Issue plesk postfix TLS SNI smtp.mydomain.de from unknown [..] not matched, using default chain

[PeterKi]

My system log always lists the above errors.
I am running Ubuntu 16.04.6 LTS with Plesk Obsidian Version 18.0.23 Update #2 with 2 domains and lets encrypt certificates.
I followed the guide at How to secure a Plesk mail server with different SSL certificates (SNI support)
If I run the given scriptlet on mydomains
echo 'Q' | openssl s_client -connect localhost:465 -servername mydomain -showcerts 2>&1 | grep -Eo 'CN=[^/]+' | uniq
I get the expected results
CN=mydomain.de
CN=Let's Encrypt Authority X3
CN=DST Root CA X3
What can I do do to get rid of these errors?

 

[Jllynch]

We are getting the same issue on
CentOS Linux 7.9.2009 (Core)
Plesk Obsidian Version 18.0.34 Update #2

We are only doing the email for the domain so can't get a letsencrypt cert to install.
Under the email settings
SSL/TLS certificate for mail says "not selected"
And there is nothing to be selected in the drop down.

 

[IgorG]

Looks like Postfix uses the default SNI chain since no SNI configuration exists for smtp.mydomain.de
Check it with:

# postmap -s /var/spool/postfix/plesk/certs | awk '{print $1}' | grep mydomain.de

As a possible workaround try to Change the MX record for mydomain.de to mail.mydomain.de or mydomain.de:

# dig MX mydomain.de +short
10 mail.mydomain.de.
5 mydomain.de.

 

[Bitpalast]

@Jllynch In your setup, the "error" message is the expected behavior and correct. There is no issue, it is simply a statement that no SNI configuration is present for smtp.yourdomain.tld. It's not harmful to the traffic.

For the original poster the same is true, because in his certificate he has not secured "smtp.domain.tld", but "domain.tld", so there is no matching cert for the wrong SMTP server name that he was using. The log message is merely a warning, but mail still works even if there is no match for the certificate.

 

[Jllynch]

@Jllynch In your setup, the "error" message is the expected behavior and correct. There is no issue, it is simply a statement that no SNI configuration is present for smtp.yourdomain.tld. It's not harmful to the traffic.

For the original poster the same is true, because in his certificate he has not secured "smtp.domain.tld", but "domain.tld", so there is no matching cert for the wrong SMTP server name that he was using. The log message is merely a warning, but mail still works even if there is no match for the certificate.

Is there a way to issue a Let'sEncrypt cert when the hosting and DNS is elsewhere for a domain? It can't just put a file in the root of their web for authentication...

 

[Bitpalast]

Domain validated certificates are called domain validated, because they require to have a domain (with disk space) for their validation. If the web space is not hosted on the system, the Let's Encrypt token file cannot be written or read, hence the certificate cannot be issued for the server.