
Question Secure mail protocols while website on other server (A to a different IP)

easyware

Basic Pleskian
Server operating system version
CentOS Linux 7.9.2009 (Core)
Plesk version and microupdate number
Plesk Obsidian v18.0.61_build1800240603.06
Hi, I have this issue with one of my customers.
I have always provided web hosting and mail services; the customer decided to develop the website with another company, which wanted to use its own server for hosting.
I have changed the DNS settings so the A record points to this external server's IP.
The issue comes when generating a Let's Encrypt certificate to secure the mail protocols and the webmail, as the ACME challenge obviously fails.
The website's company is strict about using its server for hosting. Is there a way I can solve the problem?
 
Instead of using their domain name for connecting to the mail services on your server, your customer could connect using the host name of your server.

Issuing a Let's Encrypt certificate for the mail protocols will fail, but it should still be possible for webmail (if all other certificate options are not selected).
 
I managed to solve the issue by manually issuing the certificate for the subdomains that I need to be protected (webmail.* and mail.*).
I will leave here what I have done, as a reference for whoever may need to solve the same problem.

I used a tool named CERTBOT (reference for the installation of the tool: https://certbot.eff.org/), which provides an interface to generate Let's Encrypt certificates.

With a command like this I was able to generate the certificate:
certbot certonly -a manual --preferred-challenges dns -d MAILSUBDOMAIN -d WEBMAILSUBDOMAIN -m MAIL_TO_BE_NOTIFIED_ON_EXPIRE
* MAILSUBDOMAIN and WEBMAILSUBDOMAIN are my mail.mysite.com and webmail.mysite.com
* MAIL_TO_BE_NOTIFIED_ON_EXPIRE is the mail address where I prefer to receive expiry notifications ([email protected])


The tool asks you to insert a CNAME entry for every subdomain in the DNS settings to resolve the DNS challenge, and if everything is OK it generates these files:
  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

IMPORTANT - Plesk will give an error when trying to import these files.

To import the certificate in Plesk I had to open fullchain.pem and append the content of privkey.pem.
After importing the modified fullchain.pem I just had to activate it for the mail protocols and the webmail.

This has been a perfect fix for the issue. I am now thinking about a paid certificate that has at least a 12-month renewal, as the free Let's Encrypt certificate needs to be renewed every three months.

If installed on the server, CERTBOT could be set to automatically renew the certificates, but I have not looked into that yet.
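Added example (not from this thread or from Plesk/certbot): a small POSIX shell script that does the manual "fullchain.pem + privkey.pem" merge described above and, before the bundle is uploaded to Plesk, checks with openssl that the private key really belongs to the leaf certificate and that the bundle contains exactly one key. The sample key and certificate are constructed on the fly with a throwaway self-signed certificate for mail.example.com, standing in for certbot's real output; the file names and the `plesk-bundle.pem` output name are assumptions.

```shell
#!/bin/sh
# Added example (not the forum poster's or Plesk's code): build the single PEM
# file that Plesk's importer accepts from certbot's fullchain.pem + privkey.pem,
# and verify the key/certificate pair before it is uploaded.
set -eu

# Concatenate the full chain and the private key into one PEM file
# (the manual step from the post). The result holds a private key,
# so restrict its permissions immediately.
combine_pem() {
  fullchain="$1"; privkey="$2"; out="$3"
  cat "$fullchain" "$privkey" > "$out"
  chmod 600 "$out"
}

# Exit status 0 when the private key's public half equals the public key
# embedded in the first (leaf) certificate of the given file.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Count PEM blocks whose BEGIN line ends with the given type
# (e.g. CERTIFICATE, "PRIVATE KEY"); matches both PKCS#8 and legacy headers.
count_blocks() {
  grep -c -- "^-----BEGIN.*$2-----$" "$1" || true
}

# Constructed stand-in for certbot's output: a throwaway self-signed
# certificate and key for mail.example.com (assumed names).
make_sample() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=mail.example.com" \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null
}

main() {
  work=$(mktemp -d)
  make_sample "$work"
  combine_pem "$work/fullchain.pem" "$work/privkey.pem" "$work/plesk-bundle.pem"
  if key_matches_cert "$work/fullchain.pem" "$work/privkey.pem"; then
    echo "bundle OK: $(count_blocks "$work/plesk-bundle.pem" CERTIFICATE) certificate(s)," \
         "$(count_blocks "$work/plesk-bundle.pem" 'PRIVATE KEY') private key"
  else
    echo "private key does not match the leaf certificate; do not import" >&2
    rm -rf "$work"
    exit 1
  fi
  rm -rf "$work"
}

main
```

On a real server, point `combine_pem` at certbot's live directory instead of `make_sample`; the key check is the one that catches the common slip of pairing a freshly renewed fullchain.pem with a stale privkey.pem, which Plesk would otherwise accept only to fail the TLS handshake on the mail ports.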
 
With this method you will need to check and update these DNS records manually every two months (the certbot renewal will fail otherwise).
 
Yeah, it was a quick fix; as I said, I will check for alternatives, but at least I have quickly solved the issue with my customer.
 