
Question: How to correctly enable SSL for 2 mail services?

oleksii

New Pleskian
Hello!

I have 2 mail services on different domains in my Plesk Onyx (e.g. domain1.com and domain2.com), and one dedicated address for each domain.

Is it possible to issue one certificate for both domains in Plesk? Because in Plesk settings (SSL/TLS Certificates) I can choose only one certificate for both mail services.

I guess there is an option to manually issue one certificate for 2 domains with Let's Encrypt, or to issue one certificate for each domain (I already have them in my Plesk) and make some changes in /etc/postfix/master.cf.


But what is the best way to secure both mail services?

P.S. I don't want to use one domain name to send all emails from it. I want to separate these two domains and the mail services on them.
 
Hello!

If you really want to do that (more later...), you have to (manually) obtain a multi-domain certificate and (manually) upload it to your server to be used as the certificate securing the mail server. See Securing Plesk and the Mail Server With SSL/TLS Certificates for how that's done (spoiler alert: it is under Tools & Settings -> Security -> SSL/TLS Certificates).

IMHO, anyway, it is best to use your fully qualified hostname as the MX record (and cite it in your SPF records too) for all domains you host, and have a certificate issued and installed just for it.

I don't think it is a good idea to "fake" a single host with a single IP address into being multiple hosts. After all you can have just one PTR record for that IP and (for many good reasons) it should point to your fully qualified hostname.

External MTAs that connect to your host to deliver mail don't give a damn about the certificate (AFAIK they just use it for encryption, and it could also be a self-signed certificate). Also, an external MTA, contrary to an HTTP client (read: "browser"!), doesn't have a way to indicate "for which domain" it is connecting: it just opens a socket to an IP address.

When your host MTA connects to an external MTA for sending mail, what is important is that your IP address is part of the SPF record for the sending domain and/or that the IP address resolves (via PTR) to a hostname which is in the MX and SPF records for that domain.

See the pattern here? One IP, one PTR, one hostname, one certificate...

What I have for all my domains is:

example.com MX 10 my.fully.qualified.host
and
example.com TXT "v=spf1 +a +mx +a:my.fully.qualified.host -all"

(which, by the way, is correctly the default generated by Plesk)

I understand that the reason for wanting to use "mail.example.com" is probably of the "cosmetic/marketing" type (to give your customers a name that is "within their domain" to configure in their clients), and in the past I've fallen into the same trap too, but think of this: when you subscribe to Google for a GSuite service handling mail for your domain, how do they tell you to configure your client? With Google hostnames, isn't it?

If you really-really want to give your customers a "personalized" mail service, I think the only correct solution would imply giving them a "personalized" (i.e. dedicated) IP address too, and dedicated mail services bound to that IP address (I don't think this is feasible with Plesk, but I might be wrong... P.S.: I AM WRONG, read below...)
 
Sorry, sorry, sorry! I've just (re-)read your OP and only now noticed that you do indeed have a dedicated IP address for each of your two domains! Forget all my lucubrations!

I also checked and it is totally feasible for domains hosted in Plesk to send (and I strongly suspect receive too!) from their dedicated IP address and send an SMTP greeting with their domain name too (Tools & settings, Server-Wide Mail Settings).

As regards the cert... I don't know (as I've never tried that configuration), but I think that if Plesk allows you to use the domain's dedicated IP address for mail services, in those cases it should also use the certificate issued under that domain (and the one under Tools & Settings -> SSL/TLS Certificates would be used only for all other domains that use the shared address)... Isn't this the case? If not... I'll call that a bug (or a missing feature, as a minimum...)

Again sorry about the mix-up!
 
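The "one IP, one PTR, one hostname, one certificate" pattern from the reply above can be turned into a mechanical check. The following is an added example, not code from the thread or from Plesk: it evaluates, over constructed sample DNS data (no network lookups), whether each hosted domain's MX, the MX host's PTR, the SPF record and the names in the mail certificate all agree with the server's FQDN. The zone names, IP addresses and hostnames (mail.hoster.example, 203.0.113.10, example.com, example.net) are hypothetical; to check a real server, replace the dictionaries with the answers from `dig` and the SANs from `openssl x509 -noout -text`.

```python
"""Offline consistency check for a shared mail host: MX -> A -> PTR -> cert SAN -> SPF.

All DNS data below is constructed sample data standing in for real answers.
example.com follows the recommended pattern (MX = the server's FQDN);
example.net uses a vanity MX name on the same IP, which the check flags.
"""
import ipaddress
import re

MAIL_HOST = "mail.hoster.example"          # hypothetical FQDN of the Plesk server
MAIL_IP = "203.0.113.10"                   # its shared IP (RFC 5737 documentation range)
PTR = {"203.0.113.10": "mail.hoster.example"}
A = {"mail.hoster.example": ["203.0.113.10"],
     "mail.example.net": ["203.0.113.10"],   # vanity name, same IP, no matching PTR
     "example.com": ["203.0.113.10"],
     "example.net": ["198.51.100.7"]}        # example.net's web host lives elsewhere
MX = {"example.com": ["mail.hoster.example"],
      "example.net": ["mail.example.net"]}
TXT = {"example.com": ["v=spf1 +a +mx +a:mail.hoster.example -all"],
       "example.net": ["v=spf1 +mx -all"]}
CERT_SANS = ["mail.hoster.example"]        # DNS names in the mail server certificate


def spf_mechanisms(domain):
    """Return the domain's SPF terms as (qualifier, mechanism, argument) tuples."""
    records = [t for t in TXT.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        return None  # zero or several SPF records is a permerror (RFC 7208 4.5)
    terms = []
    for term in records[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?::(\S+))?", term, re.I)
        if not m:
            return None
        qualifier, mech, arg = m.groups()
        terms.append((qualifier or "+", mech.lower(), arg))
    return terms


def spf_result(domain, ip):
    """Evaluate the SPF subset Plesk's default record uses: a, mx, a:host, ip4, all."""
    terms = spf_mechanisms(domain)
    if terms is None:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for qualifier, mech, arg in terms:
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in A.get(arg or domain, [])
        elif mech == "mx":
            matched = any(ip in A.get(host, []) for host in MX.get(arg or domain, []))
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            continue  # include/exists/ptr/redirect are not modelled here
        if matched:
            return verdict[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def check_mail_domain(domain):
    """List everything about the domain's mail DNS that disagrees with MAIL_HOST/MAIL_IP."""
    problems = []
    mx_hosts = MX.get(domain, [])
    if MAIL_HOST not in mx_hosts:
        problems.append(f"MX does not point at {MAIL_HOST}: {mx_hosts}")
    for host in mx_hosts:
        for ip in A.get(host, []):
            # The single PTR for the IP can only name one host; a vanity MX breaks this.
            if PTR.get(ip) != host:
                problems.append(f"MX host {host} ({ip}) has PTR {PTR.get(ip)!r}, not {host}")
        if host not in CERT_SANS:
            problems.append(f"MX host {host} is not among the certificate SANs {CERT_SANS}")
    result = spf_result(domain, MAIL_IP)
    if result != "pass":
        problems.append(f"SPF gives {result} for the outgoing IP {MAIL_IP}")
    return problems


if __name__ == "__main__":
    for zone in ("example.com", "example.net"):
        print(zone, "->", check_mail_domain(zone) or "OK")
```

For example.net the check reports three findings: the MX is not the server's FQDN, the PTR for 203.0.113.10 names a different host, and mail.example.net is absent from the certificate. Adding mail.example.net as a SAN (the multi-domain certificate route mentioned above) would clear only the last of the three; the PTR finding is exactly the "one IP, one PTR" constraint and can only be removed by a dedicated IP with its own reverse record.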