• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Please be aware: Kaspersky Anti-Virus has been deprecated and is no longer available for installation on the current Plesk release (18.0.63).
    Starting from Plesk Obsidian 18.0.64, the extension will be automatically removed from the servers it is installed on. For details and recommended actions, see the Feature and Deprecation Plan and the deprecation FAQ.

Resolved PLESK 18.0.60 Problems to configure mails / Certificates, etc.

P

paddaone1

New Pleskian
Server operating system version
Debian 11
Plesk version and microupdate number
18.0.60
Hello Everyone,
I have been hosting for a few years a PLESK Obsidian server on Debian 11.0 on which there are a few domains for friends and family.
Each domain has its own mail system activated and a few email addresses.
The server name is "serveur001.domain.com" and has a fixed public address (185.156.x.x).
Each hosted domain shares this public address.
Most domains DNSs are managed with cloudflare and name servers are identified as cloudflare's.
For DNS records :
toto.com MX mail.toto.com
mail A 185.156.x.x
The certificate for the server is the one provided by cloudflare but each hosted domain uses a Let's encrypt free certificate.
In the mail setup of each domain, the let's encrypt certificate is selected to protect the mail system of this domain.
That's where the problem is.
Impossible to setup a thunderbird mail client. Everytime Tbird says that the certificate is not valid.
Setup in Tbird is as follows :
IMAP
Server : mail.toto.com
Port 993
SSL/TLS
Use identifiers (login - full email address and passwrd)

Everytime Thunderbird tries to connect to the server and comes back as certificate for mail.toto.com is not valid for this server. Someone could use the identity of this server blablabla.
I tried changing the mail.toto to toto.com, change to STARTTLS, no dice.
It only works when I check the "no security" and then it connects.
What can I do to improve security of the email client and use SSL/TLS in Thunderbird?
Thank you for your help!
 
The mail. prefix/subdomain isn't secured with a certificate. Only the the second level domain is (the main domain, eg: example.com) is secured with an certificate for mail connections. However since your using Cloudflare and probably enabled proxying (if I am understand you correctly), connecting to the domain name itself won't work.

Instead you can try to use the server hostname (serveur001.domain.com) as the host for mail connections. Or did you setup an cloudflare certificate for the server hostname? If that's the case you could consider adding separate domain in Plesk which you use for mail connections (smtp, pop, imap). Not proxying that domain with Cloudflare.
 
Kaspar said:
The mail. prefix/subdomain isn't secured with a certificate. Only the the second level domain is (the main domain, eg: example.com) is secured with an certificate for mail connections. However since your using Cloudflare and probably enabled proxying (if I am understand you correctly), connecting to the domain name itself won't work.

Instead you can try to use the server hostname (serveur001.domain.com) as the host for mail connections. Or did you setup an cloudflare certificate for the server hostname? If that's the case you could consider adding separate domain in Plesk which you use for mail connections (smtp, pop, imap). Not proxying that domain with Cloudflare.
Click to expand...
Thank you for your helpful answer.
None of the email dns records are proxied as shown in attached image. I think that, as you suggested I'll try and create records for imap and smtp in plesk and cloudflare, not proxied and attach a certificate to it.
I'll be back :)
 

Attachments

  • DNS.png
    DNS.png
    219.3 KB · Views: 4
I think you might have understood me wrong. The mail.<youdomain> domain does not get secured by Plesk. Instead you have to use the domain itself (eg. example.com) for mail connections. But that domain is proxies (according to your screenshot), so it cannot be used for mail connections.

The alternative is the use the server hostname (serveur001.domain.com) as the mail host in Thunderbird for mail connections.
 
Kaspar said:
I think you might have understood me wrong. The mail.<youdomain> domain does not get secured by Plesk. Instead you have to use the domain itself (eg. example.com) for mail connections. But that domain is proxies (according to your screenshot), so it cannot be used for mail connections.

