
Forwarded to devs Postfix SNI TLS-Certs not auto-updated

Fredrik Svensson

New Pleskian
User name: Fredrik Svensson

TITLE

Postfix SNI TLS-Certs not auto-updated

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian v18.0.30_build1800200918.13 os_CentOS 7

PROBLEM DESCRIPTION

Certificates issued by Let's Encrypt, used for email, are not automatically replaced for postfix (SMTP) when the actual certificate is updated by Let's Encrypt.

The certificates for Postfix for that domain are stored by Plesk in /var/spool/postfix/plesk/certs.db but this is not auto updated unless you manually toggle 'SSL/TLS Certificate for e-mail' to "None chosen" and back again.

Dovecot (incoming email): no problem. The auto updated certificates from Let's Encrypt are stored and used there, but not for postfix, so outgoing emails are stopped by default 90 days after Let's Encrypt's first generation of the cert.

Apparently it doesn't matter whether the extension SSL-IT is used or not. The bug is still there.

Please read more here: Issue - Postfix SNI TLS-Certs not auto-updated

STEPS TO REPRODUCE

Create a Let's Encrypt certificate, either wildcard or directly for mail.yourdomain.com, and use it as the certificate for E-mail in Plesk Control Panel. When this certificate is auto updated (by default 60 days later) it will be put in use by Plesk for the main web domain AND for Dovecot (incoming mail) but NOT for Postfix (SMTP).

ACTUAL RESULT

SMTP eventually stops working since the used (old) certificate by postfix will be invalid 90 days later.

EXPECTED RESULT

We want Postfix to use the same (newly refreshed) certificate as Dovecot.

ANY ADDITIONAL INFORMATION


If this has been reported already as an official bug I apologize, but I couldn't find it being forwarded to your technicians anywhere.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Hi @Fredrik Svensson
may I ask you for more details on how to reproduce this case?
What versions of the LetsEncrypt and SSLit! extensions do you have installed? I believe they are the latest - LE 2.12.0 and SSLit! 1.6.0 - but just to be sure.
When you issue a certificate for a domain, do you mark the checkbox to secure mail, or do you assign the certificate to mail through Mail settings afterwards?
Is there anything specific in your mail configuration you can think of? I am just trying to find the exact steps to reproduce, since on my test set with LetsEncrypt and SSLit!, Plesk 18.0.30, CentOS 7, the certificate is autorenewed for Postfix as well.
 
@ybabaeva
We don't use SSLit. It's not even installed. We assign the certificate through Mail settings afterwards. Two cases:
1) Wildcard Let's Encrypt certificate used for both www & mail.
2) Regular Let's Encrypt certificate only used for mail.domain.com (when the customers A record for www points to some other place).

In both cases we manually mark the generated certificate to be used for the customers mail.
We thought of testing SSLit, but when reading more about our problem we understood that it would not help, since other people (with SSLit) are experiencing the same thing.

It's nothing special about our setup at all. The certificate itself is updated but the file /var/spool/postfix/plesk/certs.db is not updated when Let's Encrypt certificates are auto updated.

I understand it can be somewhat cumbersome to recreate this fault in a lab environment since you have to wait for the auto-renew procedure to kick in. Maybe you can fool the system by setting in panel.ini:
[ext-letsencrypt]
renew-before-expiration = 90

After such renewal from Let's Encrypt you can, for instance, use an online service like Mailserver encryption test (STARTTLS, TLS and PFS) · SSL-Tools where you can see the expiration date of the mail certificate OR you can issue the following commands on the server and you will notice that the used certificate differs.

1) Will show the correct renewed certificate
# openssl s_client -showcerts -connect mail.mydomain.se:995 -servername mail.mydomain.se

2) Will show the old obsolete certificate
# openssl s_client -starttls smtp -showcerts -connect mail.mydomain.se:587 -servername mail.mydomain.se
 
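The two openssl commands above compare, by eye, the certificate Dovecot presents on 995 with the one Postfix presents on 587. The script below, an added example that is not part of this thread and not Plesk's own tooling, automates that comparison so it can run from cron or a monitoring job: it fetches the DER certificate from both listeners, computes SHA-256 fingerprints, and exits non-zero on a mismatch, which is exactly the symptom described (Dovecot renewed, Postfix still serving the stale certificate). The hostname mail.example.com is a placeholder; the ports are the ones used in the thread. Verification is deliberately disabled on the probe connections so that an already-expired certificate is still retrieved and reported rather than causing the probe itself to fail.

```python
#!/usr/bin/env python3
"""Compare the TLS certificate served by the POP3S listener (Dovecot, 995)
with the one served by the SMTP submission listener (Postfix, 587/STARTTLS).

Added example for the thread above; not Plesk code. Hostnames are placeholders.
"""
import hashlib
import smtplib
import socket
import ssl
import sys


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a PEM certificate, e.g. the leaf read from the
    certificate file deployed on disk, so it can be compared with what the
    listeners actually serve on the wire."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def _probe_context() -> ssl.SSLContext:
    # Verification is off on purpose: we want the certificate even when it is
    # expired, because an expired certificate is the failure mode being watched.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def implicit_tls_cert(host: str, port: int = 995, timeout: float = 10.0) -> bytes:
    """DER certificate from an implicit-TLS listener (POP3S 995 or IMAPS 993)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with _probe_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def starttls_smtp_cert(host: str, port: int = 587, timeout: float = 10.0) -> bytes:
    """DER certificate from the submission listener after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=_probe_context())
        # After starttls() smtplib has replaced smtp.sock with an SSLSocket.
        return smtp.sock.getpeercert(binary_form=True)


def classify(fp_dovecot: str, fp_postfix: str) -> str:
    """'ok' when both listeners present the same certificate, else 'mismatch'."""
    return "ok" if fp_dovecot == fp_postfix else "mismatch"


def main(argv) -> int:
    host = argv[1] if len(argv) > 1 else "mail.example.com"  # placeholder host
    fp_dovecot = fingerprint(implicit_tls_cert(host))
    fp_postfix = fingerprint(starttls_smtp_cert(host))
    status = classify(fp_dovecot, fp_postfix)
    print(f"995/TLS      (Dovecot): {fp_dovecot}")
    print(f"587/STARTTLS (Postfix): {fp_postfix}")
    print(f"status: {status}")
    # Non-zero exit lets cron or a monitoring agent alert before the stale
    # certificate actually expires and SMTP submission starts failing.
    return 0 if status == "ok" else 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_mail_certs.py mail.yourdomain.com`; a "mismatch" status after a Let's Encrypt renewal indicates that /var/spool/postfix/plesk/certs.db was not regenerated, which is the moment to apply the re-assignment workaround rather than waiting for the expiry date.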
@Fredrik Svensson , thank you for your answer!
The thing is that in the scope of the fix for the EXTLETSENC-884 bug we plan to add a clear warning that the standalone LetsEncrypt extension does not support renewal of the certificate on mail. Only the SSLit! extension supports such renewal - this feature to secure the mail service was introduced in December 2019. So probably other people with SSLit! complained before this functionality was implemented.
I'm particularly interested in whether you managed to face the issue with renewal on mail with both LE and SSLit! installed. I just tested that it works for me with the same Plesk, same OS - the file /var/spool/postfix/plesk/certs.db is updated, and the new certificate is returned by both Postfix and Dovecot. So with the LE and SSLit! extensions it's supposed to be working, and if there is some bug I'm really willing to find out the details of how to reproduce it.
 
We're using Plesk Obsidian 18.0.43 on Linux.

We're importing a certificate for a domain using plesk bin certificate --update. We're facing the same issue where /var/spool/postfix/plesk/certs.db isn't being regenerated.

Is there a way that a command-line tool can trigger the above update, similar to what happens when SSLit generates a certificate?
 
Still the same problem when using the command:
Bash:
plesk bin certificate --update 'domain.com certificate' -domain domain.com
The new certificate is not deployed on Postfix. The current workaround is to run this command afterwards:
Bash:
plesk bin subscription_settings --update domain.com -mail_certificate 'domain.com certificate'
Found here.
 