Question mail certificate/host best practice

[FYI]

Server operating system version

Ubuntu 22.04

Plesk version and microupdate number

18.0.50

Hey guys,

when i'm securing the mail server with the lets encrypt certificate for my hostname, i have questions about dns-template and mailserver usage best practice.

1. The LE hostname-certificate just contains the hostname if im thinking correct
2. would it be better to change the dns template mx record to the hostname, so the certificate is valid for the mx?
3. if i would do this, i can safely remove the mail A/AAAA record from the dns template? (but needed on host-domain zone?)
4. if i would do this, everybody needs to setup his email clients with the hostname as imap/smtp server, correct?
5. if i would do this, does dkim and spf still work for all domains or does i need to change anything there?
6. Is there another smarter solution?

Best regards
FYI

 

[scsa20]

Plesk has a built in feature to secure email access with the LE certificate so there's no need to use just one host name. When requesting for a certificate, you will be given options to choose, one of which is to assign the certificate to the mail domain which includes IMAP, POP, and SMTP, on top of Webmail.

As for answering the questions themselves:

The LE hostname-certificate just contains the hostname if im thinking correct

Certificates are usually always domain name based (yourdomain.tld or some.domain.tld) so ye, guess you could say it's "hostname" based although I wouldn't say that since it could get confusing if you don't understand the correct terms.

Basically, when we're talking hostnames, it could be 1 of 3 things:
1) The name of the computer/device/whatever
-- This is usually the name that is set and what you see when you SSH, this can be in a form of, say HOSTNAME or HOSTNAME.local or any other combo
2) The tld (although we usually just call this the domain)
or
3) The subdomain (subdomain.yourdomain.tld)

So ye, like I said, can get confusing.

But the thing is, if we're talking about the hostname as option 2 (aka the domain name), you could request a wildcard certificate to cover all subdomains which is what I would recommend doing

would it be better to change the dns template mx record to the hostname, so the certificate is valid for the mx?

You will always need some sort of MX record so the email knows how to get routed. Honestly the best way of doing it is to just keep the current DNS template alone (see my very first message at the start of the post) since it'll be less of a headache to get it to work properly without getting emails flagged for spam because it came from a different domain.

if i would do this, i can safely remove the mail A/AAAA record from the dns template? (but needed on host-domain zone?)

Technically speaking yes, but like I mention above, I wouldn't recommend it.

if i would do this, everybody needs to setup his email clients with the hostname as imap/smtp server, correct?

Yes they would need to use the main domain if you go this route.

if i would do this, does dkim and spf still work for all domains or does i need to change anything there?

This is the complicated part. You would need to configure DKIM and SPF accordingly, why I recommend just leaving default template alone and just keep each domain's configuration separate, less headaches.

Is there another smarter solution?

See the very start of my post for the smarter solution.

 

[scsa20]

Here's some additional resources that could help you:

Securing Connections with the SSL It! Extension

Watch the video tutorial The SSL It! extension offers a single interface for keeping your websites secured with SSL/...

docs.plesk.com

DKIM, SPF, and DMARC Protection and ARC Support

Plesk supports modern anti-spam mechanisms used to validate the identity of mail senders. Namely, DKIM, SPF, DMARC, and ARC.

docs.plesk.com

 

[FYI]

So for the explanation:
I have a domain, which i only uses for the hostnames (p1.domain.tld = plesk server, ns1.domain.tld = ns1 server, ns2.domain.tld = ns2 server). To do so, i setup the 3 named servers with that hostnames.

So Plesk webinterface is available at p1.domain.tld, cause i added this domain (the needed dns zone itself, just added the p1 A/AAAA record and changed the records for ns1 and ns2 A/AAAA/NS to ns1.domain.tld and ns2.domain.tld and their ipv4/ipv6 addresses), which i use just for the hostnames to resolve, to plesk as domain in my service-provider abonement. Then i got to the SSL/TLS settings and created a LE certificate for p1.domain.tld and choosed that to secure plesk login and mailserver.

Later there getting domains from myself and some customers.

The question behind that:
When i dont edit the dns template as you said and someone adds his domain for example domain2.tld and uses his own imap.domain2.tld and smtp.domain2.tld as IMAP/SMTP server when setting up a client - wouldnt be the LE certificate not marked as insecure, cause its the one which i created for p1.domain.tld?

 

[FYI]

Ahhhhh....i think i see.... Everybody thats adding a domain, can choose to secure HIS domain with the lets encrypt certificate. So the server uses the certificate for the hostname and plesk login and each domain has its own certificate - correct?

 

[scsa20]

Correct, each domain will have their own certificates. Your panel login URL (the one you do through Tools & Settings > SSL/TLS Certificates > Certificate for securing Plesk) is completely separated from everything else because of how it's configured through the virtual hosts settings.

If this is your first time doing any kind of hosting or have never used virtual hosts before, I would suggest doing some research on virtual hosts to get a better understanding. The help docs on docs.plesk.com is full of information as well.

But the gist of it is, each domain has a virtual host created with the configs stored in a location, the virtual host structure on linux is located here. The configurations defines how to connect to different parts of the host such as where the error pages should be directed to, what's the mail configuration, etc, this also includes what certificates to be used. This is how you are allowed to run multiple domains on 1 IP address because of virtual hosts, without virtual hosts it makes it harder to do just that.

Hope this helps answered your questions.

 

[veliseremet]

Hi,

My certificate is totally fine and it's saying connection is secure but when I am typing the "mail.myhostame.com" it's coming up plesk login panel. Why? How can I block it?