
Question Separating mail server from the web hosting

Mike99

Basic Pleskian
Hello fellow Pleskians,

I would like to separate e-mail services from the web hosting.

I came to a point where e-mails are taking too much of my precious, expensive NVMe disk space. I want to separate e-mails to another server run by Plesk to manage mailboxes.

I have read "Is it possible to have separate external web and mail servers in Plesk?" but I don't think this is my case. I use separate DNS and am willing to do some manual work.

Can experienced Plesk users give me a hint or tell me from their experience? My concerns are:
  1. Will separating e-mails somehow affect Let's Encrypt certificates on the original web server?
    My idea is that once the servers are separated, I will regenerate the naked domain and www on the original server, then on the new e-mail server I will create a subscription for the same domain and generate only the webmail.example.com SSL certificate, where the webmail.example.com A DNS record will point to the new mail server.
  2. Will the Plesk Migrator extension do the job?
    From reading the docs, I figured out that I will migrate existing e-mail data from the old web server to the new e-mail server with the Plesk Migrator extension, then after switching all the DNS data on all domains, I will resync according to "How to sync content between source and destination servers after migration?". Will this work?
  3. I want to change server names, so the original and running web server will get the new server name new.example.com and the original server name will be switched to the e-mail server as original.example.com, so clients don't have to change their settings in Outlook/Thunderbird/etc.
    My question is: is this going to work? My plan is to regenerate Let's Encrypt after the switch and keep resyncing with Plesk Migrator until the new reverse DNS for the new server names is resolved. Is this right or am I missing something?
Thank you for any valuable input.

Mike
 
Hi,
I myself haven't done that kind of thing in our hosting company, BUT in my opinion you can migrate with the migration tool to the new server, choosing only web related objects and not mail related objects. About certificates, there is no problem taking the old Let's Encrypt certificate and migrating it to the new server. The migrator should also migrate the certificate, but you can always migrate it manually and it should work well on both servers.

Reading concern no. 2 that you wrote, I think that migrating the web related objects is way easier than migrating web related objects, from experience.
 
  1. Will separating e-mails somehow affect Let's Encrypt certificates on the original web server?
    My idea is that once the servers are separated, I will regenerate the naked domain and www on the original server, then on the new e-mail server I will create a subscription for the same domain and generate only the webmail.example.com SSL certificate, where the webmail.example.com A DNS record will point to the new mail server.
  2. I want to change server names, so the original and running web server will get the new server name new.example.com and the original server name will be switched to the e-mail server as original.example.com, so clients don't have to change their settings in Outlook/Thunderbird/etc.

Unless you have already configured your mail server on a subdomain like mail.example.com, your clients will have to change settings, as the mail server address right now is probably the naked domain example.com, which will have to stay at the original server.
You could try separating example.com and www.example.com, but that will involve finding a solution for syncing the certificates to the new server (and reloading the config on certificate changes), and you would need a stub webserver that redirects to the www. one, so it's probably easier to just have mail. and webmail. on the new server.
 
So for anyone interested in separating e-mail server from the web server, this is what I found so far:

I set up two Plesk installations, one hosting example.com webserver only, the other e-mails only.

A DNS records for naked and www were pointing to server 1
MX DNS records, A for webmail and mail were pointing to server 2

This configuration works - emails were delivered BUT:
  1. Autoconfig will not work, because of how it is designed and implemented in Plesk.
  2. Let's Encrypt will not work with webmail.example.com, or at all on a server that does not host the naked domain:
Could not issue an SSL/TLS certificate for example.com
Details
Could not request a Let's Encrypt SSL/TLS certificate for example.com.

Go to http://example.com/.well-known/acme-challenge/70FsmXYx3HJkWfsdfsdX1C9yODHOnZDUq67lbPk6BKpSZFI
and сheck if the authorization token is available.
If it is, try to request the certificate again. If the token is not available, there may be an issue with your DNS configuration.
Your domain in Plesk is hosted on the IP address(es): X.Y.Z.Z, but the DNS challenge used another IP: X.Y.Z.Z.
Make sure that the IP address(es) specified in the domain's DNS zone match the IP address(es) the domain is hosted on.
If it does not help or if you cannot find an issue with your DNS configuration, use this KB article for troubleshooting.

The problem is that the SSL It and Let's Encrypt extensions are programmed to challenge the naked domain that is hosted on another server, even if you instruct them to secure only the webmail subdomain. Not even a wildcard certificate works from other servers.

Solution

Let's Encrypt is perfectly capable of creating a wildcard certificate that is challenged by DNS. One option is to create this certificate on the server with the naked domain and copy it to the mail server, using just Plesk extensions.

Another solution is to create two separate wildcard certificates used by both servers independently, or issue certificates manually on the mail server with something like certbot.

If anybody more experienced has anything to say, please do. I hope there will be no more surprises along the way.
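
The failure described in the last post comes down to which server each name's A record points at: HTTP-01 validation is answered by whatever host the name resolves to, and wildcard names can only be validated over DNS-01. A pre-flight check for that, as an added example that is not part of the original posts; the zone data, the addresses and the `resolve` / `http01_check` function names are constructed for illustration:

```sh
#!/bin/sh
# Constructed zone data using documentation addresses:
# 192.0.2.10 = web server (server 1), 198.51.100.20 = mail server (server 2).
ZONE='example.com 192.0.2.10
www.example.com 192.0.2.10
mail.example.com 198.51.100.20
webmail.example.com 198.51.100.20'

# Print the A record for a name from the constructed zone.
# Against live DNS, replace the body with a real lookup such as: dig +short A "$1"
resolve() {
    printf '%s\n' "$ZONE" | awk -v n="$1" '$1 == n { print $2 }'
}

# http01_check SERVER_IP NAME...
# For every name that would go on the certificate, report whether this server
# can answer an HTTP-01 challenge for it ("http01") or whether the name has to
# be validated over DNS instead ("dns01"). Returns 1 if any name needs DNS-01,
# i.e. an HTTP-01 request covering all the names would fail on this server.
http01_check() {
    server_ip=$1; shift
    rc=0
    for name in "$@"; do
        case $name in
            \*.*)  # wildcard names are never validated over HTTP
                echo "dns01 $name (wildcard)"; rc=1; continue ;;
        esac
        ip=$(resolve "$name")
        if [ "$ip" = "$server_ip" ]; then
            echo "http01 $name"
        else
            echo "dns01 $name (A record: ${ip:-none})"
            rc=1
        fi
    done
    return "$rc"
}

# Usage on the mail server, quoting any wildcard so the shell does not expand it:
#   http01_check 198.51.100.20 example.com webmail.example.com '*.example.com'
```

Any name reported as `dns01` has to be covered by a DNS-validated certificate, which is the wildcard route the post settles on.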
 