• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved How to secure mail of domain with Lets Encrypt

thats not work for me. the cert in 993 port is default plesk and not the letencrypt.

You need to make sure the letsencrypt certificate is selected in Tools & Settings > SSL & TLS Certificates :

2sx9wSgw.png
 
thanks @virtubox for reply.

but this is a global cert for all domains really?

this generate an error cause customer access with own mail.doman.tld to this cert.

Yes, you can only install a single SSL certificate on the mail server from the Plesk interface. If you want to use a certificate for each user, you will have to make the configuration manually.

Have you choose the certificate mail.yourdomain.tld ?
 
Yss in this way works fine, but is really a problem cause if some day domain is migrated to another server, customers must to change the smtp and pop3/imap server configuration.

is any guide to configure it for each domain manually as you describe?

thanks for help again!
 
Ofcourse a wildcard might be a solution for my own personal domains (about 14 wildcards * $$$), however I cannot force all of our 50k customers to buy a Wildcard as well.
I also cannot force all of those customers to drop their Outlook 20xx versions, just because of this.

You misinterpreted my suggestion for a solution to the problem of virtual hosting for other domains.

I have only 1 certificate on my IMAP/ Pop / SMTP.
That's a wildcard certificate of my company.
Your clients do not need to buy any certificate.
Because it does NOT depend on SNI it also works for older clients and there is no danger some failure in autoprovisioning the LetsEncrypt will spoil the mail.

All my clients use a hostname in their mail client that's constructed this way:
Code:
Domain hawk.eu => hawk-eu.wolf.com
Domain hawk.com => hawk-com.wolf.com
Domain sparrow.com => sparrow-com.wolf.com

All these hostnames will match the certificate *.wolf.com

These special CNAMEs are automatically generated by a cronjob on my DNS-server.
Office365 uses the same trick.
I even have an autodiscovery scheme that autoconfigures the client.

You can send me a dollar for each of those +50K clients of yours for sharing this trick ;-)
 
Last edited:
Hello World,

I don't have the checkbox for secure my mail services...
And the checkbox it's only for Webmail or for IMAP/POP/SMTP ?

Plesk: 12.5.30 (I try with en-US language, same problem)
Let's Encrypt: 2.1.0

And sorry for my english :D
 
Hello World,

I don't have the checkbox for secure my mail services...
And the checkbox it's only for Webmail or for IMAP/POP/SMTP ?

Plesk: 12.5.30 (I try with en-US language, same problem)
Let's Encrypt: 2.1.0

And sorry for my english :D

Jordan,
Don't worry for your english, I am French :)

If you have the webmail enabled in your plesk config, you should see the checkbox for your webmail certificate support (see image under).

Current LE addon does not provide support for certificates on IMAP/POP/SMTP servers (Yet (a winck to @odin Plesk team))

Hope this help

Philippe
LE-plesk.jpg
 
Jordan,
Don't worry for your english, I am French :)

If you have the webmail enabled in your plesk config, you should see the checkbox for your webmail certificate support (see image under).

Current LE addon does not provide support for certificates on IMAP/POP/SMTP servers (Yet (a winck to @odin Plesk team))

Hope this help

Philippe
LE-plesk.jpg

To use a Let's Encrypt certificate on your IMAP/POP/SMTP server, just create the subdomain you want to use and generate your SSL Certificate.
Then you can use it to secure your mail server in Settings > SSL/TLS Certificates

And the last Plesk Onyx releases provide the ability to use Let's Encrypt to protect the webmail.
 
To use a Let's Encrypt certificate on your IMAP/POP/SMTP server, just create the subdomain you want to use and generate your SSL Certificate.
Then you can use it to secure your mail server in Settings > SSL/TLS Certificates
All you write here is correct, but by quoting Amazili you're implying that he was incorrect or was missing something.

He was obviously speaking about the future enhancement to support multiple certificates on SMTP/POP/IMAP by using SNI.
This does not yet exist in the current release.

So I don't think you have taught him anything.
I'm sure he was aware that one could choose a certain certificate to be used for the mail.
It will be only that LetsEncrypt certificate.

I am not waiting for that enhancement.
It will only work for modern mail clients that support SNI and I already have a working scheme using a wildcard certificate in combination with cnames for each client.
 
All you write here is correct, but by quoting Amazili you're implying that he was incorrect or was missing something.

He was obviously speaking about the future enhancement to support multiple certificates on SMTP/POP/IMAP by using SNI.
This does not yet exist in the current release.

So I don't think you have taught him anything.
I'm sure he was aware that one could choose a certain certificate to be used for the mail.
It will be only that LetsEncrypt certificate.

I am not waiting for that enhancement.
It will only work for modern mail clients that support SNI and I already have a working scheme using a wildcard certificate in combination with cnames for each client.

Hello @mr-wolf , I have quoted Amazili because by reading his message, it may create a confusion talk about the webmail protection with Letsencrypt and the current missing feature of IMAP/POP/SMTP server Let'sEncrypt configuration with SNI support.
I have no doubt about his knowledge on this subject by reading his previous post, it was only to avoid confusion between mail server protection with LE, currently limited to a single certificate for a server, and the webmail protection for each domain, now available in Plesk.
 
@virtubox , @mr-wolf ,

Thanks for your comments.

Just to make sure people reading this post understand the current, as of July 2017, situation :

Man CAN protect their webmail using Let's Encrypt certificate with the current Plesk add-on.
Man CANNOT protect their mail server (pop/imap/smtp) for multiple domains using the Let's Encrypt certificate on current Pesk Implementation.

And We (at AmaZili) are actively looking for a solution to use Let's Encrypt certificates for pop/Imap/smtp servers.

Again thanks for your comments and clarification.

Philippe
 
Just to clarify once more!

Problem: When a customer adds their email account to Thunderbird / Outlook / etc. using "mail.customer-domain.com" they receive an error: "Invalid Certificate: This certificate belongs to a different site"

There is no solution to this problem using the Plesk control panel.

There is maybe a solution (?) using the CLI by following AmaZili's instructions on page 3.

Current workaround is to tell customer to ignore the error / add an exception?

Is this correct?
 
A real-life permanent solution that's IMHO better than the upcoming Plesk solution is using a wildcard on your mail.

If you would own fuf.com, you could buy a wildcard certificate "*.fuf.com"
Then tell all your Plesk servers to use the certificate *.fuf.com on their mail and the Plesk interface.

You would need to create a CNAME customer-domain-com.fuf.com that points to mail.customer-domain.com.
Your client needs to configure customer-domain-com.fuf.com in Thunderbird.
 
Thanks mr-wolf, but it's important that my customers are able to use "mail.customer-domain.com" as the mail server address for various "white label" reasons.
 
Thanks mr-wolf, but it's important that my customers are able to use "mail.customer-domain.com" as the mail server address for various "white label" reasons.

I have been using that scheme for years and stopped for a reason.
Maybe Thunderbird handles that "exception" in a proper way, but I know Apple doesn't.
Whenever there's some change in the certificate, even a normal renewal, it loses that exception rule all of a sudden. Sometimes several weeks after the change.

Furthermore you'll be getting all kind of questions from your clients. The answers you'll be giving will often leave them uncertain of your abilities (ignore that warning, just click ok).
Microsoft Outlook users will always get a warning when they start their client. You will probably need to tell them to use a plain connection.
Using a plain connection with passwords is not possible with the modern settings of Postfix. So you need to change that too.

I also have a working autodiscovery that matches my scheme (using Nginx & PHP).
The CNAMES are automatically created on my DNS-server.
 
Back
Top