Issue Plesk Mail Only SSL Still Not Functioning Properly

Ladylinux · Mar 31, 2025

Hi,

This is maddening to say the least.

With a "New" mail only domain and the latest SSL It! (Version 1.16.4-5304) Lets Encrypt (3.2.9-4791 (14 January 2025)) extensions one can not secure properly a clients mail server.

SSL binds webmail.customerdomain.tld Cert to mail.customerdomain.tld mail services unless you deselect "secure webmail" when issuing a ssl certificate

If you do this deselect webmail is no longer ssl protected but mail.customerdomain.tld mail services now have the right certificate

This is not what should happen right ??

Thanks,

LadyLinux

Ladylinux · Apr 16, 2025

Hi,

So no one else sees this ??

I think it is significant enough but maybe its not

LadyLinux

alvarezcruz · Apr 16, 2025

Just reproduced it on my end. It does assign webmail to the mail service, so it doesn't match the MX record. I'll see if we can forward it to the dev team.

Ladylinux · 2025-06-17T07:28:08-0700

alvarezcruz said:
Just reproduced it on my end. It does assign webmail to the mail service, so it doesn't match the MX record. I'll see if we can forward it to the dev team.

Any further on this issue ??

Thanks!!

LadyLinux

Sebahat.hadzhi · 2025-06-18T01:06:43-0700

Hello, @Ladylinux . Apologies for not following up on this matter earlier. After further review and evaluation, our team decided that the behavior does not classify as a bug and therefore, will not be reworked, at the time being. The certificate contains both names - webmail.example.com and mail.example.com - as Subject Alternative Names and it works for all required services. The domain name for the certificate name is taken from the certificate's Common Name and it's not possible to put all the included SANs into the certificate name.

Ladylinux · 2025-06-18T06:02:07-0700

Sebahat.hadzhi said:
Hello, @Ladylinux . Apologies for not following up on this matter earlier. After further review and evaluation, our team decided that the behavior does not classify as a bug and therefore, will not be reworked, at the time being. The certificate contains both names - webmail.example.com and mail.example.com - as Subject Alternative Names and it works for all required services. The domain name for the certificate name is taken from the certificate's Common Name and it's not possible to put all the included SANs into the certificate name.

Hi,

Thanks

I think what threw my users off was that the URL https://mail.domain.tld has the default server cert assigned and that throws my users off who expect that to have a valid cert. That made me dig deeper. I saw webmail.domain.tld assigned to mail services when running command line tools and missed the alternate names. IMHO it should be mail.domain.tld as the primary and webmail.domain.tld as alternate. Since most debugging of mail services (Well in my case) is done using mail.domain.tld

It does appear however that it works for mail clients.

FYI

This article

https://support.plesk.com/hc/en-us/articles/12377663714711-How-to-verify-that-SSL-for-IMAP-POP3-SMTP-works-and-a-proper-SSL-certificate-is-in-use

Note you expect mail.domain.tld to be returned but you only get webmail.domain.tld returned. Thus adding to the confusion when debugging.

Thanks!!

LadyLinux

Ladylinux · 2025-06-18T06:11:07-0700

FYI

Appending this to those commands verify's alternate names

2>/dev/null | openssl x509 -noout -ext subjectAltName

Like so

openssl s_client -starttls smtp -showcerts -connect mail.domain.tld:25 -servername mail.domain.tld 2>/dev/null | openssl x509 -noout -ext subjectAltName

LadyLinux

Issue Plesk Mail Only SSL Still Not Functioning Properly

Ladylinux

Basic Pleskian

Ladylinux

Basic Pleskian

alvarezcruz

Lead Engineer

Ladylinux

Basic Pleskian

Sebahat.hadzhi

Community Manager

Ladylinux

Basic Pleskian

Ladylinux

Basic Pleskian

Similar threads