Question Let's Encrypt support for mail.domain.tld

[Tomas Garcia Ferrari]

What would be the recommended way of adding support of the subdomain mail.domain.tld, so our mail clients do not receive a message saying that there is a hostname mismatch?

At the moment, our Plesk server is sending the certificate for the first installed domain to the mail clients.

 

[Tomas Garcia Ferrari]

I found on GitHub the Plesk-Mail-LetsEcrypt script. The method proposed there is using the Subject Alternative Name (SAN) mechanism (available from Let's Encrypt).

It captures all the domains and adds them using this:

/usr/local/psa/bin/extension --exec letsencrypt cli.php --secure-plesk -w "/var/www/vhosts/domain.tld/httpdocs" -m "[email protected]" -d domain.tld -d www.domain.tld -d mail.domain.tld -d mail.domain-1.tld -d mail.domain-2.tld -d mail.domain-3.tld

Up to 100 alternative names can be added. Then it's just a matter of pointing the certificate to the mail server

Tools & Settings > SSL/TLS Certificates > Certificate for securing mail

Is there any caveat on this method? (for servers with less than 100 domains) Shouldn't this be supported directly from Plesk?

 

[Brujo]

At the moment, our Plesk server is sending the certificate for the first installed domain to the mail clients.

go to Plesk Panel > Tools Settings > SSL/TLS Certificates > Certificate for securing mail - here you can select one

How to secure mail server with Let's Encrypt certificate

Is there any caveat on this method? (for servers with less than 100 domains)

Most certificate authorities cap the number of domains on a single cert anywhere from 25 to 100 and there is also a limit on the Cert size and perhaps it might have an performance issue. So what can happend is, some of your clients might have trouble connecting to your server.. So if you are experienced just use the script.

see for example
Rate Limits - Let's Encrypt - Free SSL/TLS Certificates
Resolved - Domain with 100 domains alias: Let's encrypt problem
Ideal number of domains in one single certificate

Shouldn't this be supported directly from Plesk?

Well afaik there was a Uservoice about it and since there is a limit it will not work for several customers...
Well others on the forum do it in another way and point the dns entry of the mail.domain.tld of all domains to a specified mailserver name on the plesk server and secure it with an certificate.

 

[Tomas Garcia Ferrari]

In my case, it shouldn't be a big problem as I am not dealing with 100s of domains.

Well others on the forum do it in another way and point the dns entry of the mail.domain.tld of all domains to a specified mailserver name on the plesk server and secure it with an certificate.

Can you point to some articles explaining this method? Is this just done at the DNS level?