• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question mail certificate/host best practice

F

FYI

Basic Pleskian
Server operating system version
Ubuntu 22.04
Plesk version and microupdate number
18.0.50
Hey guys,

when i'm securing the mail server with the lets encrypt certificate for my hostname, i have questions about dns-template and mailserver usage best practice.

  1. The LE hostname-certificate just contains the hostname if im thinking correct
  2. would it be better to change the dns template mx record to the hostname, so the certificate is valid for the mx?
  3. if i would do this, i can safely remove the mail A/AAAA record from the dns template? (but needed on host-domain zone?)
  4. if i would do this, everybody needs to setup his email clients with the hostname as imap/smtp server, correct?
  5. if i would do this, does dkim and spf still work for all domains or does i need to change anything there?
  6. Is there another smarter solution?

Best regards
FYI
 
Plesk has a built in feature to secure email access with the LE certificate so there's no need to use just one host name. When requesting for a certificate, you will be given options to choose, one of which is to assign the certificate to the mail domain which includes IMAP, POP, and SMTP, on top of Webmail.

As for answering the questions themselves:
FYI said:
The LE hostname-certificate just contains the hostname if im thinking correct
Click to expand...
Certificates are usually always domain name based (yourdomain.tld or some.domain.tld) so ye, guess you could say it's "hostname" based although I wouldn't say that since it could get confusing if you don't understand the correct terms.

Basically, when we're talking hostnames, it could be 1 of 3 things:
1) The name of the computer/device/whatever
-- This is usually the name that is set and what you see when you SSH, this can be in a form of, say HOSTNAME or HOSTNAME.local or any other combo
2) The tld (although we usually just call this the domain)
or
3) The subdomain (subdomain.yourdomain.tld)

So ye, like I said, can get confusing.

But the thing is, if we're talking about the hostname as option 2 (aka the domain name), you could request a wildcard certificate to cover all subdomains which is what I would recommend doing
FYI said:
would it be better to change the dns template mx record to the hostname, so the certificate is valid for the mx?
Click to expand...
You will always need some sort of MX record so the email knows how to get routed. Honestly the best way of doing it is to just keep the current DNS template alone (see my very first message at the start of the post) since it'll be less of a headache to get it to work properly without getting emails flagged for spam because it came from a different domain.
FYI said:
if i would do this, i can safely remove the mail A/AAAA record from the dns template? (but needed on host-domain zone?)
Click to expand...
Technically speaking yes, but like I mention above, I wouldn't recommend it.
FYI said:
if i would do this, everybody needs to setup his email clients with the hostname as imap/smtp server, correct?
Click to expand...
Yes they would need to use the main domain if you go this route.
FYI said:
if i would do this, does dkim and spf still work for all domains or does i need to change anything there?
Click to expand...
This is the complicated part. You would need to configure DKIM and SPF accordingly, why I recommend just leaving default template alone and just keep each domain's configuration separate, less headaches.
FYI said:
Is there another smarter solution?
Click to expand...
See the very start of my post for the smarter solution.
 
So for the explanation:
I have a domain, which i only uses for the hostnames (p1.domain.tld = plesk server, ns1.domain.tld = ns1 server, ns2.domain.tld = ns2 server). To do so, i setup the 3 named servers with that hostnames.

So Plesk webinterface is available at p1.domain.tld, cause i added this domain (the needed dns zone itself, just added the p1 A/AAAA record and changed the records for ns1 and ns2 A/AAAA/NS to ns1.domain.tld and ns2.domain.tld and their ipv4/ipv6 addresses), which i use just for the hostnames to resolve, to plesk as domain in my service-provider abonement. Then i got to the SSL/TLS settings and created a LE certificate for p1.domain.tld and choosed that to secure plesk login and mailserver.

Later there getting domains from myself and some customers.

The question behind that:
When i dont edit the dns template as you said and someone adds his domain for example domain2.tld and uses his own imap.domain2.tld and smtp.domain2.tld as IMAP/SMTP server when setting up a client - wouldnt be the LE certificate not marked as insecure, cause its the one which i created for p1.domain.tld?
 
Ahhhhh....i think i see.... Everybody thats adding a domain, can choose to secure HIS domain with the lets encrypt certificate. So the server uses the certificate for the hostname and plesk login and each domain has its own certificate - correct?
 
Correct, each domain will have their own certificates. Your panel login URL (the one you do through Tools & Settings > SSL/TLS Certificates > Certificate for securing Plesk) is completely separated from everything else because of how it's configured through the virtual hosts settings.

If this is your first time doing any kind of hosting or have never used virtual hosts before, I would suggest doing some research on virtual hosts to get a better understanding. The help docs on docs.plesk.com is full of information as well.

But the gist of it is, each domain has a virtual host created with the configs stored in a location, the virtual host structure on linux is located here. The configurations defines how to connect to different parts of the host such as where the error pages should be directed to, what's the mail configuration, etc, this also includes what certificates to be used. This is how you are allowed to run multiple domains on 1 IP address because of virtual hosts, without virtual hosts it makes it harder to do just that.

Hope this helps answered your questions.
 
  • Like
Reactions: FYI
Hi,

My certificate is totally fine and it's saying connection is secure but when I am typing the "mail.myhostame.com" it's coming up plesk login panel. Why? How can I block it?
 
You must log in or register to reply here.

Similar threads

L
Question Which domain mail server should I use ?
Replies
2
Views
286
LaurentR2D2
L
Fabian H
Question Best practice email setup
Replies
4
Views
1K
Kaspar
K
E
Issue Several understanding errors in my postfix
Replies
4
Views
4K
estanis
E
P
Issue Certificate problem in Plesk
Replies
5
Views
339
Raul A.
R
E
Resolved Need Help configuring server records for my domain
Replies
5
Views
1K
eggih
E
Back
Top