• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Independent Secure E-Mail > Postfix / Dovecot MTAs > 1 Server Multiple Domains > Plesk

learning_curve

Golden Pleskian
Somebody will have already done this somewhere, we're sure...
Our setup is shown on our forum signature for reference.

Using the standard Plesk setup, certificates are created and stored to enable SSL e-mail by default. You can also secure the mail server using Let's Encrypt (as shown here) and you can change the default Postfix / Dovecot certificates (as shown here) but in all cases, we think they relate to just one domain url / name / ip address etc

We have one server with multiple domains. As we're looking forward to (hopefully) being totally TLSv1.3 soon (but still with TLSv1.2 backup for a while) we're pretty keen to solve the errors that our current setup can / may create e.g.
Code:
We can use this server
TLS is an option on this server
STARTTLS
220 2.0.0 Ready to start TLS
STARTTLS command works on this server
Connection converted to SSL
        SSLVersion in use: TLSv1_2
        Cipher in use: ECDHE-RSA-AES128-GCM-SHA256
        Certificate 1 of 3 in chain: Cert VALIDATED: ok
        Cert Hostname DOES NOT VERIFY (mail.mydomain.com != *.other.com | DNS:*.other | DNS:other)
        (see RFC-2818 section 3.1 paragraph 4 for info on wildcard ("*") matching)
        So email is encrypted but the host is not verified
        cert not revoked by CRL
        cert not revoked by OCSP
        serialNumber= * dot *
        subject= /CN=*.other
        issuer= /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL SHA256 CA
        Certificate 2 of 3 in chain: Cert VALIDATED: ok
        cert not revoked by CRL
        cert not revoked by OCSP
        serialNumber=* dot *
        subject= /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL SHA256 CA
        issuer= /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc.
        For authorized use only/CN=GeoTrust Primary Certification Authority - G3
        Certificate 3 of 3 in chain: Cert VALIDATED: ok
        cert not revoked by CRL
        cert not revoked by OCSP
        serialNumber=* dot *
        subject= /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc.
        For authorized use only/CN=GeoTrust Primary Certification Authority - G3
        issuer= /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc.
        For authorized use only/CN=GeoTrust Primary Certification Authority - G3
That's a sanitised but true example report. The issue is the mail.mydomain.com url is on a different domain url than the one used by other.com, hence the no verification error report.

This also applies even to normal domain ssl/tls server tests where the non-verification error is reported, but isn't a big factor in the overall security rating on say Qualys.SSL etc (as all the separate certificates are all valid anyway...)

Our thoughts are...

There must already be lots and lots of people using Independent Secure E-Mail > Postfix / Dovecot MTAs > 1 Server Multiple Domains > Plesk but not having their server named as a sub-domain of one of their domains? What do you do?

1) Now that wildcard certificates are available from Let's Encrypt at no extra cost :) we should replace ALL certificates on all domains, with new Let's Encrypt wildcard certificates and then re-name the server (because it is currently named as a sub-domain of other.com ;) The reason for that being, the server itself is then covered under the Purchased GeoTrust Wildcard Certificate for the most active domain on the server. We can then issue a new certificate for the new server name itself too. This will require a lot of thought prior to carrying out the changes, but it may then solve ALL verification checks (server and e-mail) from then on... we think :p

2) Modify Postfix and Dovecot independently... This looks to be a lot more difficult o_O

If anybody has done this already / got advice on it, or the two ways we've mentioned of changing it and/or a third way which we haven't seen yet... it would be great to read your posts.
 
I don't know how good your german is...
Google Translate is not too bad, no Torschlusspanik here :cool:
...but I wrote an article how to secure mail server for each domain Plesk Onyx und der Mailserver In case of postfix you need an IP per Domain to secure them with the correct certificate.
That's a very useful and well explained guide. Thank you. Essentially, the Dovecot side looks straightforward by comparison, but the Postfix inability to resolve names only IP addresses that you mention is a setback :( We have a few IP addresses, but not one for each domain currently. Okay we'll keep investigating
 
Back
Top