
Issue Mails only possible with a wildcard certificate

Polli

Basic Pleskian
Server operating system version
Debian 12.9
Plesk version and microupdate number
18.0.67#3
I have made a server move. This has worked so far. My server is running as a hidden primary DNS which was set up without any problems.
Plesk is set up with one of my domains as FQDN. However, this only runs with a wildcard certificate although all entries seem to be set correctly.
One of my domains at my registrar is: leagues-united.de
Plesk has the hostname/ FQDN: mail.leagues-united.de
I have created a subdomain (mail.leagues-united.de) for Plesk and merged it with the certificate of the main domain (leagues-united.de). I selected the domain certificate in the SSL/TLS settings. However, without a wildcard, I can only access the Plesk panel via the IP. So now I have a wildcard certificate. However, I do not want to use this because the hidden primary setup does not forward these entries to the registrar quickly enough when the certificate is renewed and the certificate update fails.
Also, I have a problem with the mail server. The server still has its default settings for Postfix and Dovecot. No mail service is possible with a normal certificate. The following error message appears:

Code:
dovecot [1227447]
imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 1 secs): user=<>, rip=176.4.176.83, lip=85.25.46.232, TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42, session=<bPU4Bn4v6b6wBLBT>

I can send and receive mails with a wildcard certificate. But that's not what I want. What can I do so that the configuration is correct and a wildcard certificate is not necessary on all domains and hostname?

When I test my domains, I get the following results. This is currently with wildcard certificates.

Screenshot 2025-03-04 074347.png Screenshot 2025-03-04 074311.png Screenshot 2025-03-04 074424.png Screenshot 2025-03-04 074445.png

Thanks for your help
 
I am not sure if I understand what you're trying to achieve exactly. Can you explain what your precise goal is here?
 
~~~
I can send and receive mails with a wildcard certificate. But that's not what I want. What can I do so that the configuration is correct and a wildcard certificate is not necessary on all domains and hostname?
~~~
The content of the initial post is a bit confusing to read (phrasing etc) but this ^^ part of it, seems relatively clear enough, so some comments / question below

A) Depending on the test criteria applied, there's no MTA-STS / DNSSEC / DANE been applied yet to the Plesk hostname/ FQDN: mail.leagues-united.de
(or the FQDN domain: leagues-united.de). Go to //email/testTo: and add these parameters (and / or many others too) that are available under the "other options" section, then run the test. You can also go to dnscheck.tools - check your dns resolvers too, but only from a browser that's running on your chosen Plesk hostname/ FQDN (not a local / remote device etc). Neither of these however, are the answer to the above question.

B) There seems to be nothing wrong with the main DNS data, including the PTR to that chosen Plesk hostname/ FQDN but there appears to not yet be a DNS record, when tested on Network Tools: DNS,IP,Email when using the MX Lookup section. Plus there's several different 'issues' when that same Plesk hostname/ FQDN is tested here: Test for modern Internet Standards like IPv6, DNSSEC, HTTPS, DMARC, STARTTLS and DANE. on both the 'website' and the 'mail' tests, but again, none of these are the answer to the above question.

C) It's not clear at this stage (from the initial post) as to what specific options you've already enabled via the Plesk Panel GUI (or maybe via CLI) e.g.
On here: https://mail.leagues-united.de:8443/cp/server/mail/settings which includes 'outgoing mail mode' options (relevant to header content / function)
Plus here too: https://mail.leagues-united.de:8443/admin/ssl-certificate/list e.g. Plesk / Mail / Default etc
A wildcard SSL certificate will normally always be required, if, your chosen Plesk hostname is a sub-domain, of one of your own hosted FQDN domains.

IF your actual requirement IS; To send e-mails, using the Plesk hostname/ FQDN: mail.leagues-united.de as your mail server BUT you do NOT want the name of that sub-domain to appear anywhere in the header at all... then you would normally (but not mandatory) resolve all of the above first, then re-examine the specific requirement again - in detail.

FWIW We have added several header content related files within /etc/postfix/ to suit our own chosen mail config (which is what you may also choose to do eventually) but, we're more than happy with the chosen sub-domain(s) of any of the hosted FQDN domain(s), being the mail servers that are identified within any of the hosted domains' e-mails. They are all covered by Wildcard, Multi-Domain SAN SSL Certificates, so PTR and/or SSL Checks plus many other checks all become far easier once all of this is configured correctly.
 
~~~
I am not sure if I understand what you're trying to achieve exactly. Can you explain what your precise goal is here?
~~~
Sorry for confusing you. English is not my native language.

I moved my server to another one. I made a migration from Plesk to Plesk. I set every config the same as on my old server. But I get issues with the certificate.
I then removed MTA-STS, DNSSEC and DANE to find out if this was the problem, but that was not the case. Only websites running fine. But I had to add wildcard to my certificates to get mails running. Without the wildcard my mail clients say that the certificate is invalid. On my old server I did not need to set wildcards for my certificate. Everything was running fine, except some small issues with DANE. But this I will solve later.

My question is, how I need to set up my server that I do not need wildcards for my certificates? Something must be wrong.

old server: FQDN (hostname/ Plesk Panel): mail.leagues-united.de - was running without a wildcard
new server: FQDN (hostname/ Plesk Panel): mail.leagues-united.de - needs a wildcard to work (why?)

old server: DOMAIN: mail.vlowee-vanlife.de -> MX = mail.vlowee-vanlife.de -> certificate = mail.vlowee-vanlife.de
new server: DOMAIN: mail.vlowee-vanlife.de -> MX = mail.vlowee-vanlife.de -> certificate = mail.leagues-united.de (this is wrong and I don't know where this comes from and why)

Hope this makes it a bit more clear.
 
~~~
Sorry for confusing you. English is not my native language.
~~~
English is not my native language either, so I am sure the confusion is partly on my side :)

This does clear things up, thank you. Just one more question, just to be sure:
~~~
old server: DOMAIN: mail.vlowee-vanlife.de -> MX = mail.vlowee-vanlife.de -> certificate = mail.vlowee-vanlife.de
~~~
Does the domain mail.vlowee-vanlife.de actually exist in Plesk? Or does only the primary domain vlowee-vanlife.de exist?
 
~~~
English is not my native language either, so I am sure the confusion is partly on my side :)

This does clear things up, thank you. Just one more question, just to be sure:

Does the domain mail.vlowee-vanlife.de actually exist in Plesk? Or does only the primary domain vlowee-vanlife.de exist?
~~~
mail.vlowee-vanlife.de is just an A record and the MX entry at my primary domain. The primary domain is vlowee-vanlife.de. I wrote this just to make clear that there might be a misconfiguration. I just get around this issue with a wildcard, which I don't want.
There are a lot more domains on my server which all have the same issue. This was not the case on my old server.
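
Added example, not part of the thread and not Plesk's code: a Python check of the name comparison a mail client performs, used to list which mail hostnames are served a certificate that does not name them. The SAN lists in `SAMPLE` are constructed from the description in the thread; `presented_names` assumes IMAPS on port 993 and a publicly trusted chain.

```python
import socket
import ssl

def name_matches(pattern: str, host: str) -> bool:
    """Certificate name vs. hostname: '*' only as the whole leftmost label, covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # '*.example.de' never covers 'example.de' or 'a.b.example.de'
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(san_names, host) -> bool:
    return any(name_matches(n, host) for n in san_names)

def presented_names(host: str, port: int = 993, timeout: float = 5.0):
    """Live check (needs network): DNS names in the certificate served for SNI=host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False    # chain is still verified; names are compared by covers()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def audit(presented: dict) -> list:
    """Map of {mail hostname: names presented} -> hostnames a strict client would reject."""
    return [host for host, names in presented.items() if not covers(names, host)]

# Constructed sample mirroring the thread: both mail hostnames get the same certificate.
SAMPLE = {
    "mail.leagues-united.de": ["leagues-united.de", "mail.leagues-united.de"],
    "mail.vlowee-vanlife.de": ["leagues-united.de", "mail.leagues-united.de"],
}

if __name__ == "__main__":
    print("mismatched:", audit(SAMPLE))
    # Against a real server: audit({h: presented_names(h) for h in SAMPLE})
```

A wildcard entry such as `*.leagues-united.de` changes the result only for hostnames one label below that domain, so it does not cover an MX hostname under a different domain.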
 