Resolved How to secure mail of domain with Lets Encrypt

[Giorgos Kontopoulos]

I have installed the Lets encrypt extension and from the domain configuration (lets encrypt button) I have requested a certificate for that domain including protecting the www part of the website and when calling the https version of the website the certificate seems to work fine.

Its been advertised that ONYX now provides a easier setup of securing mail with SSL certificates
and sure enough in the MAIL SETTINGS of the same domain (smb/mail-settings/edit/id/2/domainId/2)
I see a select box "SSL/TLS certificate for webmail" and I chose the same certificate that was created for the domain.

NOTE:
- server1.domain2.tld is the hostname to the machine hosted at IP1
- MX record for domain.tld is mail.domain.tld with IP1 (same as the ip that plesk is running on)

Now trying to connect to email with Thunderbird

letting thunderbird autodetect everything comes up with unsecured connection to email and everything works using either of the following as the mail server hostnames

server1.domain2.tld
IP1
domain.tld
mail.domain.tld

and thunderbird finds pop3 at 110 port and smtp at 587 port

Now when I tell thunderbird to assume secure connection SSL/TLS the setup screen ALWAYS reports "Thunderbird failed to find the settings for your email account" for any hostname that I try
I tried all the 4 hostnames above

After that I created the subdomain in plesk mail.domain.tld and issued a certificate for it from Lets encrypt and tried to connect again with thunderbird but still getting failed message

I have also gone to the SSL certificate settings and seen that one can set certificate for mail (admin/ssl-certificate/secure-mail-server) but which certificate should I choose there ?

mail.domain.tld
domain.tld
self signed certificate

I assume here I should choose a certificate for the server but choosing the self signed will ALWAYS give warning on all email clients since self signed has unrecognized certificate authority

How do I set this up ? do I need to setup this for email certificates to be working ?
What is the procedure of setting up SSL/TLS for mail in plesk ONYX ?
or is that a specific problem for lets encrypt certificates ?

 

[virtubox]

Hello Giorgos,
if you can see mail.yourdomain.com in the DNS configuration of all your domains, you have to choose a subdomain as mail server address like mail.domain.tld, to create this subdomain and to issue your certificate with letsencrypt, and then into SSL/TLS certificates to choose this certificate to secure the mail server, but that mean you will have to use this sudomain to connect to the server from your email client.

For example, I'm using mail.mydomain.com as mail server address, I have created my subdomain to issue a certificate with letsencrypt, then in SSL/TLS settings I have choose my SSL certificates from letsencrypt and in my email client, I'm using mail.mydomain.com as pop/imap server and also as smtp.

 

[Giorgos Kontopoulos]

@virtubox thanks for the answer

I already did this but forgot to change the mail settings to use the mail.domain.tld certificate
I did it now and did a complete SERVER reboot (instead of pop/imap/smtp server restart)
and still can't connect using thunderbird
I get the same error displaying on the connection manager

any idea of what might be ?

 

[virtubox]

Check if you can connect with another mail client like opera mail. If it work, that mean that's the SSL configuration. I have already got some errors with FireFox and Plesk because the SSL ciphers was not properly set.
This KB is maybe the solution.

 

[James Moore]

Maybe it's because you have multiple domains with the same IP set up like this? I only got this working flawlesly by using just one hostname (I use mail.domain.tld, where domain.tld is the FQDN for my server) The Mailserver uses mail.domain.tld in HELO greeting) and I linked the Let's Encrypt certificate for mail.domain.tld here: "Server Management" -> "Tools & Settings" -> "SSL/TLS certificates" -> "Certificate for securing mail"

All other domains (e.g. domain2.tld and domain3.tld) are using mail.domain.tld as mailserver and NOT mail.domain2.tld and mail.domain3.tld

The mail certificate is not to be confused with the per-domain setting "use for webmail".

 

[R3DC0D3]

Hi,
Highly Recommened purchase EV SSL lets, encrypt doest work all browsers make sure visitors make a confused, EV SSL not expensive search it also multi domains if you run and sub domains with stmp pop webmail much better safe in hands...

 

[Giorgos Kontopoulos]

@R3DC0D3
what is not supported ?

https://letsencrypt.org/docs/certificate-compatibility/

https://community.letsencrypt.org/t...g-systems-support-lets-encrypt/4394?u=sahsanu

 

[Giorgos Kontopoulos]

on plesk onyx latest update 6 on centos latest 6.8

I received the following messages on my email and had a warning on the main plesk login screen

Unable to generate the web server configuration file on the host <ovh.webx2.com> because of the following errors:

Template_Exception: Syntax error on line 48 of /etc/httpd/conf/plesk.conf.d/webmails/domain.com_webmail.conf:
SSLCertificateFile: file '/usr/local/psa/var/certificates/cert-Q2cC87' does not exist or is empty

file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0

Please resolve the errors in web server configuration templates and generate the file again.
​

and later on another one

Unable to generate the web server configuration file on the host <ovh.webx2.com> because of the following errors:

