burnley
Regular Pleskian
TITLE
Obsidian on CentOS 7: Plesk generates broken Dovecot configuration if client tries to secure email with invalid ssl certificate
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
18.0.23 CentOS 7 1800200130.12
PROBLEM DESCRIPTION
We had a client today fiddling with the SSL/TLS Certificates feature, and they ended up with an entry that contains the CSR and key components. No certificate and no CA certificate. However, that didn't prevent the client from [ab]using the "Secure Email" option, which generated this type of configuration in /etc/dovecot/conf.d/14-plesk-sni-mail.domain.com.au.conf:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
local_name mail.domain.com.au {
ssl_cert = </usr/local/psa/var/certificates/
ssl_key = </usr/local/psa/var/certificates/
}
See the path: it's missing the filename, and "systemctl status dovecot" was displaying:
Apr 02 15:47:51 plesk systemd[1]: Started Dovecot IMAP/POP3 email server.
Apr 02 15:47:51 plesk dovecot[25966]: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/14-plesk-sni-domain.com.au.conf line 7: ssl_cert: r...a directory
Apr 02 15:47:51 plesk systemd[1]: dovecot.service: main process exited, code=exited, status=89/n/a
Apr 02 15:47:52 plesk doveadm[25971]: Fatal: Dovecot is not running (read from /var/run/dovecot/master.pid)
It's a very serious issue: any client can break the IMAP/POP3 server if they don't quite know how to handle the SSL certificate in the panel. Plesk should do some validation here.
One more question: is there a switch we can use to disable the "Secure Email" feature in Plesk? We don't need it: all our Plesk servers are behind mail proxies, and the clients can't access the SMTP, POP3 and IMAP ports on the Plesk servers directly, hence this feature is redundant for us.
STEPS TO REPRODUCE
- Log in as client in Plesk and select a domain with mail service enabled.
- Go to SSL/TLS Certificates -> Advanced Settings -> Add SSL/TLS Certificate and fill in the basic information. As "Certificate name" use "half_baked_bundle".
- Select the "Request" option. *NOT* Self-signed! Plesk will create the half-baked SSL bundle that's missing the certificate and CA components.
- Select the half_baked_bundle and click "Secure Mail". Dovecot configuration breaks at this point.
ACTUAL RESULT
Plesk generates an incomplete SSL bundle and allows the client to select it and click "Secure Mail", which breaks the POP3/IMAP service server-wide.
EXPECTED RESULT
Plesk implements some validation before allowing anyone to use a certificate for securing email & webmail.
ANY ADDITIONAL INFORMATION
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Confirm bug
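A pre-flight check for the failure mode described in the report, as an added example that is not code from the original post or from Plesk: it scans the Plesk-generated 14-plesk-sni-*.conf snippets and flags any ssl_cert / ssl_key whose "<path" target is a directory or not a regular file, so a broken snippet is caught before Dovecot is restarted. The file name pattern and default directory are taken from the report; the function names and the layout of the check are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Plesk: a pre-flight
# check for Plesk-generated Dovecot SNI snippets. It flags any ssl_cert /
# ssl_key setting whose "<path" target is not a regular file, such as the
# bare certificates directory shown in the report, so a broken snippet is
# caught before Dovecot is restarted. The file name pattern and the default
# directory are taken from the report; everything else is assumed.

# check_sni_conf FILE: print one line per bad ssl_cert/ssl_key setting,
# return 1 if any were found, 0 otherwise.
check_sni_conf() {
    conf="$1"
    # Dovecot's "<path" syntax means "read the value from this file";
    # pull out the setting name and the path that follows the "<".
    bad=$(
        sed -nE 's/^[[:space:]]*(ssl_cert|ssl_key)[[:space:]]*=[[:space:]]*<(.*)$/\1 \2/p' "$conf" |
        while read -r setting path; do
            if [ -z "$path" ]; then
                echo "$setting: empty path"
            elif [ -d "$path" ]; then
                echo "$setting: $path is a directory, not a file"
            elif [ ! -f "$path" ]; then
                echo "$setting: $path does not exist"
            elif [ ! -s "$path" ]; then
                echo "$setting: $path is empty"
            fi
        done
    )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# check_sni_dir [DIR]: run the check over every 14-plesk-sni-*.conf in DIR
# (default /etc/dovecot/conf.d), prefixing findings with the file name.
check_sni_dir() {
    dir="${1:-/etc/dovecot/conf.d}"
    rc=0
    for f in "$dir"/14-plesk-sni-*.conf; do
        [ -e "$f" ] || continue   # the glob matched nothing
        out=$(check_sni_conf "$f") || {
            rc=1
            printf '%s\n' "$out" | sed "s|^|$f: |"
        }
    done
    return $rc
}
```

Run `check_sni_dir` before `systemctl restart dovecot`, or alongside `doveconf -n >/dev/null`, which fails on the same broken snippet the journal entry shows.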