
Mail SSL

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by CJZ, Jan 2, 2012.

  1. CJZ

    Currently (base install) my mail server is using the Plesk default SSL certificate. I have applied my own personal certificate to the sites (which apparently does not get applied to mail server).

    How can I apply my certificate to courier-imap and postfix?

    Thanks.
     
  2. Faris Raouf

    Have a look here: http://kb.parallels.com/en/1062

    Note the following though:

    It seems to me that this is requested quite often, so it would be nice to see a way to select one of the SSL certificates already installed for http via the GUI and have it applied to imap, smtp and pop3. We'll have to add it as a feature request.
     
    Last edited: Jan 2, 2012
  3. JustinGivens

    Let's say I set the new SSL cert (following KB 1062) to my maindomain.tld, but then all my clients will get an error because it doesn't match their domain.... Agggg

    So how can I keep my clients from getting a certificate error when connecting to mail.clientdomain.tld while using IMAP-SSL?

    Outlook 2007 and Outlook 2010 won't connect to the IMAP server without using SSL!?!?
     
  4. Faris Raouf

    Well, it is all a matter of how you sell it to them.

    Basically, you can just tell them to set their IMAP server address to mydomain.tld. From their point of view, it is just a setting, like anything else. They know their hosting account is with you, so there should be no problem with them using that domain.

    You could, of course, register a special domain (e.g. generic-imap-server.com) and purchase and install a certificate for that if you wanted to be more generic and hide your company name. Again it is just a setting.

    Are you absolutely sure about Outlook? We've never, ever bothered with a certificate for email (we've been hosting using Plesk for a good 10 years now), and we have a lot of customers using IMAP and nobody has ever contacted us about certificate errors ** so far :) **.

    *** Test with a self-signed certificate before you purchase a real one, just to make sure everything works in the way you (and I) expect ***

    Faris.
     
  5. mconstable

    It is possible to get courier-imap to provide a different SSL certificate per domain. On Debian 6 it would be something like this assuming you have the original key and crt (figuring out which ones in /usr/local/psa/var/certificates/ is another story)...

    where xx.xx.xx.xx is the dedicated IP associated with yourdomain.com. You can check that the right certificate is being presented by using...

    It may even be possible to use SSL per domain with postfix using something like this in /etc/postfix/master.cf but I haven't got this to work yet, might need a later version of postfix perhaps (all on one line and Plesk may overwrite it)...

    Note the -o smtp_helo_name=yourdomain.com; this actually works on outgoing mail and should be provided by Plesk, because I have no idea how SPF hardfail can be used without that extra setting for virtual domains on virtual IPs; otherwise the default $myhostname from /etc/postfix/main.cf will be presented.

    If anyone has got this to work with postfix or has any suggestions then please post!
     
  6. zconsulting

    @mconstable:
    have you figured out how to get Postfix to use a different certificate for each IP?
    Thank you!
     
  7. mconstable

    @zconsulting: I gave up on Plesk long ago, so no, I never got a chance to test this for real, but the above snippet includes -o smtp_bind_address=xx.xx.xx.xx so I presume that, with the other settings, it would deliver a unique certificate per IP. HTH.
     
  8. zconsulting

    OK, I figured it out (thanks in large part to mconstable, and to this site).

    Here is how you bind a different security certificate to each IP.

    For POP/IMAP, all you have to do, as mconstable said, is add the certificates in the following format (where xx.xx.xx.xx is the IP address):
    Note: for me, using Plesk 11.5 on CentOS 6, the above path is simply /usr/share/ (not /usr/share/courier-imap/)

    Now, for postfix, here is what I did:
    Again, using Plesk 11.5 on CentOS 6, the end of the master.conf file (found in /etc/postfix/ directory) was as follows:

    This is most likely because I purchased the last 3 IPs after initial setup of the server.

    First, you need to create the certificate files; I just used the original .pem format. This means that if you have a .key file and a .cer file, you need to concat them into a .pem file, placing the key first. Then you place them in the /etc/postfix/ directory -- you can also create a new directory for your certificates, for example: /etc/postfix/ssl/
    Now, here is what it should look like to get a unique certificate on each IP.

     
    Last edited: May 28, 2014
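
The two steps described in posts 5 and 8 above (combining a key and certificate into one key-first .pem per IP, then checking which certificate each IP actually presents), as an added example that is not code from the thread or from Plesk. The function names, the 192.0.2.10.pem file name and the addresses are assumptions, and the last three functions need the openssl command-line tool.

```sh
#!/bin/sh
# Added example: file names, directories and addresses are placeholders.

# build_pem KEY CERT OUT: write a key-first combined PEM readable by its owner only.
build_pem() {
    # Catch swapped arguments: KEY must hold a private key, CERT a certificate.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" ||
        { echo "no private key in $1" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$2" ||
        { echo "no certificate in $2" >&2; return 1; }
    # OUT contains the private key: recreate it under umask 077 (mode 600).
    ( umask 077 && rm -f "$3" && cat "$1" "$2" > "$3" )
}

# key_matches_cert PEM: succeed only if the key and the certificate in PEM
# carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# served_fp IP PORT [PROTO]: SHA-256 fingerprint of the certificate a listener
# presents. PROTO (smtp, imap or pop3) enables STARTTLS on plaintext ports.
served_fp() {
    openssl s_client -connect "$1:$2" ${3:+-starttls "$3"} </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# check_ip PEM IP PORT [PROTO]: succeed if the listener on IP presents the
# certificate stored in PEM.
check_ip() {
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ -n "$want" ] && [ "$want" = "$(served_fp "$2" "$3" "$4")" ]
}

# Usage with constructed values (192.0.2.10 is a documentation address):
#   build_pem example.key example.cer /etc/postfix/ssl/192.0.2.10.pem
#   key_matches_cert /etc/postfix/ssl/192.0.2.10.pem
#   check_ip /etc/postfix/ssl/192.0.2.10.pem 192.0.2.10 993        # IMAPS
#   check_ip /etc/postfix/ssl/192.0.2.10.pem 192.0.2.10 25 smtp    # SMTP + STARTTLS
```

Connecting by IP address rather than by host name is what exercises the per-IP selection, so run check_ip once for every address and port the server listens on.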
  9. MrRay

    zconsulting,

    Do you have any suggestions on what the Postfix configuration file would look like in Plesk 12? I successfully bound each IP to a separate SSL certificate in Dovecot (for IMAP/POP3), but cannot seem to adopt your suggestions above for a Plesk 12 Postfix configuration file.

    Hoping you have some suggestions.

    Thanks
     