Issue Plesk Mail Only SSL Still Not Functioning Properly

[Ladylinux]

Server operating system version

Debian 11

Plesk version and microupdate number

18.0.68 #2

Hi,

This is maddening to say the least.

With a "New" mail only domain and the latest SSL It! (Version 1.16.4-5304) Lets Encrypt (3.2.9-4791 (14 January 2025)) extensions one can not secure properly a clients mail server.

SSL binds webmail.customerdomain.tld Cert to mail.customerdomain.tld mail services unless you deselect "secure webmail" when issuing a ssl certificate

If you do this deselect webmail is no longer ssl protected but mail.customerdomain.tld mail services now have the right certificate

This is not what should happen right ??

Thanks,

LadyLinux

 

[Ladylinux]

Hi,

So no one else sees this ??

I think it is significant enough but maybe its not

LadyLinux

 

[alvarezcruz]

Just reproduced it on my end. It does assign webmail to the mail service, so it doesn't match the MX record. I'll see if we can forward it to the dev team.

 

[Ladylinux]

Just reproduced it on my end. It does assign webmail to the mail service, so it doesn't match the MX record. I'll see if we can forward it to the dev team.

Any further on this issue ??

Thanks!!

LadyLinux

 

[Sebahat.hadzhi]

Hello, @Ladylinux . Apologies for not following up on this matter earlier. After further review and evaluation, our team decided that the behavior does not classify as a bug and therefore, will not be reworked, at the time being. The certificate contains both names - webmail.example.com and mail.example.com - as Subject Alternative Names and it works for all required services. The domain name for the certificate name is taken from the certificate's Common Name and it's not possible to put all the included SANs into the certificate name.

 

[Ladylinux]

Hello, @Ladylinux . Apologies for not following up on this matter earlier. After further review and evaluation, our team decided that the behavior does not classify as a bug and therefore, will not be reworked, at the time being. The certificate contains both names - webmail.example.com and mail.example.com - as Subject Alternative Names and it works for all required services. The domain name for the certificate name is taken from the certificate's Common Name and it's not possible to put all the included SANs into the certificate name.

Hi,

Thanks

I think what threw my users off was that the URL https://mail.domain.tld has the default server cert assigned and that throws my users off who expect that to have a valid cert. That made me dig deeper. I saw webmail.domain.tld assigned to mail services when running command line tools and missed the alternate names. IMHO it should be mail.domain.tld as the primary and webmail.domain.tld as alternate. Since most debugging of mail services (Well in my case) is done using mail.domain.tld

It does appear however that it works for mail clients.

FYI

This article

https://support.plesk.com/hc/en-us/articles/12377663714711-How-to-verify-that-SSL-for-IMAP-POP3-SMTP-works-and-a-proper-SSL-certificate-is-in-use

Note you expect mail.domain.tld to be returned but you only get webmail.domain.tld returned. Thus adding to the confusion when debugging.

Thanks!!

LadyLinux

 

[Ladylinux]

FYI

Appending this to those commands verify's alternate names

2>/dev/null | openssl x509 -noout -ext subjectAltName

Like so

openssl s_client -starttls smtp -showcerts -connect mail.domain.tld:25 -servername mail.domain.tld 2>/dev/null | openssl x509 -noout -ext subjectAltName

LadyLinux