
Mail Certificates: An interesting puzzle

Jay Versluis

Regular Pleskian
Hello all,

I was working on a Plesk 12.5 server running CentOS 6.7 yesterday. I’ve patched the mail certificates for Courier as outlined in the KB article (https://kb.odin.com/en/1062). This has worked flawlessly many times before on other systems, but not this time. Even though a TLS check confirms the certificates are correctly served by Plesk, every time I try to connect with an email client I get an interesting phenomenon:
  • when I connect with mail.domain.com, a self-signed certificate is returned. This shouldn’t happen, because I’ve overwritten them all.
  • however, when I connect with domain.com instead, my correctly patched certificate is returned
The certificate is for mail.domain.com, so I’d like mail.domain.com to return said certificate. I'm puzzled because I don't understand where the self-signed certificate comes from. How can Plesk return two different certificates?

mail.domain.com and domain.com resolve to the same IP of course, just thought I'd mention it.
 
Hello Jay,

I hope you don't have a subscription / domain mail.domain.com created on your server through Plesk, do you?
 
Hello abdi! Good call, there's no domain, subscription or subdomain mail.domain.com, but in my testing I have set one up to see if that makes a difference. It did not, I got the same behaviour and subsequently deleted it again.

I've also reset the DNS settings to their defaults, just in case they were not set correctly - but no change there either.
 
Even though a TLS check confirms the certificates are correctly served by Plesk, every time I try to connect with an email client I get an interesting phenomenon
Do you mean that checking the connection to mail.domain.com with http://www.checktls.com/perl/TestReceiver.pl returns the correct certificate results?
Do you have the same behaviour with other mail clients?
Have you tried to use

# plesk repair mail

for fixing this issue?
 
Hi Igor, indeed - that's the very TLS test I'm using, and it returns the correct certificate. All tests pass with flying colours.

I've tried "plesk repair mail", thanks for the tip! It didn't find any trouble. The problem persists.
 
I would suggest you contact the Plesk Support Team for a deep investigation of this strange issue directly on your server.
 
I have an identical problem on an identical set-up (Plesk 12.5, CentOS 6.7). Mail clients cannot connect on SSL ports 993 or 995. Plesk repair mail doesn't change anything, TLS Receiver test says all OK except for "self-signed certificate" (it's the Plesk Parallels default certificate). SSL works fine with SMTP. I have had this issue on two servers since the upgrade to 12.5.
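
An added diagnostic sketch, not part of the original thread or of Plesk: it connects to each hostname on the implicit-TLS mail ports named above (993, 995), sending that hostname as the SNI name, and compares the presented certificate's SHA-256 fingerprint with the certificate file you installed. The PEM path and hostnames are command-line arguments you supply; the function names are this example's own.

```python
import hashlib, re, socket, ssl, sys

PORTS = (993, 995)  # IMAPS and POP3S, the ports named in the thread

def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def first_cert_der(pem_text):
    """DER bytes of the first certificate in a PEM file (which may also hold a key)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem_text, re.S)
    if m is None:
        raise ValueError("no certificate block found")
    return ssl.PEM_cert_to_DER_cert(m.group(0))

def fetch_cert(name, port, timeout=5.0):
    """Certificate presented to a client that connects to `name` with SNI `name`; None if unreachable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # accept a self-signed cert so it can be inspected
    try:
        with socket.create_connection((name, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=name) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:  # covers timeouts, refused connections and TLS handshake errors
        return None

def classify(observed, expected_fp):
    """Map each (name, port) to 'match', 'MISMATCH <fingerprint prefix>' or 'unreachable'."""
    report = {}
    for endpoint, der in observed.items():
        if der is None:
            report[endpoint] = "unreachable"
        elif fingerprint(der) == expected_fp:
            report[endpoint] = "match"
        else:
            report[endpoint] = "MISMATCH " + fingerprint(der)[:16]
    return report

if __name__ == "__main__":
    # usage: python3 certcheck.py <installed-cert.pem> <name> [<name> ...]
    with open(sys.argv[1]) as fh:
        expected = fingerprint(first_cert_der(fh.read()))
    observed = {(n, p): fetch_cert(n, p) for n in sys.argv[2:] for p in PORTS}
    for (name, port), verdict in sorted(classify(observed, expected).items()):
        print(f"{name}:{port}  {verdict}")
```

Running it with both `domain.com` and `mail.domain.com` shows, per port, which name is still being answered with a certificate other than the one installed; identical MISMATCH prefixes across endpoints point to a single leftover certificate.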
 