• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Incorrect certificate for mail access

D

dennis_81

Basic Pleskian
Hello

I have created a new website and created a Let's Encrypt Wildcard certificate for it.
In the eMail settings of the domain I selected that this certificate should be used for webmail and SSL/TLS email. For webmail this works great. However, I cannot establish a secure connection using my mail clients.
If I connect to pop.mydomain.com (995) and smtp.mydomain.com (465) (I have created an A-record for both entries pointing to the webserveradress), I get a certificate warning because the server returns the default Plesk certificate with a different domain. If I try to connect directly to mydomain.com (pop and smtp), my mail client reports that it cannot connect to the mail server at all.

Telnet to all ports of the domain and subdomains works.

If I connect unencrypted (25 / 110) everything works without problems.

Does anyone have an idea where the error is?
Thanks for your answers.

Best regards
Dennis
 
I had this problem too.
In your e-mail client you should use mydomain.com for the POP and SMTP settings. That should work.
 
Have you added the SNI option to your SSL certificate of the domain name and have you turned SNI on in the mail settings of the domain?
 
Thank you for your answers. @Peter Debik, I think that should be configured correctly, right?

1637568993759.png

1637569071006.png

I checked maillogs and see that there might be a problem with the smtp connection, even if I connect directly to the mydomain.com.:

2021-11-22 10:15:02postfix/smtpd[1102099]disconnect from ABCD.versanet.de[1.2.3.4] commands=0/0
2021-11-22 10:15:02postfix/smtpd[1102099]lost connection after CONNECT from ABCD.versanet.de[1.2.3.4]
2021-11-22 10:15:02postfix/smtpd[1102099]SSL_accept error fromABCD.versanet.de[1.2.3.4]: lost connection
2021-11-22 10:14:02postfix/smtpd[1102099]connect from ABCD.versanet.de[1.2.3.4]

What could be the problem here?


What do I have to do if I also want the mail server to be accessible via pop.mydomain.com and smtp.mydomain.com via SSL? Or is that not possible at all?
 
I might be mistaken, but regardless of SNI support, isn't only the main domain secured for mail services as @maartenv also pointed out? I don't believe pop.mydomain.com and smtp.mydomain.com (or any other subdomain) would work. Either the main domain (mydomain.com) or your servers host name should be used when connecting to the server for email.
 
Last edited:
True, Plesk assigns a Let's Encrypt certificate based on domain.com for the email services.
On the Mail Settings tab, you'll see:

"SSL/TLS certificate for mail [Lets Encrypt domain.com]"

That's why pop.domain.com and smtp.domain.com won't work. I'm sure it's possible to create a certificate for pop/smtp but it's not worth the hassle.
Using domain.com for the FTP-host, incoming and outgoing mailserver is easier.
 
Ok thanks, I understood. Then I stay with mydomain.com. So the only question now is why I can't establish a connection via port 465?
 

Question - About ports 465 and 587

About this image: If I open port 587, will port 465 stop working? Or will both ports be available and can I use either port as needed? If I change to port 587, will I have to reconfigure my email managers later? About this picture: It will automatically change this setting and I won't have...
talk.plesk.com talk.plesk.com
 
Hi,

yes Port 465 is open and is accessible with telnet. Port 587 is closed.
i also see that a connection is being established:

2021-11-22 10:15:02postfix/smtpd[1102099]disconnect from ABCD.versanet.de[1.2.3.4] commands=0/0
2021-11-22 10:15:02postfix/smtpd[1102099]lost connection after CONNECT from ABCD.versanet.de[1.2.3.4]
2021-11-22 10:15:02postfix/smtpd[1102099]SSL_accept error fromABCD.versanet.de[1.2.3.4]: lost connection
2021-11-22 10:14:02postfix/smtpd[1102099]connect from ABCD.versanet.de[1.2.3.4]
 
What's the output of
# openssl s_client -connect <same domain that you are using in your email client>:465
?
 
Code: 
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mydomain.com
verify return:1
---
Certificate chain
 0 s:CN = mydomain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = mydomain.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4690 bytes and written 399 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0...

    Start Time: 1637591199
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
 
There is no issue on your server.

Please go back into your client configuration. Carefully verify that mydomain.com is used as the incoming AND outgoing mail server. There must not be an addendum, e.g. a prefix or postfix to it like "pop3...." or "smtp...." etc. Only mydomain.com.
 
Thanks Peter,

that is strange. From some clients it works. On one I had to select port 25 with SSL. I can't quite figure it out yet, but basically it seems to work at least. Thanks.
 
You must log in or register to reply here.

Similar threads

P
Resolved PLESK 18.0.60 Problems to configure mails / Certificates, etc.
Replies
8
Views
832
mow
M
P
Issue Certificate problem in Plesk
Replies
5
Views
384
Raul A.
R
M
Resolved Lets Encrypt not issuing certs for subdomains
Replies
2
Views
352
mendip_discovery
M
R
Issue SSL/TLS cert for mail server not updating (Lets Encrypt)
Replies
2
Views
986
tessa67
T
S
Question Mail subdomains with wrong TLS certificate (e.g. imap.example.tld)
Replies
1
Views
580
Kaspar
K
Back
Top