
Question Secure mail.customerdomain.com with Let's Encrypt certificate with no hosting

tofra

New Pleskian
I have a service plan where hosting is disabled and mail is enabled. Now when I request a Let's Encrypt certificate (with SSL It!) I only get the option to request a certificate for webmail.customerdomain.com, not for securing the mail, which the customer can reach with mail.customerdomain.com.
Another option would be that the customer uses customerdomain.com for fetching the mail, but that is not possible when the customer has his website running somewhere else (as Let's Encrypt looks for customerdomain.com for using the .well-known stuff).

I also tried using the CLI:
[root@pleskhost ~]# plesk ext sslit --certificate -issue -domain mail.customerdomain.com -registrationEmail [email protected] -secure-webmail -secure-mail
Can not find domain by name 'mail.customerdomain.com'
exit status 3

And:
[root@pleskhost ~]# plesk ext sslit --certificate -issue -domain customerdomain.com -registrationEmail [email protected] -secure-webmail -secure-mail
[2021-11-15 17:11:11.853] 3023630:6192869f97f38 ERR [extension/sslit] Unable to secure domain customerdomain.com via CLI Validation failed:
Unable to secure a mail due to configuration of the specified domain.
Validation failed:
Unable to secure a mail due to configuration of the specified domain.
exit status 3

So how could I secure the mail with the assumption the mail runs at our plesk server, and the website somewhere else?
I prefer mail.customerdomain.com, but customerdomain.com would be ok if mail.customerdomain.com is not possible

Kind regards,
Tom
 
Unfortunately, now such a scenario of securing mail without domain web hosting is not implemented. We are considering such a possibility as part of the EXTSSLIT-1406 request, but there is no ETA of implementation at the moment.
 
The only way to do this is as follows:
- unassign the certificate of domain.com
- reissue a new certificate on domain.com for webmail.domain.com
- create a mail.domain.com subdomain
- issue a certificate on mail.domain.com
- create a cronjob (scheduled task) to assign the mail.domain.com certificate to the mail settings of domain.com:
- /sbin/plesk bin subscription_settings -u domain.com -mail_certificate "Lets Encrypt mail.domain.com"

That should do it.


 
Hello,

Thank you for your reply. How should I add the subdomain? I can't select the domain without hosting when I press the add subdomain button in Plesk.

Ty.
 
Would like to see this option, too. Thought I would be clever and clean with the "no web hosting" selection for my subdomain mail.example.com. Unfortunately it breaks the Lets Encrypt Reissue.
 
Would like to see this option, too. Thought I would be clever and clean with the "no web hosting" selection for my subdomain mail.example.com. Unfortunately it breaks the Lets Encrypt Reissue.
Just as an FYI, support for securing a mail.* sub domain has been introduced in version 18.0.67, unfortunately only for subscriptions with the "no web hosting" type. (But if that's what you're after, then you are in luck).
 
Just as an FYI, support for securing a mail.* sub domain has been introduced in version 18.0.67, unfortunately only for subscriptions with the "no web hosting" type. (But if that's what you're after, then you are in luck).
No idea if this is really working. Probably not in combination with cloudflare.

Just enable the hosting on the domain, technically this does not hurt or cause any problem
I just did this after being on "no web hosting" type. My whole email transfer for all domains is now completely broken. So other guys: be careful what you do.
 
The mail.domain.com ssl certificate was just not renewed. That's how all my problems started. So I tried to change a few things (like switching to "website" instead of "no web hosting") - now everything is broken.

It seems to be really hard to configure a mail server when you have multiple domains and using cloudflare.
 
Ok I have found the real issue: Incoming mail to Plesk server is rejected by Spamhaus BL: Error: open resolver. I never saw something like that before - world seems to get out of control :rolleyes:

So I have to correct: Changing from "no web hosting" to "website" can indeed be the solution.

The "no web hosting" is working, if your SSL is entirely handled by plesk. When using cloudflare for your web traffic you have to add a subdomain mail.domain.com. This you save with an SSL (Lets Encrypt) in Plesk. This all works fine, but I believe the mail.domain.com SSL certificate will just run out and is not renewed. I might be wrong, but this is my impression.

BTW: is it not possible to edit posts here in the forum? :confused:
 
Good to read you've got things sorted.

The "no web hosting" is working, if your SSL is entirely handled by plesk. When using cloudflare for your web traffic you have to add a subdomain mail.domain.com. This you save with an SSL (Lets Encrypt) in Plesk. This all works fine, but I believe the mail.domain.com SSL certificate will just run out and is not renewed. I might be wrong, but this is my impression.
That would entirely depend on your setup. Cloudflare should not block any certificate renewal, but if you're using CF as your DNS provider and use a wildcard certificate for mail, then manually adding the required DNS record for verification might be needed.

BTW: is it not possible to edit posts here in the forum? :confused:
There is a time limit to edit previous posts, because (sadly) the edit function gets abused a lot by spammers on the forum.
 
That would entirely depend on your setup. Cloudflare should not block any certificate renewal, but if you're using CF as your DNS provider and use a wildcard certificate for mail, then manually adding the required DNS record for verification might be needed.
That's not what I wanted to say. Cloudflare does not prevent anything. It's plesk that might have issues with a more complex setup.

The setting looks now correct to me and is working, but plesk is telling about mail.mail.domain.com. This looks dubious:
1741083447014.png

As I wanted to check if renewal is working. I tried also clicking on Reissue Certificate:
1741083610287.png

So I am really not sure, what is going on here. Will plesk renew my mail.domain.com certificate with mail.mail.domain.com!? :rolleyes:
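
One way to check the two things the posts above are unsure about, whether the certificate the mail service presents covers the name clients connect to and how many days it has left, as an added example that is not part of the thread or of Plesk. The example.com hostnames, the sample certificate, the dates and the 30-day warning threshold are constructed assumptions.

```python
import socket
import ssl

# Constructed sample in the format SSLSocket.getpeercert() returns: a certificate
# issued for mail.mail.example.com while clients connect to mail.example.com.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "mail.mail.example.com"),),
    "notAfter": "Jun 10 12:00:00 2025 GMT",
}

def name_matches(pattern, host):
    """Match a certificate DNS name against a host name. A '*' is accepted only
    as the whole left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_cert(cert, host, now, warn_days=30):
    """cert: dict from getpeercert(); now: Unix time; warn_days: assumed threshold."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {
        "sans": sans,
        "covers_host": any(name_matches(s, host) for s in sans),
        "days_left": days_left,
        "renewal_overdue": days_left < warn_days,
    }

def fetch_cert(host, port=993, timeout=10.0):
    """Fetch the certificate from an implicit-TLS mail port (993 IMAPS, 465 SMTPS).
    The chain is still verified, so an expired or untrusted certificate raises
    ssl.SSLCertVerificationError; the name check is left to check_cert()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    today = ssl.cert_time_to_seconds("May 20 12:00:00 2025 GMT")  # constructed date
    print(check_cert(SAMPLE_CERT, "mail.example.com", today))
    # Live check (needs network and `import time`):
    # check_cert(fetch_cert("mail.example.com"), "mail.example.com", time.time())
```

Run from a scheduled task against the real mail hostname, a result with `covers_host` false or `renewal_overdue` true shows a missed renewal or a certificate issued for the wrong name before mail clients start rejecting it.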
 