The alternative is the use the server hostname (serveur001.domain.com) as the mail host in Thunderbird for mail connections.
Click to expand...
Hello again!
I am sorry but I tried and... Doesn't work!
I created imap.domain.com
Created a let's encrypt certificate for it
Pointed MX to imap.domain.com in cloudflare, and plesk
In plesk, attached the new certificate to mail system (not webmail covered by cloudflare)
When changing setup in Tbird (imap server is imap.domain.com port 993), Tbird says certificate not valid
Certifcate in Tbird says it's a lets encrypt by DNS names are the root such as www.domain.com, domain.com and webmail.domain.com (WHY???)
I have attached the different steps as screen captures.
What am I missing or not understand?
 

Attachments

  • 1 - In Plesk DNS not good.png
    1 - In Plesk DNS not good.png
    74.6 KB · Views: 7
  • 2 - Cloudflare Name Servers.png
    2 - Cloudflare Name Servers.png
    182.1 KB · Views: 8
  • 3 - Mail settings in Plesk.png
    3 - Mail settings in Plesk.png
    148.8 KB · Views: 7
  • 4 - Config given by Plesk.png
    4 - Config given by Plesk.png
    159 KB · Views: 6
  • 5 - Config in Cloudflare.png
    5 - Config in Cloudflare.png
    203.8 KB · Views: 6
  • 6 - Plesk selection of certificate.png
    6 - Plesk selection of certificate.png
    101.5 KB · Views: 9
  • 7 - Tbird will not take it.jpg
    7 - Tbird will not take it.jpg
    105.2 KB · Views: 7
  • 8 - Why root.jpg
    8 - Why root.jpg
    87.7 KB · Views: 6
I highly recommend using the server hostname (serveur114.domain.com) as the mail host in Thunderbird for your mail connections. As that is the easiest solution, without any need to change any settings in Plesk.

However, if you really like to use imap.domain.com instead, that's possible too. In order for that to work, you only have to add imap.domain.com as a separate subscription (hosted domain) in Plesk. Not as an sub domain of domain.com. Secondly the Let's encrypt certificate for imap.domain.com has to include IMAP, POP, SMTP. That's all. No need to change MX records or any SSL settings for the primary domain.
 
Last edited:
Thank you all for your answers. It works now even though I don't understand why...
I changed the imap and smto to serveur001.domain.com but it did not work.
For some reason I changed the default certificate to the let's encrypt one and now it works fine. Even though the certificate that has *.domain.com and domain.com is provided and setup by/in cloudflare, not let's encrypt.
Now imap and smtp are serveur001.domain.com and no problem.
Thank you again!!!
 
paddaone1 said:
For some reason I changed the default certificate to the let's encrypt one and now it works fine. Even though the certificate that has *.domain.com and domain.com is provided and setup by/in cloudflare, not let's encrypt.
Now imap and smtp are serveur001.domain.com and no problem.
Thank you again!!!
Click to expand...
As long as the A/AAAA records for serveur001.domain.com do not point to cloudflare, that is not a problem.
You can use the same certificate on different servers. You can also use different certificates as long as the issuer is not forbidden via CAA record in DNS.
You can even use different certificates for the same service, but then some clients will complain because that looks like a MitM attack.
 
You must log in or register to reply here.

Similar threads

R
Issue SSL/TLS cert for mail server not updating (Lets Encrypt)
Replies
2
Views
524
tessa67
T
futureweb
Question Issues with SSL Certificate Renewal for Mail Services in Plesk: Seeking Automated Solution via CLI or API
Replies
8
Views
909
futureweb
futureweb
S
Question Mail subdomains with wrong TLS certificate (e.g. imap.example.tld)
Replies
1
Views
476
Kaspar
K
W
Issue Problems with changing Domain IP address.
Replies
0
Views
584
wyga
W
carlsson
Issue Can't issue SSL certificate!? Help!
Replies
5
Views
735
Peter Debik
P
Back
Top