doesn't include "mail.YOUR-DOMAIN.COM" and has only been issued for "YOUR-DOMAIN.COM".

Pls. see for example:


If you experience issues/errors/problems when trying to secure your mail server with a Let's Encrypt certificate, pls. be informed that the Plesk Let's Encrypt extension logs its actions to your "panel.log". Pls. consider inspecting this log for further investigation, and/or post relevant entries from your log in your next post, so that people willing to help you are able to assist with the investigation.

Additional information:

Sometimes it is as well a good idea to change the log level ( TEMPORARILY! ) to get more information in the Plesk log files:

 
Thanks UFHH01 - we don't know how to create/include an SSL for mail.istech.ie as we can't find anywhere in Plesk to do that?

Eoin
 
Hi UFHH01,

Would the following command (that you posted on another thread) work for us instead of creating sub-domain subscriptions...

plesk bin extension --exec letsencrypt cli.php -d YOUR-DOMAIN.COM -d www.YOUR-DOMAIN.COM -d webmail.YOUR-DOMAIN.COM -d mail.YOUR-DOMAIN.COM -d smtp.YOUR-DOMAIN.COM -d pop3.YOUR-DOMAIN.COM -d imap.YOUR-DOMAIN.COM -d lists.YOUR-DOMAIN.COM --email [email protected] --expand

We have 15 subscriptions on that instance of Plesk so would prefer not to have to create all those sub-domain subscriptions.

Thanks

Eoin
 
Hi Eoin Redmond,

pls. note that the validation process of Let's Encrypt will be done by placing a temporary file at the document root of each subdomain ( at the corresponding folder "/var/www/vhosts/YOUR-DOMAIN.COM/subdomain.YOUR-DOMAIN.COM/.well-known/acme-challenge" ), which then will be called by the Let's Encrypt authority in order to validate the existence of the subdomain ( pls. see again your "panel.log" for previous validation processes ). If such a corresponding file can't be reached, your subdomain can't be included with my posted command.

I suggest creating the needed subdomains with the help of the existing Plesk CLI commands, which might be faster for creating the "to be included subdomains" for each subscription. :)

Additional information:

 
Good point UFHH01 - forgot about that :)

We've started the process of creating the sub domains and adding certificates to them and are slowly getting email services back on line.

I have to say that I'm shocked with the disruption caused by the expiry of the Plesk Default Certificate to mail services and the fact that it can't be renewed - there must be a better way UFHH01?

Thanks for your help.

Regards,

Eoin
 
Customers normally use "mail.customerdomain.com" as their SMTP, POP3 and IMAP server.

On our server, obviously, we have a lot of domains.

If we install SSL for mail in the Plesk panel, it is only available for one domain.... ( normally our server hostname ).

So all customers must use the server hostname to use SSL without this "wrong site" alert.

Any ideas for this?
 
Plesk is a tool to help system administrators.
It's not there to replace them.

You need to learn how certificates actually work and how they are implemented on the different protocols and then act accordingly.

After installation of Plesk I install a wildcard certificate on both the Plesk interface and on the mail services.

If you want your customers to use ssl you should communicate a hostname that matches said certificate.
It is tempting to let OSX-users get away with that requirement by creating an exception. This scheme is not reliable and will not survive a rekey of the certificate.

I have a solution for this.
For each customer of wolf.com there is a CNAME that points to mail.customer.com.

customer-com.wolf.com. IN CNAME mail.customer.com.

The client should use the hostname customer-com.wolf.com which matches the wildcard certificate *.wolf.com
 

Hi Solucionesuno,

We have been trying to deal with this since last week but have been unable to find a proper solution.

We created sub domains i.e. mail.customer.com and added a Let's Encrypt SSL for the sub domain, but when we go to set up an email account it reverts to the server hostname SSL and then you have to create an exception.

Like you we have many domains and email users on the server, so we need to find a solution that doesn't involve changing the mail server name on customers' devices.

Eoin
 
Hi Eoin Redmond,

in fact, if you desire to customize valid certificates for each of your hosted domains, you have to modify your postfix - configuration files and your dovecot configuration files.

Examples:

=> #2
=> #26

This modification is still a bit tricky, but Plesk will provide easier solutions with the next major release of Plesk Onyx 17.8 ( expected in March 2018 ).
 

In times of transgressions in which we now live you will not find any solution without any drawback.
I think that the solution I suggested is the least inelegant one.
Microsoft uses this same scheme in their office365. They don't do this that way without reason.

I don't need to tell my clients to use other hostnames as I migrated them all already a while ago.

What you want is a system that relies on SNI (server name indication). The same technique that is used for https. But.....
Unlike web browsers that are free of charge, mail clients do not all support SNI. Many of your clients will have outlook or older versions of apple mail.

Then there is the server-side of it.
Plesk 17.8 apparently will bring us the management of Dovecot's SNI which will, in combination with (probably) wildcard letsencrypt certificates, make that possible.
But you will not see that for several months.
Unless you know how to configure Dovecot yourself, you can't do it.
It will still have the downside of not supporting all the clients...

So for the next 3 years I will consider my solution the better one: one wildcard certificate on postfix and dovecot, in combination with a CNAME for each client.
As icing on the cake I have an autodiscover on all my Plesk servers that will configure the clients this way.
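To make the two certificate points in this thread concrete (UFHH01's "Cert Hostname DOES NOT VERIFY" output, and Mr-Wolf's wildcard-plus-CNAME scheme), here is an added Python example that is not code from the thread or from Plesk: it applies the hostname-matching rules a mail client uses to constructed certificate name lists. All hostnames and subjectAltName lists below are constructed from the names mentioned in the thread.

```python
# Added example (not from the thread or from Plesk): how a mail client checks
# the server certificate against the hostname it was configured to connect to.
from typing import Iterable, List, Tuple


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True if `hostname` is covered by a subjectAltName DNS entry (RFC 6125):
    exact match, or a wildcard standing for exactly one leftmost label, so
    *.wolf.com covers customer-com.wolf.com but not mail.customer.com."""
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        pat_labels = name.rstrip(".").lower().split(".")
        # Label count and parent domain must be identical.
        if len(pat_labels) != len(host_labels) or pat_labels[1:] != host_labels[1:]:
            continue
        if pat_labels[0] == host_labels[0]:
            return True
        # Wildcard only as the whole leftmost label, and never a bare "*.tld".
        if pat_labels[0] == "*" and len(pat_labels) >= 3:
            return True
    return False


def explain(hostname: str, san_dns_names: List[str]) -> str:
    """Verdict line in the style of the checker output UFHH01 quoted."""
    verdict = "VERIFIES" if hostname_matches(hostname, san_dns_names) else "DOES NOT VERIFY"
    return f"Cert Hostname {verdict} ({hostname} | DNS:{','.join(san_dns_names)})"


# Constructed scenarios mirroring the thread. The name checked is always the one
# the client was configured with: a CNAME changes where the connection goes,
# not which name must appear in the certificate.
SCENARIOS: List[Tuple[str, List[str], bool]] = [
    # The original failure: the Let's Encrypt cert covers the bare domain only.
    ("mail.istech.ie", ["istech.ie"], False),
    # After re-issuing with -d mail.YOUR-DOMAIN.COM ... --expand.
    ("mail.istech.ie", ["istech.ie", "www.istech.ie", "mail.istech.ie"], True),
    # Mr-Wolf's scheme: the client uses the CNAME name under the wildcard cert.
    ("customer-com.wolf.com", ["*.wolf.com"], True),
    # Same server, but the client still types mail.customer.com: mismatch.
    ("mail.customer.com", ["*.wolf.com"], False),
    # A wildcard covers exactly one label.
    ("imap.customer-com.wolf.com", ["*.wolf.com"], False),
]


def run_scenarios() -> bool:
    """True when every constructed scenario yields the expected verdict."""
    return all(hostname_matches(h, s) == want for h, s, want in SCENARIOS)
```

Printing `explain(host, sans)` for each entry of `SCENARIOS` reproduces the verdict lines, including the one from the Thunderbird screenshot.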
 

Thanks UFHH01 - sadly those examples are well beyond our skill set :(

We appreciate your assistance with this matter.

Eoin
 

Thanks Mr-Wolf - we understand what you are saying.

We will attempt to setup our next new VM Server as you suggest.

Thank you

Eoin
 
I have a script that creates those cnames automatically. This will only work if you have, like me, all your clients on one (Plesk) DNS server.

I will need to review it to check if it's good enough to publish.
 