• Dear Pleskians! The Plesk Forum will be undergoing scheduled maintenance on Monday, 7th of July, at 9:00 AM UTC. The expected maintenance window is 2 hours.
    Thank you in advance for your patience and understanding on the matter.

Issue Plesk Mail Only SSL Still Not Functioning Properly

Ladylinux

Basic Pleskian
Server operating system version
Debian 11
Plesk version and microupdate number
18.0.68 #2
Hi,

This is maddening to say the least.

With a "New" mail only domain and the latest SSL It! (Version 1.16.4-5304) Lets Encrypt (3.2.9-4791 (14 January 2025)) extensions one can not secure properly a clients mail server.

SSL binds webmail.customerdomain.tld Cert to mail.customerdomain.tld mail services unless you deselect "secure webmail" when issuing a ssl certificate

If you do this deselect webmail is no longer ssl protected but mail.customerdomain.tld mail services now have the right certificate

This is not what should happen right ??

Thanks,

LadyLinux
 
Just reproduced it on my end. It does assign webmail to the mail service, so it doesn't match the MX record. I'll see if we can forward it to the dev team.
 
Hello, @Ladylinux . Apologies for not following up on this matter earlier. After further review and evaluation, our team decided that the behavior does not classify as a bug and therefore, will not be reworked, at the time being. The certificate contains both names - webmail.example.com and mail.example.com - as Subject Alternative Names and it works for all required services. The domain name for the certificate name is taken from the certificate's Common Name and it's not possible to put all the included SANs into the certificate name.
 
Hello, @Ladylinux . Apologies for not following up on this matter earlier. After further review and evaluation, our team decided that the behavior does not classify as a bug and therefore, will not be reworked, at the time being. The certificate contains both names - webmail.example.com and mail.example.com - as Subject Alternative Names and it works for all required services. The domain name for the certificate name is taken from the certificate's Common Name and it's not possible to put all the included SANs into the certificate name.
Hi,

Thanks

I think what threw my users off was that the URL https://mail.domain.tld has the default server cert assigned and that throws my users off who expect that to have a valid cert. That made me dig deeper. I saw webmail.domain.tld assigned to mail services when running command line tools and missed the alternate names. IMHO it should be mail.domain.tld as the primary and webmail.domain.tld as alternate. Since most debugging of mail services (Well in my case) is done using mail.domain.tld

It does appear however that it works for mail clients.

FYI

This article


Note you expect mail.domain.tld to be returned but you only get webmail.domain.tld returned. Thus adding to the confusion when debugging.

Thanks!!

LadyLinux
 
FYI

Appending this to those commands verify's alternate names

2>/dev/null | openssl x509 -noout -ext subjectAltName

Like so

openssl s_client -starttls smtp -showcerts -connect mail.domain.tld:25 -servername mail.domain.tld 2>/dev/null | openssl x509 -noout -ext subjectAltName

LadyLinux
 
Back
Top