• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved SNI Enabled but Aliased Domain not in Mail Cert?

G J Piper

G J Piper

Regular Pleskian
I have a domain (askb.org) set up for mail with Let's Encrypt enabled and it issues certificates for the website.
I added www.mail.askb.org as an alias to the domain so my clients' existing email server setups would not have to be changed to the root domain (they all use mail.askb.org).
I can secure the webmail and website and mail using the cert, but the mail cert shows that the alias isn't included in it even though the website cert shows it as an alt?
Going directly to the domain's mail settings allows me to only add the main domain's cert (which presumably should have the added mail. cert in it as an alt domain like the rest)
Confused...
Mail clients don't show the "mail.askb.org" domain so they fail verification unless the settings are changed in the clients' mail settings.

Running:
Code: 
openssl s_client -connect mail.askb.org:465
reveals that the server still only uses the main mail certificate for all domains?

If I change the main mail server certificate to be the askb.org lets encrypt cert then it works, but it looks like individual domains on the server do not override that setting with their own Let's Encrypt cert.

Screen-Shot-2019-10-02-at-11.49.38-PM.jpg Screen-Shot-2019-10-02-at-10.37.45-PM.jpg
 
Last edited:
Upon further testing this seems to be working now. Not sure why remote queries show the main server cert instead of the sni ones, but actual mail clients seem to see the correct ones.
 
Hello GJ Piper

I don't see the same parameters than you in the email domain preferences...
How did you get this ?
I only have SSL/TLS certificate for webmail

Pretty upseted by Plesk on this point for many years now...
I was told that Obsidian will solve this problem and nothing changed


[EDIT]: my mistake !
Everything is OK.
Just have to migrate all customers emails to Obsidian now...
 
Last edited:
MARS_NETWORKS said:
Pretty upseted by Plesk on this point for many years now...
I was told that Obsidian will solve this problem and nothing changed
Click to expand...
But they changed it in Obsidian?! That fact you are seeing his screenshot doesn't convince you?

If you don't see same options like GJ Piper then some option may be disabled at your installation. Especially if you run upgrade from Onyx instead of clean install. Check their documents. I can't find link anymore but i saw some settings need to be enabled manually if you are upgrading from Onyx. Better yet ask their support directly.
 
As I know only postfix and dovecot support SNI. So SNI will not be available for you in case if you're using courier-imap or qmail.
 
You must log in or register to reply here.

Similar threads

futureweb
Question Issues with SSL Certificate Renewal for Mail Services in Plesk: Seeking Automated Solution via CLI or API
Replies
8
Views
293
futureweb
futureweb
J
Resolved WordPress Network setup on Alias -- how to add alternative domains with Lets Encrypt SSL Certs?
Replies
3
Views
373
joell
J
PrimeSites
Issue Server-wide backup invalidates SSL cert when deployed on back-up server
Replies
4
Views
456
PrimeSites
PrimeSites
S
Question Mail subdomains with wrong TLS certificate (e.g. imap.example.tld)
Replies
1
Views
260
Kaspar
K
carlsson
Issue Mail on Plesk, web on other provider, how do I create a correct SSL?
Replies
2
Views
167
carlsson
carlsson
Back
Top