Template_Exception: nginx: [emerg] BIO_new_file("/usr/local/psa/var/certificates/cert-Q2cC87") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/psa/var/certificates/cert-Q2cC87','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0

Please resolve the errors in web server configuration templates and generate the file again.​

I had setup a certificate for the mail.domain.com and then included it to the mail settings
after I received the above messages I went to mail settings and chose
SSL/TLS certificate for webmail: not selected
and went on the main login screen of plesk and press the "click here to reconfigure" button that was reminding of the error
and the error went away

I have to revisit this thread and see how to setup properly ssl/tls for mail

 

[R3DC0D3]

Hi again,
I think problem is which cms on under sub domain please tell me more info about sub domain which web templates, or like html5 or php or windows server asp. e.g...

i dont understand why u dont purchase SSL ¿

anyway more info sub domain could be better thanks.

 

[Giorgos Kontopoulos]

using it for magento and possibly drupal cms with multiple domains on a plesk server
and probably under mail.domain.com for multiple domains again

what is "not expensive" for you might not apply to everyone
send me an "inexpensive" link to see

 

[R3DC0D3]

Thanks for reply,

Mangento always look after commercial means paid services and free magento community edition always trouble never end i used many years they care about commercial users sub domain issue they done some patch but im not sure its work perfectly special cloud server as well let's encrypt services mostly explain which cms or similar works perfect condition also on magento so many extensions on this sub domain issue try another ecommerce system if you wanna less trouble

you asked my about SSL of course per year comodo start $77 per year good price also many choice of your pocket another sample godaddy $66 per year network solutions $49.99

and of day giorgos you gonna do ecommerce sale online most ssl certificates given warranty more then $10k your clients or visitors trust your website also google searching gonna be top more ssl selection you dont need use lets encypt this service plesk favour like a this you gonna do professional website you have purchase ssl google indexing you more some ssl companies they works virus companies then automaticly your website says safe and secure for software which is good

dont take a personal this issue i given you idea which way better for you

Regards.

 

[virtubox]

Thanks for reply,

Mangento always look after commercial means paid services and free magento community edition always trouble never end i used many years they care about commercial users sub domain issue they done some patch but im not sure its work perfectly special cloud server as well let's encrypt services mostly explain which cms or similar works perfect condition also on magento so many extensions on this sub domain issue try another ecommerce system if you wanna less trouble

you asked my about SSL of course per year comodo start $77 per year good price also many choice of your pocket another sample godaddy $66 per year network solutions $49.99

and of day giorgos you gonna do ecommerce sale online most ssl certificates given warranty more then $10k your clients or visitors trust your website also google searching gonna be top more ssl selection you dont need use lets encypt this service plesk favour like a this you gonna do professional website you have purchase ssl google indexing you more some ssl companies they works virus companies then automaticly your website says safe and secure for software which is good

dont take a personal this issue i given you idea which way better for you

Regards.

There is no reason to pay for SSL certificate. Paid SSL doesn't offer more security and the only issue with an SSL certificate can be the installation on the server.
You can easily get A+ rating from ssllabs with a letsencrypt certificate.

 

[UFHH01]

Hi Giorgos Kontopoulos,

you could use the not documented command:

plesk bin extension --exec letsencrypt cli.php -d YOUR-DOMAIN.COM -d www.YOUR-DOMAIN.COM -d webmail.YOUR-DOMAIN.COM -d mail.YOUR-DOMAIN.COM -d smtp.YOUR-DOMAIN.COM -d pop3.YOUR-DOMAIN.COM -d imap.YOUR-DOMAIN.COM -d lists.YOUR-DOMAIN.COM --email [email protected] --expand

As you can see, I included all possible subdomains, which are "normally" not setup over the Plesk Control Panel, such as "webmail.", "mail.", "smtp.", "pop3.", "imap." and "lists.". Pls. keep in mind, that there is a maximum of 100 Let's Encrypt SAN - certificate - names.
The "--expand" option at the end should be used, if there has been a previous certificate creation, which you are now able to EXPAND with the additional (sub)domain - names - if you didn't create a previous certificate for the domain, pls. leave out this option.


If you experience issues with the suggestion, pls. consider to include the Let's Encrypt - log and the output from your command line, after you used the command for further investigations.

 

[James Moore]

You don't have to pay for SSL to get a trustable SSL certificate that can be widely used in most browsers. Let's encrypt can be your friend here. But it depends on your needs.

First of all there are three types of certificates, DV, OV and EV. All three give you encryption. To explain them in short: DV (Domain Validation) is just checking the right to use the domain. Whenever you own a domain, you can get a DV certificate for it. No matter who you are and what your intentions are.
OV (Organisation Validation) is checking the right to use the domain (like DV) but is also checking the company behind it (this is when you see owner information within the certificate) EV is doing everything OV does, but is making an even more strict check and screen of the organisation behind it.

Now, Let's Encrypt is only issuing DV certificates. In cases where a DV certificate is fine, and you have the possibility to use LE, go for it and enjoy that it's free. It will give you no real disadvantages compared to paid DV certificates (most modern browsers are supported by LE)
When I would login the my bank for example, I would like the extra security of a EV certificate, so I can check if it's really my bank, that is behind the domain that I'm visiting.

