Resolved PLESK 18.0.60 Problems to configure mails / Certificates, etc.

[paddaone1]

Server operating system version

Debian 11

Plesk version and microupdate number

18.0.60

Hello Everyone,
I have been hosting for a few years a PLESK Obsidian server on Debian 11.0 on which there are a few domains for friends and family.
Each domain has its own mail system activated and a few email addresses.
The server name is "serveur001.domain.com" and has a fixed public address (185.156.x.x).
Each hosted domain shares this public address.
Most domains DNSs are managed with cloudflare and name servers are identified as cloudflare's.
For DNS records :
toto.com MX mail.toto.com
mail A 185.156.x.x
The certificate for the server is the one provided by cloudflare but each hosted domain uses a Let's encrypt free certificate.
In the mail setup of each domain, the let's encrypt certificate is selected to protect the mail system of this domain.
That's where the problem is.
Impossible to setup a thunderbird mail client. Everytime Tbird says that the certificate is not valid.
Setup in Tbird is as follows :
IMAP
Server : mail.toto.com
Port 993
SSL/TLS
Use identifiers (login - full email address and passwrd)

Everytime Thunderbird tries to connect to the server and comes back as certificate for mail.toto.com is not valid for this server. Someone could use the identity of this server blablabla.
I tried changing the mail.toto to toto.com, change to STARTTLS, no dice.
It only works when I check the "no security" and then it connects.
What can I do to improve security of the email client and use SSL/TLS in Thunderbird?
Thank you for your help!

 

[Kaspar]

The mail. prefix/subdomain isn't secured with a certificate. Only the the second level domain is (the main domain, eg: example.com) is secured with an certificate for mail connections. However since your using Cloudflare and probably enabled proxying (if I am understand you correctly), connecting to the domain name itself won't work.

Instead you can try to use the server hostname (serveur001.domain.com) as the host for mail connections. Or did you setup an cloudflare certificate for the server hostname? If that's the case you could consider adding separate domain in Plesk which you use for mail connections (smtp, pop, imap). Not proxying that domain with Cloudflare.

 

[paddaone1]

The mail. prefix/subdomain isn't secured with a certificate. Only the the second level domain is (the main domain, eg: example.com) is secured with an certificate for mail connections. However since your using Cloudflare and probably enabled proxying (if I am understand you correctly), connecting to the domain name itself won't work.

Instead you can try to use the server hostname (serveur001.domain.com) as the host for mail connections. Or did you setup an cloudflare certificate for the server hostname? If that's the case you could consider adding separate domain in Plesk which you use for mail connections (smtp, pop, imap). Not proxying that domain with Cloudflare.

Thank you for your helpful answer.
None of the email dns records are proxied as shown in attached image. I think that, as you suggested I'll try and create records for imap and smtp in plesk and cloudflare, not proxied and attach a certificate to it.
I'll be back

 

[Kaspar]

I think you might have understood me wrong. The mail.<youdomain> domain does not get secured by Plesk. Instead you have to use the domain itself (eg. example.com) for mail connections. But that domain is proxies (according to your screenshot), so it cannot be used for mail connections.

The alternative is the use the server hostname (serveur001.domain.com) as the mail host in Thunderbird for mail connections.

 

[paddaone1]

I think you might have understood me wrong. The mail.<youdomain> domain does not get secured by Plesk. Instead you have to use the domain itself (eg. example.com) for mail connections. But that domain is proxies (according to your screenshot), so it cannot be used for mail connections.

The alternative is the use the server hostname (serveur001.domain.com) as the mail host in Thunderbird for mail connections.

Hello again!
I am sorry but I tried and... Doesn't work!
I created imap.domain.com
Created a let's encrypt certificate for it
Pointed MX to imap.domain.com in cloudflare, and plesk
In plesk, attached the new certificate to mail system (not webmail covered by cloudflare)
When changing setup in Tbird (imap server is imap.domain.com port 993), Tbird says certificate not valid
Certifcate in Tbird says it's a lets encrypt by DNS names are the root such as www.domain.com, domain.com and webmail.domain.com (WHY???)
I have attached the different steps as screen captures.
What am I missing or not understand?

 

[Kaspar]

I highly recommend using the server hostname (serveur114.domain.com) as the mail host in Thunderbird for your mail connections. As that is the easiest solution, without any need to change any settings in Plesk.

However, if you really like to use imap.domain.com instead, that's possible too. In order for that to work, you only have to add imap.domain.com as a separate subscription (hosted domain) in Plesk. Not as an sub domain of domain.com. Secondly the Let's encrypt certificate for imap.domain.com has to include IMAP, POP, SMTP. That's all. No need to change MX records or any SSL settings for the primary domain.

 

[mow]

or you could just use webmail.domain.com for imap and smtp ...

 

[paddaone1]

Thank you all for your answers. It works now even though I don't understand why...
I changed the imap and smto to serveur001.domain.com but it did not work.
For some reason I changed the default certificate to the let's encrypt one and now it works fine. Even though the certificate that has *.domain.com and domain.com is provided and setup by/in cloudflare, not let's encrypt.
Now imap and smtp are serveur001.domain.com and no problem.
Thank you again!!!

 

[mow]

For some reason I changed the default certificate to the let's encrypt one and now it works fine. Even though the certificate that has *.domain.com and domain.com is provided and setup by/in cloudflare, not let's encrypt.
Now imap and smtp are serveur001.domain.com and no problem.
Thank you again!!!

As long as the A/AAAA records for serveur001.domain.com do not point to cloudflare, that is not a problem.
You can use the same certificate on different servers. You can also use different certificates as long as the issuer is not forbidden via CAA record in DNS.
You can even use different certificates for the same service, but then some clients will complain because that looks like a MitM attack.