
Issue: Incorrect certificate for mail access

dennis_81

Hello

I have created a new website and created a Let's Encrypt Wildcard certificate for it.
In the email settings of the domain I selected that this certificate should be used for webmail and SSL/TLS email. For webmail this works great. However, I cannot establish a secure connection using my mail clients.
If I connect to pop.mydomain.com (995) and smtp.mydomain.com (465) (I have created an A-record for both entries pointing to the web server address), I get a certificate warning because the server returns the default Plesk certificate with a different domain. If I try to connect directly to mydomain.com (pop and smtp), my mail client reports that it cannot connect to the mail server at all.

Telnet to all ports of the domain and subdomains works.

If I connect unencrypted (25 / 110) everything works without problems.

Does anyone have an idea where the error is?
Thanks for your answers.

Best regards
Dennis
 
I had this problem too.
In your e-mail client you should use mydomain.com for the POP and SMTP settings. That should work.
 
Have you added the SNI option to your SSL certificate of the domain name and have you turned SNI on in the mail settings of the domain?
 
Thank you for your answers. @Peter Debik, I think that should be configured correctly, right?


I checked maillogs and see that there might be a problem with the smtp connection, even if I connect directly to the mydomain.com.:

2021-11-22 10:15:02 postfix/smtpd[1102099] disconnect from ABCD.versanet.de[1.2.3.4] commands=0/0
2021-11-22 10:15:02 postfix/smtpd[1102099] lost connection after CONNECT from ABCD.versanet.de[1.2.3.4]
2021-11-22 10:15:02 postfix/smtpd[1102099] SSL_accept error from ABCD.versanet.de[1.2.3.4]: lost connection
2021-11-22 10:14:02 postfix/smtpd[1102099] connect from ABCD.versanet.de[1.2.3.4]

What could be the problem here?


What do I have to do if I also want the mail server to be accessible via pop.mydomain.com and smtp.mydomain.com via SSL? Or is that not possible at all?
 
I might be mistaken, but regardless of SNI support, isn't only the main domain secured for mail services, as @maartenv also pointed out? I don't believe pop.mydomain.com and smtp.mydomain.com (or any other subdomain) would work. Either the main domain (mydomain.com) or your server's host name should be used when connecting to the server for email.
 
True, Plesk assigns a Let's Encrypt certificate based on domain.com for the email services.
On the Mail Settings tab, you'll see:

"SSL/TLS certificate for mail [Lets Encrypt domain.com]"

That's why pop.domain.com and smtp.domain.com won't work. I'm sure it's possible to create a certificate for pop/smtp but it's not worth the hassle.
Using domain.com for the FTP-host, incoming and outgoing mailserver is easier.
 
Ok thanks, I understood. Then I stay with mydomain.com. So the only question now is why I can't establish a connection via port 465?
 
 
Hi,

yes, port 465 is open and is accessible with telnet. Port 587 is closed.
I also see that a connection is being established:

2021-11-22 10:15:02 postfix/smtpd[1102099] disconnect from ABCD.versanet.de[1.2.3.4] commands=0/0
2021-11-22 10:15:02 postfix/smtpd[1102099] lost connection after CONNECT from ABCD.versanet.de[1.2.3.4]
2021-11-22 10:15:02 postfix/smtpd[1102099] SSL_accept error from ABCD.versanet.de[1.2.3.4]: lost connection
2021-11-22 10:14:02 postfix/smtpd[1102099] connect from ABCD.versanet.de[1.2.3.4]
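The four postfix/smtpd lines quoted twice in this thread form one session: the client opened the TCP connection, Postfix's SSL_accept failed with "lost connection" (the client hung up during the TLS handshake, which is what a mail client does when it rejects the certificate or when it talks plaintext/STARTTLS on a wrapper-mode port such as 465), and the session closed with commands=0/0, i.e. no SMTP command was ever sent. The following script is an added example, not code from the thread or from Plesk; it reconstructs smtpd sessions from the log and flags the ones that died in the handshake. The sample log is constructed and modelled on the lines above (pasted there newest-first; the script expects chronological order, as in the real file), with a second, healthy session added for contrast.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the postfix/smtpd lines quoted in the thread,
# in chronological order plus one successful session for comparison.
SAMPLE_LOG = """\
2021-11-22 10:14:02 postfix/smtpd[1102099] connect from ABCD.versanet.de[1.2.3.4]
2021-11-22 10:15:02 postfix/smtpd[1102099] SSL_accept error from ABCD.versanet.de[1.2.3.4]: lost connection
2021-11-22 10:15:02 postfix/smtpd[1102099] lost connection after CONNECT from ABCD.versanet.de[1.2.3.4]
2021-11-22 10:15:02 postfix/smtpd[1102099] disconnect from ABCD.versanet.de[1.2.3.4] commands=0/0
2021-11-22 10:16:10 postfix/smtpd[1102100] connect from mail.example.net[5.6.7.8]
2021-11-22 10:16:11 postfix/smtpd[1102100] disconnect from mail.example.net[5.6.7.8] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

# timestamp, smtpd pid, event keyword, client "name[ip]", and whatever follows
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"postfix/smtpd\[(?P<pid>\d+)\] "
    r"(?P<event>connect from|SSL_accept error from|lost connection after \w+ from|disconnect from) "
    r"(?P<client>\S+?\[[^\]]+\])"
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Return the fields of one smtpd log line, or None for lines we do not track."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def analyse_sessions(log_text):
    """Rebuild smtpd sessions keyed by (pid, client) from 'connect' to 'disconnect'."""
    open_sessions = {}
    finished = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["pid"], rec["client"])
        if rec["event"] == "connect from":
            open_sessions[key] = {
                "client": rec["client"], "pid": rec["pid"], "start": rec["ts"],
                "ssl_accept_error": False, "ssl_reason": None, "commands": None,
            }
            continue
        sess = open_sessions.get(key)
        if sess is None:
            continue  # disconnect without a connect, e.g. after log rotation
        if rec["event"] == "SSL_accept error from":
            sess["ssl_accept_error"] = True
            sess["ssl_reason"] = rec["rest"].lstrip(": ").strip()
        elif rec["event"] == "disconnect from":
            # "commands=0/0" on an SSL_accept failure, "commands=6" on a normal session
            m = re.search(r"commands=(\d+)", rec["rest"])
            sess["commands"] = int(m.group(1)) if m else 0
            sess["end"] = rec["ts"]
            sess["handshake_failed"] = sess["ssl_accept_error"] and sess["commands"] == 0
            finished.append(open_sessions.pop(key))
    return finished


def handshake_failures(log_text):
    """Sessions that were torn down during the TLS handshake before any SMTP command."""
    return [s for s in analyse_sessions(log_text) if s["handshake_failed"]]


if __name__ == "__main__":
    for s in handshake_failures(SAMPLE_LOG):
        print(f"{s['start']} {s['client']}: TLS handshake failed ({s['ssl_reason']}), "
              f"{s['commands']} SMTP commands")
```

Run it against a real `/var/log/maillog` by feeding the file contents to `handshake_failures()`; a burst of such sessions from one client, all with "lost connection" and zero commands, points at that client's settings (server name or port/encryption mode) rather than at the server.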
 
What's the output of
# openssl s_client -connect <same domain that you are using in your email client>:465
?
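The same check in script form, as an added example that is not part of the thread and not Plesk's code: it opens an implicit-TLS (wrapper-mode) connection as a mail client would on 465 or 995, sends the connected name as SNI, and lets Python's default context verify chain and hostname, so a server that answers with a certificate for a different name (the thread's "default Plesk certificate" case) is reported with the exact mismatch. The offline part implements the hostname-matching rule a client applies (RFC 6125: the wildcard covers exactly one label, so `*.mydomain.com` covers `pop.mydomain.com` but not `mydomain.com`), run here against two constructed certificate dicts in the shape `getpeercert()` returns; `mydomain.com` is the thread's placeholder and `server.example.net` is a made-up name standing in for the server's default certificate.

```python
import socket
import ssl

# Constructed certificate dicts in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_WILDCARD_CERT = {
    "subject": ((("commonName", "mydomain.com"),),),
    "subjectAltName": (("DNS", "mydomain.com"), ("DNS", "*.mydomain.com")),
}
SAMPLE_DEFAULT_CERT = {  # stand-in for a server default certificate for another name
    "subject": ((("commonName", "server.example.net"),),),
}


def cert_dns_names(peercert):
    """DNS names the certificate is valid for: SAN dNSName entries, with the
    subject CN used only when the certificate carries no SAN at all."""
    names = [value for (kind, value) in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, '*' allowed only as the whole
    leftmost label, matching exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(peercert, hostname):
    """True when the certificate is valid for hostname under the rule above."""
    return any(name_matches(n, hostname) for n in cert_dns_names(peercert))


def check_mail_tls(host, port, timeout=5.0):
    """Implicit-TLS connect (465/995 style) with `host` as SNI; verification is
    what a mail client does. Returns (ok, detail)."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                names = cert_dns_names(tls.getpeercert())
                return True, f"{tls.version()} OK, certificate valid for {names}"
    except ssl.SSLCertVerificationError as e:
        # e.g. "Hostname mismatch, certificate is not valid for 'pop.mydomain.com'"
        return False, f"certificate rejected: {e.verify_message}"
    except (OSError, ssl.SSLError) as e:
        return False, f"connection or handshake failed: {e}"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mydomain.com"
    for port in (465, 995):
        ok, detail = check_mail_tls(host, port)
        print(f"{host}:{port} -> {'PASS' if ok else 'FAIL'}: {detail}")
```

Run it once with the main domain and once with the `pop.`/`smtp.` names: the first should pass, the second should fail with a hostname mismatch even though the wildcard certificate itself would cover those names, which is precisely the point that the name presented by the mail service, not the certificate's SAN list, decides what a client will accept.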
 
Code:
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mydomain.com
verify return:1
---
Certificate chain
 0 s:CN = mydomain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = mydomain.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4690 bytes and written 399 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0...

    Start Time: 1637591199
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
 
There is no issue on your server.

Please go back into your client configuration. Carefully verify that mydomain.com is used as the incoming AND outgoing mail server. There must not be an addendum, e.g. a prefix or postfix to it like "pop3...." or "smtp...." etc. Only mydomain.com.
 
Thanks Peter,

that is strange. From some clients it works. On one I had to select port 25 with SSL. I can't quite figure it out yet, but basically it seems to work at least. Thanks.
 