Furthermore, Let's Encrypt does not support wildcard certificates. You can not get a certificate for *.domain.tld use it for every subdomain of domain.tld. You need to specify all the subdomains that you want to certificate to support. This can for example be done manually, like UFHH01 said.

But we are getting off-topic here. It's about securing the mail. In my experience, to have it working, widely supported and maintainable over Plesk, you have to have a subdomain for your mail-server, preferably for a domain matching the server hostname. If the server is server.domain.tld, you can for example take mail.domain.tld.
Then set your mail-system to use this a hostname also at EHLO/HELO. Then have a certificate issued for mail.domain.tld and select this certificate in Plesk where you set the certificate for mail.
Be sure to use mail.domain.tld as the incoming and outgoing mail-server for all mail-domains hosted on the system. So also for domain2.tld and domain3.tld you use mail.domain.tld as the mail-server. This is because the mail-system is using a certificate that is issues for mail.domain.tld and not for mail.domain2.tld or mail.domain3.tld.

 

[octet]

You don't have to pay for SSL to get a trustable SSL certificate that can be widely used in most browsers. Let's encrypt can be your friend here. But it depends on your needs.

Then set your mail-system to use this a hostname also at EHLO/HELO. Then have a certificate issued for mail.domain.tld and select this certificate in Plesk where you set the certificate for mail.
Be sure to use mail.domain.tld as the incoming and outgoing mail-server for all mail-domains hosted on the system. So also for domain2.tld and domain3.tld you use mail.domain.tld as the mail-server. This is because the mail-system is using a certificate that is issues for mail.domain.tld and not for mail.domain2.tld or mail.domain3.tld.

So is there no way of using different SSL certificate for different domain, eg:

mail.domain1.com - SSL 1
mail.domain2.com - SSL 2
mail.domain3.com - SSL 3

rather than asking all the domain holders to use mail.domain.com for incoming and outgoing and getting host name mismatch when going SSL in mail clients?

 

[octet]

^ updated with screenshots, hope it makes more sense now.

mail.cher**.com it's my personal domain
mail.un-lim**.com it's the server domain - also set up as the default SSL for securing the mail
ufo.un-lim**.com it's the server hostname

 

[UFHH01]

Hi octet,

you seem to mix "webmail" and "mail" here - which will not bring you any further, I think.

Investigations and suggestions:

You use a Let's encrypt - certificate for your domain "webmail.cherc***", which has been ONLY authorized for the domain "DNS-Name=mail.cherc***".
You use a standard Plesk certificate for your domain "webmail.un-l***", which is not authorized for any domain at all ( self-signed ).

You use a Let's encrypt - certificate for your domain "ufo.un-l***", which has been ONLY authorized for the domain "DNS-Name=ufo.un-l***". ( Yeah... at least! )


For your postfix - configuration, I previously wrote some sort of "How-to" for individual certificates, assigned to different IPs here: => #11 / #2 / #4​

 

[octet]

Thanks @UFHH01

Not worried about the webmail.domain.tld and not confusing it, was just looking into all SSL settings Plesk Onyx has, just updated from 12.5 today.

So, for Postfix I'll have a look at the links you've posted, thank you.

What should I do for Dovecot?

Thanks!

 

[octet]

@UFHH01

So I've done the Postfix master.cf like below, that should cover your suggestions for the 1st domain, what do you think please?

The main.cf file looks like this:

Thanks a lot!

 

[octet]

Right, tried the above settings, I get this:

Dec  2 22:39:14 ufo postfix/smtpd[75276]: warning: cannot get RSA private key from file /usr/local/psa/var/certificates/cert-v11T5R: disabling TLS support
Dec  2 22:39:14 ufo postfix/smtpd[75276]: warning: TLS library problem: 75276:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY:
Dec  2 22:39:14 ufo postfix/smtpd[75276]: warning: TLS library problem: 75276:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:

Looks like the certificates are not the right ones. Need to dig further.


Update:

I've copy/pasted the SSL certificates generated in Plesk for mail.cher***.com here:

and also modified the Postfix master.cf with the correct path, but I still get this:

Dec  2 22:50:36 ufo postfix/smtpd[78918]: warning: cannot get RSA certificate from file /etc/postfix/certificates/mail.cherciu.com.private.key: disabling TLS support
Dec  2 22:50:36 ufo postfix/smtpd[78918]: warning: TLS library problem: 78918:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE:
Dec  2 22:50:36 ufo postfix/smtpd[78918]: warning: TLS library problem: 78918:error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:ssl_rsa.c:730:

Do I need to generate new certificates or what am I doing wrong? Must be terribly tired

Sounds like a permission error...

[root@ufo certificates]# chmod -R 640 /etc/postfix/certificates/
[root@ufo certificates]# chown -R postfix:postfix /etc/postfix/certificates/
[root@ufo certificates]# service postfix restart
Redirecting to /bin/systemctl restart  postfix.service

Still no luck...