
Resolved SNI Enabled but Aliased Domain not in Mail Cert?

G J Piper

Regular Pleskian
I have a domain (askb.org) set up for mail with Let's Encrypt enabled and it issues certificates for the website.
I added www.mail.askb.org as an alias to the domain so my clients' existing email server setups would not have to be changed to the root domain (they all use mail.askb.org).
I can secure the webmail and website and mail using the cert, but the mail cert shows that the alias isn't included in it even though the website cert shows it as an alt?
Going directly to the domain's mail settings allows me to only add the main domain's cert (which presumably should have the added mail. cert in it as an alt domain like the rest)
Confused...
Mail clients don't show the "mail.askb.org" domain so they fail verification unless the settings are changed in the clients' mail settings.

Running:
Code:
openssl s_client -connect mail.askb.org:465
reveals that the server still only uses the main mail certificate for all domains?

If I change the main mail server certificate to be the askb.org Let's Encrypt cert then it works, but it looks like individual domains on the server do not override that setting with their own Let's Encrypt cert.

[Attachments: Screen-Shot-2019-10-02-at-11.49.38-PM.jpg, Screen-Shot-2019-10-02-at-10.37.45-PM.jpg]
 
Upon further testing this seems to be working now. Not sure why remote queries show the main server cert instead of the SNI ones, but actual mail clients seem to see the correct ones.
 
Hello GJ Piper

I don't see the same parameters as you in the email domain preferences...
How did you get this?
I only have SSL/TLS certificate for webmail

Pretty upset by Plesk on this point for many years now...
I was told that Obsidian will solve this problem and nothing changed


[EDIT]: my mistake!
Everything is OK.
Just have to migrate all customers' emails to Obsidian now...
 
> Pretty upset by Plesk on this point for many years now...
> I was told that Obsidian will solve this problem and nothing changed

But they changed it in Obsidian?! The fact that you are seeing his screenshot doesn't convince you?

If you don't see the same options as GJ Piper then some option may be disabled in your installation, especially if you ran an upgrade from Onyx instead of a clean install. Check their documents. I can't find the link anymore, but I saw that some settings need to be enabled manually if you are upgrading from Onyx. Better yet, ask their support directly.
 
As far as I know, only Postfix and Dovecot support SNI, so SNI will not be available if you're using Courier-IMAP or qmail.
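
Added example, not part of the thread or of Plesk's tooling: a shell check for the question raised above, fetching the certificate from an implicit-TLS mail port once without SNI and once with the client-facing name as SNI, then reporting whether the server fell back to its default certificate or chose a per-domain certificate that lacks the name. `openssl s_client` before OpenSSL 1.1.1 sends no SNI unless `-servername` is given, so such a query gets the server's default certificate; the script assumes 1.1.1 or later for `-noservername`, and its function names are illustrative.

```sh
#!/bin/sh
# Added example: does a mail server choose its certificate by SNI?
# Assumes OpenSSL 1.1.1+ (for -noservername); function names are illustrative.

# fetch_cert HOST PORT [NAME]: print the leaf certificate as PEM.
# With NAME the ClientHello carries it as SNI; without it SNI is suppressed.
fetch_cert() {
  if [ -n "${3:-}" ]; then
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null
  else
    openssl s_client -connect "$1:$2" -noservername </dev/null 2>/dev/null
  fi | openssl x509 -outform PEM 2>/dev/null
}

# fingerprint: SHA-256 fingerprint of the PEM certificate on stdin.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# covers_name NAME: succeed if the PEM certificate on stdin is valid for NAME.
covers_name() {
  openssl x509 -noout -checkhost "$1" 2>/dev/null | grep -q 'does match certificate'
}

# sni_verdict DEFAULT_FP SNI_FP COVERS(yes|no): classify the two handshakes.
sni_verdict() {
  if [ -z "$2" ]; then echo "no-certificate"              # handshake failed
  elif [ "$3" = yes ]; then echo "ok"                      # name is in the cert
  elif [ "$1" = "$2" ]; then echo "default-cert-only"      # SNI made no difference
  else echo "name-missing-from-sni-cert"                   # per-domain cert lacks NAME
  fi
}

# check_sni HOST PORT NAME: run both handshakes and print the verdict.
check_sni() {
  def_pem=$(fetch_cert "$1" "$2") || true
  sni_pem=$(fetch_cert "$1" "$2" "$3") || true
  covers=no
  printf '%s\n' "$sni_pem" | covers_name "$3" && covers=yes
  sni_verdict "$(printf '%s\n' "$def_pem" | fingerprint)" \
              "$(printf '%s\n' "$sni_pem" | fingerprint)" "$covers"
}
```

Run it as `check_sni mail.askb.org 465 mail.askb.org`. For STARTTLS ports, add `-starttls smtp` or `-starttls imap` to the two `s_client` calls.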
 