• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question How to correctly enable ssl for 2 mail services?

oleksii

oleksii

New Pleskian
Hello!

I have 2 mail services on different domains in my Plesk Onyx (e.g. domain1.com and domain2.com). And one dedicated address for each domain.

Is it possible to issue one certificate for both domains in Plesk? Because in Plesk settings (
SSL/TLS Certificates) I can choose only one certificate for both mail services.

I guess there is an option to issue manually one certificate for 2 domains with Let's Encrypt or to issue one certificate for each domain (I already have them in my Plesk) and make some changes in /etc/postfix/master.cf

But what is the best way to secure both mail services?

P.S. I don't want to use one domain name to send all emails from it. I want to separate these to domains and mail services on it.
 
Hello!

If you really want to do that (more later...), you have to (manually) obtain a multiple-domains certificate and (manually) upload it to your server to be used as the certificate securing the mail server. See: Securing Plesk and the Mail Server With SSL/TLS Certificates to see how that's done (spoiler alert: it is in Tools and settings -> Security -> SSL/TLS Certificates)

IMHO, anyway, it is best to use your fully qualified hostname as the MX record (and cite it into your SPF records too) for all domains you host, and have a certificate issued and installed just for it.

I don't think it is a good idea to "fake" a single host with a single IP address into being multiple hosts. After all you can have just one PTR record for that IP and (for many good reasons) it should point to your fully qualified hostname.

External MTAs that connect to your host to deliver mail don't give a damn about the certificate (AFAIK they just use it for encryption and it could also be a self-signed certificate). Also an external MTA, contrary to an HTTP client (read "browser!), doesn't have a way to indicate "for which domain" it is connecting: it just open a socket to an IP address.

When your host MTA connect to an external MTA for sending mail, what is important is that your IP address is part of the SPF record for the sending domain and/or that IP address resolve (via PTR) to an hostname which is in the MX and SPF records for that domain.

See the pattern here? One IP, one PTR, one hostname, one certificate...

What I have for all my domains is:

example.com MX 10 my.fully.qualified.host
and
example.com TXT v=spf1 +a +mx +a:my.fully.qualified.host -all (which btw is, correctly, the default generated by Plesk)

I understand that the reason for willing to use "mail.example.com" is probably of "cosmetic/marketing" type (to give your customers a name that is "within their domains" to configure in their clients), and in the past I've fallen into the same trap too, but think of this: when you subscribe to Google for a GSuite service handling mail for your domain, how do they tell you to configure your client? With Google host names... isn't it?

If you really-really want to give your customer a "personalized" mail service I think the only correct solution would imply to give them a "personalized" (i.e. dedicated) IP address too, and dedicated mail services bound to that IP address (I don't think this is feasible with Plesk, but I might be wrong... P.S.: I AM WRONG, read below...)
 
Last edited:
Sorry, sorry, sorry! I've just (re-)read your OP and just noticed that indeed you have dedicated IP address for your two domains! Forget all my lucubrations!

I also checked and it is totally feasible for domains hosted in Plesk to send (and I strongly suspect receive too!) from their dedicated IP address and send an SMTP greeting with their domain name too (Tools & settings, Server-Wide Mail Settings).

As far as regards the cert... I don't know (as I've never tried that configuration), but I think that if Plesk allows you to use the domain dedicated IP address for mail services, in those cases it should also use the certificate issued under that domain (and the one under Tools & Settings, SSL/TSL certificates be used only for all other domains that use the shared address)... Isn't this the case? If not... I'll call that a bug (or lack of feature as a minimum...)

Again sorry about the mix-up!
 
Last edited:
You must log in or register to reply here.

Similar threads

R
Issue SSL/TLS cert for mail server not updating (Lets Encrypt)
Replies
2
Views
889
tessa67
T
P
Resolved PLESK 18.0.60 Problems to configure mails / Certificates, etc.
Replies
8
Views
760
mow
M
L
Issue ( authorization token is unavailable ) Could not issue/renew Let`s Encrypt certificates
Replies
7
Views
348
Leta
L
futureweb
Question Issues with SSL Certificate Renewal for Mail Services in Plesk: Seeking Automated Solution via CLI or API
Replies
8
Views
1K
futureweb
futureweb
defcon8
Issue SMTP SSL Certificate Expired
Replies
2
Views
599
defcon8
defcon8
Back
Top