
Resolved How to secure mail of domain with Lets Encrypt

Yes, agreed. I certainly wasn't suggesting that asking clients to add a security suggestion should be a permanent solution.

But I am hoping that there is another solution on the horizon that will allow clients to use mail.customerdomain.com with a valid certificate? That would be the ideal solution for me and presumably most others.
 
> Yes, agreed. I certainly wasn't suggesting that asking clients to add a security suggestion should be a permanent solution.
>
> But I am hoping that there is another solution on the horizon that will allow clients to use mail.customerdomain.com with a valid certificate? That would be the ideal solution for me and presumably most others.
No, not ideal either.
Many mail clients do NOT support SNI and will keep throwing that same message.
 
> No, not ideal either.
> Many mail clients do NOT support SNI and will keep throwing that same message.

Ah ok, I understand now I think.

In that case maybe best for me to give up on having clients use their own domain in the host address and just get them to use the address of the general server cert I have set in the "Certificate for securing mail" option in Plesk.
 
You can blame the industry for not supporting SNI when they could.
It's one big mess now and it will stay that way for some years.

Microsoft doesn't care about IMAP. The more bad press it gets the better for them.
 
I'd like to add what I did to this thread because I've been looking myself for a solution using let's encrypt and PLESK, and this thread pops up first. Basically, since it's becoming a bit confusing reading all the posts from the start to here, I'd like to clarify my process.

If you're using Postfix as your mail server you're definitely not able to use SNI or multiple certificates, since it doesn't support either. Therefore you have to issue a single certificate which contains multiple domains, also known as a SAN certificate.

SAN Certificates are supported by let's encrypt for up to 100 domains.

As a test case I tried it on my server using Debian 8

The steps I followed:

1. Install certbot utility from the jessie-backports
2. Create the following subdomains on PLESK. "mail.domain1.com" "mail.domain2.com"

Assuming you use default paths for webroot folders
3. Using certbot then
Code:
certbot certonly --email "[email protected]" --webroot -w /var/www/vhosts/domain1.com/mail.domain1.com -d mail.domain1.com \
-w /var/www/vhosts/domain2.com/mail.domain2.com -d mail.domain2.com

This will create certificates in /etc/letsencrypt/live/mail.domain1.com folder

The certificates here are self explanatory but they're valid for both domains mail.domain1.com and mail.domain2.com

4. Using plesk you can go to Tools & Settings -> SSL/TLS Certificates -> Add -> Upload certificate from text and copy paste the certificates accordingly.

5. Set this certificate as mail server certificate.

Connect via email client and it works without any nags.

The catch is that this is not automated and you need to create a subdomain for each mail.domain.com record you need. I'm currently in the process of searching for a way to redirect all requests for mail.* from nginx or apache to the default server domain via a rule, so I can avoid the creation altogether, as let's encrypt only needs the path declared as webroot to be accessible via the internet to verify the challenge.

Of course since it's not integrated with Plesk you need to renew manually and update whenever you add a domain so it's not suited for automated hosting providers.

I'd appreciate any ideas on how to make the redirection
 
I think "my system" is more elegant.
I have a wildcard on all my plesk servers and I automatically create a CNAME for each mail client in the wolf.com zone....
Only once a year I have to worry about certificates (that's next week).

A monitoring system checks certificates on each server. Luckily I don't have to check the certificate for each and every domain nor do I have to rely on some renewal process that sometimes goes wrong. I can see more downsides than upside.... If they host their domain with google it will be imap.gmail.com

The only "downsides" of my system are that I have to pay some money for a wildcard certificate and that our clients will have "wolf.com" in their host names.....
The latter can also be explained as an upside.

If you would be a client of mine with the domain ioweb.gr a script on my DNS-server would create a CNAME ioweb-gr.wolf.com. which would point to mail.ioweb.gr.
I would tell you to use ioweb-gr.wolf.com. in your mail program and that would always match *.wolf.com.

Only 1 certificate to worry about across all the Plesk servers.
An autoconfiguration system on all my Plesk servers lets some mail clients (Outlook & Thunderbird) discover the correct settings automatically. For that a wildcard certificate is needed as well.
 
Yes that's indeed a very nice solution. I read about it in earlier posts. But I tried to give an answer if anyone wanted to use the free let's encrypt ssls as it is. However your solution will be very nice as soon as let's encrypt starts to issue wildcard ssls as well. I think it's supposed to be Jan 2018.
 
> I'd like to add what I did to this thread because I've been looking myself for a solution using let's encrypt and PLESK, and this thread pops up first. Basically, since it's becoming a bit confusing reading all the posts from the start to here, I'd like to clarify my process.
>
> If you're using Postfix as your mail server you're definitely not able to use SNI or multiple certificates, since it doesn't support either. Therefore you have to issue a single certificate which contains multiple domains, also known as a SAN certificate.
>
> SAN Certificates are supported by let's encrypt for up to 100 domains.

Very good point, it almost solves the problem, but it's not solved yet; it just needs to be automated.
One question: as I use a webmail domain for webmail and the Let's Encrypt challenge (https://webmail.mydomain.com/.well-known/acme-challenge/), may we also use this domain in the SAN certificate?
 
I don't see why you can't, as long as you can provide the correct webroot for the acme-challenge to be accessible. As I said, I'm in search of a way to properly redirect nginx from any mail.domain* to a single domain path, for example "letsencrypt.myserver.com", so I can stop the need for subdomain creation.

However, if you wanted to automate it with what I've tested so far, I can think of using a default domain for the server IP on Plesk, so you can do the following:

Code:
certbot certonly --email "[email protected]" --webroot -w /var/www/vhosts/maindomain.com/ -d maindomain.com -d mail.domain2.com -d mail.domain3.com

This will cause the acme challenge to be created in the main domain and when let's encrypt tries to verify it, it will check for example

Code:
http://mail.domain2.com/.well-known/acme-challenge
http://mail.domain3.com/.well-known/acme-challenge

Since this domain won't exist on the server, it will get redirected to

Code:
http://maindomain.com/.well-known/acme-challenge

which exists and is the webroot for your challenge. Afterwards you can automate generation of the certificates with a cron job and a bash script which will read your domains and then build the certbot command.

The only thing after that would be how to add the newly generated certificate as Mail Server certificate via CLI.

--

As an alternative you can wait until 27th February until Let's encrypt starts issuing wildcard certificates and implement the wildcard method @mr-wolf proposed in How to secure mail of domain with Lets Encrypt

This also requires manual work to add the dns zones though for each domain you add.
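The manual SAN procedure earlier in the thread and the cron-plus-bash automation idea in the post above both come down to the same step: assembling one certbot command from the list of customer domains. The following is an added example, not code from the thread or from Plesk: a POSIX shell script that builds that command, validating every hostname so a malformed line in the list cannot be spliced into the command, dropping duplicates, and refusing to go past the 100-name SAN limit mentioned earlier. maindomain.com, the webroot path, the e-mail address and the domain list file are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Plesk: builds the certbot
# SAN command from a domain list so a cron job can renew/expand the mail
# certificate, as the post above suggests. Every path, name and address
# below is a placeholder assumption.

MAIN_DOMAIN="maindomain.com"                  # default domain for the server IP (placeholder)
WEBROOT="/var/www/vhosts/${MAIN_DOMAIN}/"     # the one webroot all challenges are redirected to
ACME_EMAIL="admin@example.invalid"            # placeholder account address
MAX_SAN=100                                   # Let's Encrypt SAN limit mentioned in the thread

# valid_hostname NAME: returns 0 if NAME looks like a DNS hostname.
# Anything else (blank line, '#' comment, spaces, shell metacharacters,
# leading hyphen, trailing or doubled dots) is rejected so a stray line in
# the list can never end up inside the certbot command line.
valid_hostname() {
  case "$1" in
    ''|"#"*)            return 1 ;;
    *[!A-Za-z0-9.-]*)   return 1 ;;
    -*|*.|*..*)         return 1 ;;
  esac
  return 0
}

# build_certbot_cmd FILE: prints the certbot command for MAIN_DOMAIN plus
# mail.<domain> for each valid, unique line in FILE. Fails (exit 1) when the
# list would exceed MAX_SAN names, because the issuer would reject it anyway.
build_certbot_cmd() {
  listfile="$1"
  names="$MAIN_DOMAIN"
  count=1
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')        # tolerate CRLF lists
    valid_hostname "$line" || continue
    case "$line" in
      mail.*) host="$line" ;;                        # already a mail hostname
      *)      host="mail.$line" ;;                   # customer domain -> mail.customerdomain
    esac
    case " $names " in *" $host "*) continue ;; esac # drop duplicates
    count=$((count + 1))
    if [ "$count" -gt "$MAX_SAN" ]; then
      printf 'error: more than %s names, split the list\n' "$MAX_SAN" >&2
      return 1
    fi
    names="$names $host"
  done < "$listfile"
  # --expand lets a later run add new -d names to the existing lineage
  # without an interactive prompt; add --dry-run to test against staging.
  cmd="certbot certonly --non-interactive --agree-tos --expand --email \"$ACME_EMAIL\" --webroot -w $WEBROOT"
  for n in $names; do
    cmd="$cmd -d $n"
  done
  printf '%s\n' "$cmd"
}

# make_sample_list: writes a constructed domain list (not real customers) to a
# temp file and prints its path; it includes a comment, a duplicate, a blank
# line and an invalid entry to show the filtering.
make_sample_list() {
  f=$(mktemp)
  printf '%s\n' '# customer domains' 'domain2.com' 'domain3.com' \
    'mail.domain2.com' '' 'bad domain' 'domain3.com' > "$f"
  printf '%s' "$f"
}

# Usage: sh build-san-cert.sh /etc/mailcert/domains.txt | sh
# Without an argument the constructed sample list is used. The command is
# only printed, never executed, so it can be reviewed before piping to sh.
build_certbot_cmd "${1:-$(make_sample_list)}"
```

The script deliberately prints rather than runs certbot, so the cron job can log the exact command it would execute and a reviewer can check which names are being added. It only covers the certificate request; the step the post leaves open, installing the result as the mail server certificate from the CLI, is not something this example attempts.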
 