
Resolved Postfix gives wrong certificate

pvdv

New Pleskian
Server operating system version: Ubuntu 20.04.5 LTS
Plesk version and microupdate number: 18.0.52 Update #3
Hello!

Mail client gives error on certificate. And when I test with:
openssl s_client -connect domain.tld:465 | openssl x509 -text
then I see the certificate of the server, not the domain. And I did configure in Plesk to use the wildcard certificate of the domain.
Dovecot still gives the correct certificate on port 993.

Does anybody have a tip on how to get this right?

With regards!
 
Previously there were no complaints, and now only one person came with problems. The owner of the service asked me for help. And I don't know much about Plesk.

Many mailclients do not check for correct certificates, maybe some customers do not use SSL, others will use webmail, and some will not use the mail at all. So I am not sure...

Maybe it's possible to do something that reconfigures Postfix the way it was originally configured? There were many corrections in the /etc/postfix directory by many people.
 
The information provided is not sufficient to provide a solution. I think that when you write "mail client", you probably get a certificate mismatch warning. That is most likely due to users using a wrong server name, e.g. not the hostname for which a certificate exists, but something else like smtp.<their domainname>. Could you please find out the exact error message and post it here?
 
Yes, there is a certificate mismatch because the name in the certificate is not correct. I can reproduce it.

I can see with the "openssl" command that I get a certificate with the name of the server in it. And I would expect the name of the virtual domain of the customer. Something like smtp.customerdomain.tld or mail.customerdomain.tld.
openssl s_client -connect customerdomain.tld:465 | openssl x509 -text

Realize this has been my job for over 20 years; I know TLS certificates. But I don't know the way Plesk does virtual domain certificates in Postfix, and how to repair it when it's wrong...
 
By default, users on Plesk need to use the hostname as the outgoing and incoming mail server name. No prefixes such as mail., smtp., pop3., imap. etc. Just the plain, simple hostname. That is the same name that is used to log in to Plesk, just without the :8443 port. For that hostname, an SSL certificate should exist. If not, it can easily be created in Tools & Settings > Security > SSL/TLS certificates with the "+ Let's Encrypt" button. You can also select the correct "Certificate for Securing Mail" there, if it is not yet selected. This is the certificate that works for the hostname only.

In the "Mail Settings" of each domain you can check the box "Enable mail autodiscover" so that users won't need to attempt fantasy names for the mail server, but will automatically receive the correct hostname in their mail software when they add a mailbox to their mail client.

O.k., you have users who want to use their own domain name instead of the easy solution. This can also be done, but it needs extra configuration work. If you check the SNI checkbox "Assign the certificate to the mail domain" when creating a Let's Encrypt certificate for a specific domain and afterwards select that certificate for the "SSL/TLS certificate for mail" setting in the "Mail Settings" of that domain, your users can use their own domain name with SSL/TLS instead of the hostname, too. That is because then an SSL certificate exists and is used for the mail server that matches a user's domain. But they will still not be able to add prefixes to that domain name; it will only work for the domain name itself.
 
Maybe it is the default to use the hostname as SMTP server, but it is not normal for this provider. The users have been using their own domains for many years.
And it is not practical if you want to transfer a domain to another server: then the users have to change the SMTP server in their mail clients.

But, I found it! The word "SNI" in your mail did it. I found on another plesk server this line in /etc/postfix/main.cf:
tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs
And that line was missing on this server. I've added it, restarted Postfix, and now it works ;-)
 
But I wonder that "mail.domain.tld" and "domain.tld" give the correct certificate now, but for example "smtp.domain.tld" still gives the server certificate. I would like to know how this can be controlled. (All names are pointing to the same IP.)
 
It cannot be controlled like that in the current layout. You have one mail server name, and the most that can be done is to have this individualized for each domain. But you cannot in addition to it have subdomains and all these subdomains protected by an SSL certificate. There is a feature request for it, 'Add "mail.example.com" (mail subdomain) in Subject Alternative Names when option "Assign the certificate to mail domain" is selected', that you can vote for, but currently it only has a few votes. We'd also be interested in learning why it is important to add a subdomain to address the same IP. Why not simply use the domain name? It's the same host anyway.
 
We'd also be interested in learning why it is important to add a subdomain to address the same IP. Why not simply use the domain name? It's the same host anyway.
Because MUAs default to using subdomains for well-known services.
 
We'd also be interested in learning why it is important to add a subdomain to address the same IP. Why not simply use the domain name? It's the same host anyway.
1.) It helps to use the common subdomains (mail.example.com, smtp.example.com, etc.) when moving a domain's mail to/from one provider or server to/from another, without reconfiguring all the clients.
2.) It is almost an unofficial standard due to common usage of the prefixes.
3.) Some MUAs default to common mail subdomains (mail.example.com) when guessing server names.

When possible (when the server controls DNS), I create a wildcard cert with SSLit/Let's Encrypt. I assign that wildcard cert for mail. Then mail.example.com works fine. I also adjust the mail section, in the panel.ini, to use the "mail." prefix...

[mail]
clientConfig.userName = <username>@<domain>
clientConfig.incomingServer = mail.<domain>
clientConfig.outgoingServer = mail.<domain>

However, it would be nice if SSLit would allow adding the "mail." prefix to the non-wildcard certs, similar to the way it adds the "www." and "webmail." prefix.

-Bob
 
Thank you for these additional arguments. I have added a reference to them in an internal note to the Uservoice request. It will give the request more weight when it is evaluated what to add next.
 
By the way, the SNI configuration is broken, resulting in "postfix/smtpd[1611847]: TLS SNI server.com from client.de not matched, using default chain" every time SNI is used.
It still works because the default chain is the one for server.com, verified with "openssl s_client -connect server.com:465 -showcerts".
But it's just asking for trouble to do it that way. And it produces noise in the logs.
 
By the way, the SNI configuration is broken [...]
[...] verified with openssl s_client -connect server.com:465 -showcerts
[...]

I think it is much better to discuss the topic with some real data to show details. If you do not want to use details about your servers, let's use mine :)

Why do you not use the "-servername" option when checking SNI? In the example below, plesk.domain and mail.domain are different, but with the option, the mail service uses the correct certificate to protect the connection.
Code:
% openssl s_client -servername mail.plsktech.com -connect panel.plesk.website:465          
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = plsktech.com
verify return:1
write W BLOCK
---
Certificate chain
 0 s:/CN=plsktech.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...lots of symbols...]
-----END CERTIFICATE-----
subject=/CN=plsktech.com
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 5050 bytes and written 377 bytes
---
New, TLSv1/SSLv3, Cipher is AEAD-CHACHA20-POLY1305-SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : AEAD-CHACHA20-POLY1305-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1691520789
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
read R BLOCK
220 panel.plesk.website ESMTP Postfix (Ubuntu)

If I change "mail.plsktech.com" to something else, e.g. "mail2.plsktech.com", I will receive the default self-signed certificate:
Code:
[...]
Server certificate
-----BEGIN CERTIFICATE-----
[...lots of symbols again...]
-----END CERTIFICATE-----
subject=/C=CH/L=Schaffhausen/O=Plesk/CN=Plesk/[email protected]
issuer=/C=CH/L=Schaffhausen/O=Plesk/CN=Plesk/[email protected]
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 1434 bytes and written 378 bytes
---
New, TLSv1/SSLv3, Cipher is AEAD-CHACHA20-POLY1305-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : AEAD-CHACHA20-POLY1305-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1691521338
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
read R BLOCK
220 panel.plesk.website ESMTP Postfix (Ubuntu)
 
I think it is much better to discuss the topic with some real data to show details. If you do not want to use details about your servers, let's use mine :)

Why do you not use the "-servername" option when checking SNI?
Because it's not necessary when it's the same name. In the maillog I find the mentioned complaint about SNI, so that means SNI was used, right?
In the example below, plesk.domain and mail.domain are different, but with the option, the mail service uses the correct certificate to protect the connection.
Have you looked into the maillog? Should there be no message like above, I guess plesk only configures SNI for domains that differ from the default certificate?
 
Because it's not necessary when it's the same name.
Ah, yes, I agree!

---

Have you looked into the maillog? Should there be no message like above, I guess plesk only configures SNI for domains that differ from the default certificate?
No, but let's try one more time :)

1) An attempt with "openssl s_client -servername mail.plsktech.com -connect panel.plesk.website:465", log records:
Aug 9 06:34:27 panel postfix/smtpd[4027594]: connect from 192-0-2-1.example.org[192.0.2.1]
Aug 9 06:34:28 panel postfix/smtpd[4027594]: lost connection after CONNECT from 192-0-2-1.example.org[192.0.2.1]
Aug 9 06:34:28 panel postfix/smtpd[4027594]: disconnect from 192-0-2-1.example.org[192.0.2.1] commands=0/0

2) An attempt with "openssl s_client -servername mail2.plsktech.com -connect panel.plesk.website:465", log records:
Aug 9 06:41:15 panel postfix/smtpd[4029390]: connect from 192-0-2-1.example.org[192.0.2.1]
Aug 9 06:41:15 panel postfix/smtpd[4029390]: TLS SNI mail2.plsktech.com from 192-0-2-1.example.org[192.0.2.1] not matched, using default chain
Aug 9 06:41:16 panel postfix/smtpd[4029390]: lost connection after CONNECT from 192-0-2-1.example.org[192.0.2.1]
Aug 9 06:41:16 panel postfix/smtpd[4029390]: disconnect from 192-0-2-1.example.org[192.0.2.1] commands=0/0

3) An attempt with "openssl s_client -connect panel.plesk.website:465" (without "-servername"), log records:
Aug 9 06:42:13 panel postfix/smtpd[4029390]: connect from 192-0-2-1.example.org[192.0.2.1]
Aug 9 06:42:15 panel postfix/smtpd[4029390]: lost connection after CONNECT from 192-0-2-1.example.org[192.0.2.1]
Aug 9 06:42:15 panel postfix/smtpd[4029390]: disconnect from 192-0-2-1.example.org[192.0.2.1] commands=0/0

----

I see a warning only in the case when I really use the wrong domain with the "-servername" option. In the first attempt, I see the valid and expected certificate. In cases 2) and 3) I see the self-signed certificate that on my server is configured as "default" for the mail service, but this is also expected.

I would suggest filling in the form at https://talk.plesk.com/form/1/select if you have more specific Steps-To-Reproduce (STR) to show that correctly configuring SNI is broken in some case. Or contact Plesk Support to investigate the issue on the server with the issue.
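The checks discussed in this thread (the `tls_server_sni_maps` fix, the `-servername` test against a bare domain, a `mail.` prefix and a `smtp.` prefix, and the "not matched, using default chain" case without SNI) can be run in one go with the script below. It is an added example, not code from the thread or from Plesk; it assumes openssl(1) is installed, and the host, port and domain names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Plesk: report which certificate
# a Postfix submission port presents for each name a mail client might use.
# Assumes openssl(1) is installed; host, port and names below are placeholders.

# Print the DNS entries of the Subject Alternative Name extension found in
# `openssl x509 -text` output on stdin, one per line.
sans_from_text() {
  grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Match one client name against one certificate name. A wildcard covers
# exactly one label: "*.example.com" matches "mail.example.com" but neither
# "example.com" nor "a.b.example.com".
name_matches() {
  name=$1; pattern=$2
  case $pattern in
    \*.*) suffix=${pattern#\*.}
          [ "${name%%.*}" != "$name" ] && [ "${name#*.}" = "$suffix" ] ;;
    *)    [ "$name" = "$pattern" ] ;;
  esac
}

# Succeed if any name in the newline-separated list $2 covers $1.
cert_covers() {
  name=$1; sans=$2
  set -f                      # keep "*.example.com" from globbing against files
  for san in $sans; do
    if name_matches "$name" "$san"; then set +f; return 0; fi
  done
  set +f; return 1
}

# Live check (needs network): connect with SNI set to $3, or without SNI when
# $3 is empty, and report whether the presented certificate covers that name.
check_sni() {
  host=$1; port=$2; sni=$3
  sans=$(openssl s_client -connect "$host:$port" ${sni:+-servername "$sni"} \
           </dev/null 2>/dev/null | openssl x509 -noout -text 2>/dev/null | sans_from_text)
  list=$(printf '%s' "$sans" | tr '\n' ' ')
  if [ -z "$sni" ]; then                printf 'DEFAULT  (no SNI)  SANs: %s\n' "$list"
  elif cert_covers "$sni" "$sans"; then printf 'OK       %s  SANs: %s\n' "$sni" "$list"
  else                                  printf 'MISMATCH %s  SANs: %s\n' "$sni" "$list"
  fi
}

# Usage with placeholder names: no SNI, the bare domain, and the prefixes clients guess.
# for n in "" example.com mail.example.com smtp.example.com; do
#   check_sni panel.example.com 465 "$n"
# done
```

A MISMATCH line for a name that clients are configured with is exactly what produces the certificate warning described at the top of the thread; the DEFAULT line shows which chain Postfix falls back to when the SNI map has no entry.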
 