
Let’s Encrypt WebMail

Jup, tried it with Plesk Version 17.0.17 Update #13 with the Lets Encrypt-Extension Version 1.9 Release 3 on CentOS 7. :^)
Well, maybe you missed a step, I don't know. Did you manually add webmail.toplevel.tld in DNS? Anyway, I got it working by doing exactly those steps I listed.
 
In order to prove that the following does not work, I tried to follow the workaround's instructions with a testing domain and made a screen capture of it.

Edit: Regarding the question about the dns-settings for the webmail.domain.tld-subdomain: Yes, an A/AAAA-record has been set before the action.

The workaround solution is :
Select option webmail "None"
Create subdomain webmail
Create Let's Encrypt certificate
Delete subdomain
Select webmail software
Select webmail certificate
et Voila

The video can be found here: https://maltris.org/wp-content/uploads/2017/01/plesk.webm
Note: In case that you are a future visitor and the video is not available anymore, feel free to contact me so I can update the link or supply you with the video.
 
1st of all, the DNS setting should be added after the subdomain has been deleted, since deleting the subdomain will update DNS and remove the DNS setting for that domain.
2nd, you can also export the certificate after its creation and import it back when ready to select webmail software and certificate when enabling webmail, just to make sure that it's there when you need it.
3rd, I don't understand why you are so keen to prove me wrong and want to go the extra mile to advise others not to try it.
I have done this more than 5 times already and for me it works. Why doesn't it work for you? Like I said, I don't know. I tried to help out with the info you provided, and if you want to, I can still help you figure out why it's not working.
But as this is not helping anyone, I would say contact me or leave it be.
For anyone who would like to try this workaround and gets stuck, I have no problem helping out a fellow sysadmin.
And last but not least, here are 3 domains with my workaround; the last one I have just finished implementing: webmail.xs2hosting.eu, webmail.fmluxury.store and webmail.palazze.com
 
1st of all, the DNS setting should be added after the subdomain has been deleted, since deleting the subdomain will update DNS and remove the DNS setting for that domain.

Since I don't use Plesk's DNS feature, the stage in which I added the records does not really matter.

2nd, you can also export the certificate after its creation and import it back when ready to select webmail software and certificate when enabling webmail, just to make sure that it's there when you need it.

That is a great idea.
  • After creating the Let's Encrypt certificate of the subdomain you can download its PEM bundle
  • Now the subdomain can be deleted (in fact it has to be deleted, because otherwise the webmail application cannot be activated)
  • In order to be able to add the certificate (and its corresponding key and CA certificate) it needs to be split up into those three chunks (separators in the PEM bundle tell you where to split, look for "BEGIN" and "END")
  • Then either you add the chunks via the forms or upload the three files (.key, .crt, -ca.crt) at the page "Add SSL/TLS certificate" of the main domain
  • After that procedure the webmail can be secured with the re-imported certificate
3rd, I don't understand why you are so keen to prove me wrong and want to go the extra mile to advise others not to try it.

My goal was never to invalidate your suggestion without any reason.
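
The PEM bundle split described in the list above (key, certificate, CA certificate), as an added example that is not part of the original posts. It assumes the bundle holds exactly one private key followed by the domain certificate and then the CA chain; `split_bundle`, `write_parts`, `fake_block` and `SAMPLE_BUNDLE` are hypothetical names, and the sample blocks are constructed placeholders rather than real key material.

```python
import base64
import os
import re
from pathlib import Path

# One PEM block; group 1 is the label between BEGIN/END (e.g. "CERTIFICATE").
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.DOTALL
)

def split_bundle(bundle_text):
    """Return (key, cert, ca) PEM strings from a key + certificate + CA bundle."""
    keys, certs = [], []
    for match in PEM_BLOCK.finditer(bundle_text):
        label, body = match.group(1), match.group(2)
        # Reject truncated or hand-damaged blocks before they reach the panel.
        base64.b64decode("".join(body.split()), validate=True)
        block = match.group(0).replace("\r\n", "\n") + "\n"
        if label.endswith("PRIVATE KEY"):
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
    if len(keys) != 1 or len(certs) < 2:
        raise ValueError(f"expected 1 key and >=2 certificates, got {len(keys)}/{len(certs)}")
    # Assumption: first certificate is the domain's own, the rest is the CA chain.
    return keys[0], certs[0], "".join(certs[1:])

def write_parts(bundle_text, out_dir, name):
    """Write name.key (mode 0600), name.crt and name-ca.crt; return their paths."""
    key, cert, ca = split_bundle(bundle_text)
    paths = {}
    for suffix, data, mode in ((".key", key, 0o600), (".crt", cert, 0o644), ("-ca.crt", ca, 0o644)):
        path = Path(out_dir) / (name + suffix)
        # O_EXCL refuses to overwrite; the mode is set at creation, so the key
        # file is never group- or world-readable, not even briefly.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
        with os.fdopen(fd, "w") as handle:
            handle.write(data)
        paths[suffix] = path
    return paths

def fake_block(label, payload):
    # Constructed placeholder: only the PEM armour matters for the split.
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

SAMPLE_BUNDLE = (  # constructed sample, not a real key or certificate
    fake_block("PRIVATE KEY", b"constructed-key" * 8)
    + fake_block("CERTIFICATE", b"constructed-leaf" * 8)
    + fake_block("CERTIFICATE", b"constructed-ca" * 8)
)
```

The three files `write_parts` produces match the `.key`, `.crt` and `-ca.crt` uploads named in the list; delete the downloaded bundle and the `.key` file once the certificate has been re-imported.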
 
Question, so from my understanding after creating the subdomain, gathering the certificate and removing that subdomain.
Do I need to repeat this process every 90 days for letsencrypt?
 
Hi Daniel Willitzer,

Do I need to repeat this process every 90 days for letsencrypt?
If the actual "Plesk Let's Encrypt Extension" wouldn't be updated/upgraded (which is pretty soon, as announced by Plesk team members!), then the answer would be: Yes.
BUT (!!!), we are all enthusiastic and with lots of confidence that the next update/upgrade of the "Plesk Let's Encrypt Extension" will step out of its kid shoes and the new ones should fit the feet much, much better then! :):D:)
 
Hello,

Provided Plesk doesn't override the settings for whatever reason, I would expect creating and renewing the certificate should be highly achievable through NGINX. When the ACME challenge is encountered, requests would be served to the temp certbot server.

Very new to NGINX as a proxy, but would expect this to work and allow for auto-renewals and instantiation. I do something similar with Varnish and Pound on other setups.
Some notes here about switching, haven't had time to test but will keep looking into it.
https://gist.github.com/soheilhy/8b94347ff8336d971ad0

Then I would expect the only issue to be adding webmail.domain.com, mail.domain.com variations to the Let's Encrypt scripts/templates, and it should work well?

Has anyone tried this?
 

Ok, I've done webmail using Pound on an external proxy which terminates with SSL (Pound+Varnish+Letsencrypt). It was very easy to do using Roundcube, which looks to work perfectly without any config for an SSL connection. I don't have enough spare time right now to work out how to forward the mail connections through a proxy to keep the server safe. So for mail.domain.com I've got this hitting the server/s and installed certbot-auto (varied from these instructions: How To Secure Apache with Let's Encrypt on Ubuntu 14.04 | DigitalOcean). I'm using Ubuntu 16.xxx.

If you run the call as a standalone version and bind to port 8000, then this should work easily for ANY webmail.* and mail.* if desired. Provided Plesk doesn't wipe the record, you can insert a new config file into /etc/nginx/conf.d/mymail.conf. If you wanted this globally, I would recommend adding in some wildcards for webmail.* and mail.* (first time tweaking NGINX, but Google will answer that in a minute or two).

server {
    listen 10.0.0.4:80;
    # A wildcard should be possible here (webmail.*), and the same for mail.*
    server_name "mail.domain.com";

    # Forward only ACME HTTP-01 challenge requests to the standalone certbot listener on port 8000
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://10.0.0.4:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Reload
service nginx reload

Then call certbot
certbot-auto certonly --standalone --agree-tos --domains mail.domain.com,webmail.domain.com --email [email protected] --preferred-challenges http-01 --http-01-port 8000 --renew-by-default --rsa-key-size 4096

And it should work no problem, as it does for me. Then you simply need to make sure you have the ability to renew, or better, a script checking this for you periodically. When needed, certbot-auto renew will parse the files and run the renewals; still, double-check that the renew command will invoke the settings desired (:8000, standalone).

Then set the desired certificates up against postfix, dovecot as needed. Postfix and Dovecot on Ubuntu with a Lets Encrypt SSL Certificate

Hope that helps someone,
 
I am on Plesk Onyx Version 17.0.17 Update #24 and switched off webmail (none) for a particular domain, but I fail when I want to add the subdomain webmail.mydomain.de

Error Message: Incorrect subdomain name webmail.mydomain.de: this domain name is used for accessing webmail under the domain

Any idea?
 
I understand the issues listed in the thread but can any Plesk admin or developers give some kind of ETA as to when they'll have an update available that will fix this? Webmail with broken SSL is kinda a huge deal... especially for clients.
 
I have heard that developers are still in the making of the Let's Encrypt webmail-subdomain solution. We need to be patient. Plesk is a complex system, it's not that easy to make changes to domain configurations. Consider that this needs thorough testing, too.
 
Hi Catbodi,

perhaps the Plesk Community Manager @Viktor Vogel could help to answer your questions.

At the current moment, the work-arounds are just additional possibilities for how to implement "webmail" certificates with the Plesk Let's Encrypt extension. The current work-arounds are only suggestions and should not be seen as "official" from Plesk. The usage is certainly "at your own risk". :(
 