Resolved: How to secure mail of a domain with Let's Encrypt

That doesn't work for me. The cert on port 993 is the default Plesk one and not the Let's Encrypt one.

You need to make sure the Let's Encrypt certificate is selected in Tools & Settings > SSL & TLS Certificates:

 
Thanks @virtubox for the reply.

But is this really a global cert for all domains?

This generates an error, because customers access this cert with their own mail.domain.tld.

Yes, you can only install a single SSL certificate on the mail server from the Plesk interface. If you want to use a certificate for each user, you will have to make the configuration manually.

Have you chosen the certificate mail.yourdomain.tld?
 
Yes, this way it works fine, but it is really a problem, because if some day the domain is migrated to another server, customers must change their SMTP and POP3/IMAP server configuration.

Is there any guide to configure it for each domain manually, as you describe?

Thanks for the help again!
 
Of course a wildcard might be a solution for my own personal domains (about 14 wildcards * $$$), however I cannot force all of our 50k customers to buy a wildcard as well.
I also cannot force all of those customers to drop their Outlook 20xx versions, just because of this.

You misinterpreted my suggestion for a solution to the problem of virtual hosting for other domains.

I have only 1 certificate on my IMAP/ Pop / SMTP.
That's a wildcard certificate of my company.
Your clients do not need to buy any certificate.
Because it does NOT depend on SNI, it also works for older clients, and there is no danger that some failure in auto-provisioning Let's Encrypt will spoil the mail.

All my clients use a hostname in their mail client that's constructed this way:
Code:
Domain hawk.eu => hawk-eu.wolf.com
Domain hawk.com => hawk-com.wolf.com
Domain sparrow.com => sparrow-com.wolf.com

All these hostnames will match the certificate *.wolf.com

These special CNAMEs are automatically generated by a cronjob on my DNS-server.
Office365 uses the same trick.
I even have an autodiscovery scheme that autoconfigures the client.

You can send me a dollar for each of those +50K clients of yours for sharing this trick ;-)
 
Hello World,

I don't have the checkbox to secure my mail services...
And is the checkbox only for webmail, or for IMAP/POP/SMTP as well?

Plesk: 12.5.30 (I tried with the en-US language, same problem)
Let's Encrypt: 2.1.0

And sorry for my English :D
 
Jordan,
Don't worry about your English, I am French :)

If you have the webmail enabled in your Plesk config, you should see the checkbox for your webmail certificate support (see image below).

The current LE add-on does not provide support for certificates on IMAP/POP/SMTP servers (yet; a wink to the @odin Plesk team).

Hope this helps.

Philippe
 
To use a Let's Encrypt certificate on your IMAP/POP/SMTP server, just create the subdomain you want to use and generate your SSL Certificate.
Then you can use it to secure your mail server in Settings > SSL/TLS Certificates

And the last Plesk Onyx releases provide the ability to use Let's Encrypt to protect the webmail.
 
All you write here is correct, but by quoting Amazili you're implying that he was incorrect or was missing something.

He was obviously speaking about the future enhancement to support multiple certificates on SMTP/POP/IMAP by using SNI.
This does not yet exist in the current release.

So I don't think you have taught him anything.
I'm sure he was aware that one could choose a certain certificate to be used for the mail.
It will be only that Let's Encrypt certificate.

I am not waiting for that enhancement.
It will only work for modern mail clients that support SNI, and I already have a working scheme using a wildcard certificate in combination with CNAMEs for each client.
 
Hello @mr-wolf, I have quoted Amazili because, reading his message, it may create confusion between the webmail protection with Let's Encrypt and the currently missing feature of IMAP/POP/SMTP server Let's Encrypt configuration with SNI support.
I have no doubt about his knowledge of this subject from reading his previous posts; it was only to avoid confusion between mail server protection with LE, currently limited to a single certificate per server, and the webmail protection for each domain, now available in Plesk.
 
@virtubox , @mr-wolf ,

Thanks for your comments.

Just to make sure people reading this post understand the current, as of July 2017, situation :

One CAN protect their webmail using a Let's Encrypt certificate with the current Plesk add-on.
One CANNOT protect their mail server (POP/IMAP/SMTP) for multiple domains using Let's Encrypt certificates in the current Plesk implementation.

And we (at AmaZili) are actively looking for a solution to use Let's Encrypt certificates for POP/IMAP/SMTP servers.

Again thanks for your comments and clarification.

Philippe
 
Just to clarify once more!

Problem: When a customer adds their email account to Thunderbird / Outlook / etc. using "mail.customer-domain.com" they receive an error: "Invalid Certificate: This certificate belongs to a different site"

There is no solution to this problem using the Plesk control panel.

There is perhaps a solution (?) using the CLI by following AmaZili's instructions on page 3.

The current workaround is to tell the customer to ignore the error / add an exception?

Is this correct?
 
A real-life permanent solution that's IMHO better than the upcoming Plesk solution is using a wildcard on your mail.

If you would own fuf.com, you could buy a wildcard certificate "*.fuf.com"
Then tell all your Plesk servers to use the certificate *.fuf.com on their mail and the Plesk interface.

You would need to create a CNAME customer-domain-com.fuf.com that points to mail.customer-domain.com.
Your client needs to configure customer-domain-com.fuf.com in Thunderbird.
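The following is an added example, not code from the thread, from Plesk or from any poster, covering both mr-wolf's hawk.eu => hawk-eu.wolf.com mapping earlier in the thread and the customer-domain-com.fuf.com variant just above. It derives the provider-side hostname and the CNAME the cronjob would emit, and implements the one-label wildcard matching rule mail clients apply, so it shows concretely why mail.customer-domain.com trips "This certificate belongs to a different site" against a *.wolf.com certificate while hawk-eu.wolf.com does not. wolf.com as the provider domain, the customer domains, and the BIND-style record format are assumptions for illustration.

```python
"""Added example (not from the Plesk thread): mr-wolf's wildcard-plus-CNAME
scheme, plus the hostname check that explains the "belongs to a different
site" warning. Assumed: wolf.com is the hosting provider's domain and
*.wolf.com its wildcard certificate; customer domains are constructed."""

import re

HOSTING_DOMAIN = "wolf.com"  # assumed provider domain, as in the thread's illustration

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, at most 63 octets.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot, and validate every label."""
    d = domain.strip().lower().rstrip(".")
    if not d or not all(_LABEL.match(p) for p in d.split(".")):
        raise ValueError(f"invalid domain name: {domain!r}")
    return d


def mail_hostname(customer_domain: str, hosting_domain: str = HOSTING_DOMAIN) -> str:
    """hawk.eu -> hawk-eu.wolf.com: dots become dashes so the result is a single
    label under the hosting domain, which is exactly what *.wolf.com covers."""
    label = _normalize(customer_domain).replace(".", "-")
    if len(label) > 63:
        raise ValueError(f"derived label longer than 63 octets: {label!r}")
    return f"{label}.{_normalize(hosting_domain)}"


def cname_record(customer_domain: str, hosting_domain: str = HOSTING_DOMAIN) -> str:
    """Zone-file line (BIND-style, an assumed format) that the thread's cronjob
    would emit: provider-side name -> the customer's own mail host."""
    target = f"mail.{_normalize(customer_domain)}"
    return f"{mail_hostname(customer_domain, hosting_domain)}. IN CNAME {target}."


def hostname_matches(hostname: str, san_names) -> bool:
    """RFC 6125-style check: exact match, or a leading wildcard that stands for
    exactly one label. *.wolf.com covers hawk-eu.wolf.com but not wolf.com,
    not a.b.wolf.com, and never mail.hawk.eu."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]  # ".wolf.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif host == name:
            return True
    return False


def client_sees_warning(configured_server: str, cert_names) -> bool:
    """True when a mail client configured with `configured_server` would show
    the thread's "belongs to a different site" warning for a cert with these SANs."""
    return not hostname_matches(configured_server, cert_names)


if __name__ == "__main__":
    wildcard = ["*.wolf.com"]
    for d in ("hawk.eu", "hawk.com", "sparrow.com"):
        print(cname_record(d))
        own = f"mail.{d}"
        print(f"  {mail_hostname(d)}: warning={client_sees_warning(mail_hostname(d), wildcard)}")
        print(f"  {own}: warning={client_sees_warning(own, wildcard)}")
```

Two caveats a practitioner would check before automating this. The dot-to-dash mapping is not injective: hawk-eu.com and hawk.eu.com both derive hawk-eu-com.wolf.com, so the cronjob should refuse to create a name that is already in use. And the wildcard covers exactly one label, which is why the derived name must be a single label under the provider domain. To confirm which certificate a server actually presents on port 993 (the symptom at the top of the thread), `openssl s_client -connect mail.example.tld:993 -servername mail.example.tld </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` shows the subject and SAN list (the `-ext` option needs OpenSSL 1.1.1 or later).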
 
Thanks mr-wolf, but it's important that my customers are able to use "mail.customer-domain.com" as the mail server address for various "white label" reasons.
 
I have been using that scheme for years and stopped for a reason.
Maybe Thunderbird handles that "exception" in a proper way, but I know Apple doesn't.
Whenever there's some change in the certificate, even a normal renewal, it loses that exception rule all of a sudden. Sometimes several weeks after the change.

Furthermore, you'll be getting all kinds of questions from your clients. The answers you'll be giving will often leave them uncertain of your abilities ("ignore that warning, just click OK").
Microsoft Outlook users will always get a warning when they start their client. You will probably need to tell them to use a plain connection.
Using a plain connection with passwords is not possible with the modern settings of Postfix. So you need to change that too.

I also have a working autodiscovery that matches my scheme (using Nginx & PHP).
The CNAMEs are automatically created on my DNS server.
 