TimReeves
Regular Pleskian
This morning I could not send mail from some accounts, Thunderbird said the certificate has expired.
Problem: When selecting "SSL/TLS certificate for mail" in the mail settings of an individual domain,
the certificate for Postfix for that domain is stored by Plesk in /var/spool/postfix/plesk/certs.db
Sadly it is NOT (yet) updated by the SSL It! or Let's Encrypt extension:
FAQ for Plesk
If SNI for mail is supported now, how can I automate mail securing with the SSL It! or Let's Encrypt extensions?
Such automation is currently not supported. However you can issue a wildcard SSL/TLS certificate via SSL It! or Let's Encrypt and manually assign this certificate to mail using the "Mail Settings" tab in the subscription mail settings.
# postconf mail_version
mail_version = 3.4.5 (this is the NEW one, which supports SNI)
o Show which certificate is currently being presented by Postfix
# echo 'Q' | openssl s_client -connect localhost:465 -servername {domain} -showcerts 2>&1
o Show a particular certificate stored in /var/spool/postfix/plesk/certs.db:
# postmap -s /var/spool/postfix/plesk/certs | grep '{domain}' | cut -d$'\t' -f2 | base64 -d
Quick and Dirty Fix: Change the domain setting for "SSL/TLS certificate for mail" to "Not selected" and then back to the Let's Encrypt certificate of the domain. This puts the current version of the Let's Encrypt certificate into /var/spool/postfix/plesk/certs.db - but note that there will still be no automatic updates; the procedure needs to be repeated manually every 2 months.
Dovecot: /etc/dovecot/conf.d/11-plesk-security-ssl.conf sets the default cert /etc/dovecot/private/dovecot.pem
Then any domains (and aliases) with an individual "SSL/TLS certificate for mail" get their own config file:
14-plesk-sni-{domain}.conf
Here the certificate is configured like this:
local_name {domain} {
ssl_cert = </opt/psa/var/certificates/scfXhbsvc
ssl_key = </opt/psa/var/certificates/scfXhbsvc
}
The original Let's Encrypt certificate parts are linked
from /usr/local/psa/var/modules/letsencrypt/etc/live/{domain}
to /usr/local/psa/var/modules/letsencrypt/etc/archive/{domain}
The certificate at /opt/psa/var/certificates/scfXhbsvc is generated from the current parts.
So it looks like Dovecot will get the current certificate; the problem is only with Postfix.
But what happens to Dovecot and Postfix when we deselect "SSL/TLS certificate for mail" on a domain?
They both default to the standard mail certificate as set in "Tools & Settings | SSL/TLS Certificates".
For me this is not an option for Dovecot, as I previously had my own solution based on acme.sh to provide SNI-based certificates. So all my users' email client accounts are set up for IMAP to expect the correct domain and certificate )-:
What to do? I need the automatic update of /var/spool/postfix/plesk/certs.db asap! I'm sure many others will too, as the 3-month certificates from Let's Encrypt now start to expire.
Last idea: What about using a wildcard cert as noted in the FAQ?
A hassle to have to add a DNS record, but never mind, tried it.
o Dovecot works as expected, picks up the new wildcard cert in /opt/psa/var/certificates
o Postfix - hard to tell. The new wildcard cert has been put into /var/spool/postfix/plesk/certs.db - but will it be updated?
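An added check for the stale certs.db problem described in the post (my own example, not code from the post or from Plesk): it parses a `postmap -s /var/spool/postfix/plesk/certs` dump, base64-decodes each SNI entry's bundle and compares the leaf certificate's SHA-256 fingerprint with the live Let's Encrypt certificate, so you can see which domains Postfix would still serve an outdated certificate for. It assumes the live PEM for each domain is read from the live/{domain} directory (the exact file name there, e.g. fullchain.pem, is an assumption); the sample dump and certificates below are constructed stand-ins.

```python
import base64
import hashlib
import re

# Matches each CERTIFICATE block in a PEM bundle (a certs.db value holds chain + key).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 hex digest of the DER form of the first CERTIFICATE block, or None."""
    match = PEM_CERT_RE.search(pem_text)
    if match is None:
        return None
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def parse_certs_dump(dump_text):
    """Parse `postmap -s` output: one 'sni-name<TAB>base64(PEM bundle)' line per entry."""
    entries = {}
    for line in dump_text.splitlines():
        name, sep, value = line.partition("\t")
        if sep:  # skip blank or malformed lines
            entries[name.strip()] = base64.b64decode(value.strip()).decode()
    return entries

def stale_sni_entries(dump_text, live_certs):
    """Names whose certs.db leaf cert differs from (or has no) live counterpart."""
    stale = []
    for name, bundle in parse_certs_dump(dump_text).items():
        live_pem = live_certs.get(name)  # live_certs: {domain: PEM text from live/{domain}}
        if live_pem is None or leaf_fingerprint(bundle) != leaf_fingerprint(live_pem):
            stale.append(name)
    return sorted(stale)

def fake_pem(body):
    """Constructed stand-in for a PEM certificate (not a real X.509 object)."""
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

# Constructed sample: certs.db holds two domains; only the first matches its live cert.
CURRENT = fake_pem(b"renewed-cert")
OLD = fake_pem(b"expired-cert")
SAMPLE_DUMP = "\n".join(
    name + "\t" + base64.b64encode(bundle.encode()).decode()
    for name, bundle in [("mail.example.com", CURRENT), ("mail.example.net", OLD)])
SAMPLE_LIVE = {"mail.example.com": CURRENT, "mail.example.net": CURRENT}
```

On a real server, feed it the output of `postmap -s` and the PEM files from the live directories; an empty result means certs.db is in sync.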