• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved SSL cert problem for mail after cert update

P

Powerdynamo

New Pleskian
OS:
‪Ubuntu 14.04.5 LTS‬
Plesk version 12.5.30 Update #55

as my odin cert had expired, i installed a new, first a self signed, than a trusted from comodo.
cert in the name of the server xxonline.info.
i can start plesk without any cert warning now, nut have problems with mail.

i installed this cert also in postfix and dovecot.
when i access mail via a domain, the mail client warns that cert is not matching - i can see the correct cert, but, sure, this is for xxonline.info and the client warns.

now, no problem to instruct the mail clients to accept.
BUT, and this is a big issue - ios10 via iphone has no provision to accept this (ipad with same ios has for some reason).

how do i get round the issue?

did not happen in old odin cert as long as it was valid, after it had expired there was also a problem with IOS10

thank you
 
Hi Powerdynamo,

Powerdynamo said:
BUT, and this is a big issue - ios10 via iphone has no provision to accept this (ipad with same ios has for some reason).
Click to expand...
Pls. consider to add MORE allowed ciphers. It could help you, to check your certificate ( with very detailed descriptions after the check! ) at: => https://www.ssllabs.com/ssltest/index.html so that you are able to understand, that several browsers/eMail-Clients are just not able to handshake with all protocols and ciphers - lists.

Additional descriptions and informations can be found here: => #2 / #100 / https://kb.plesk.com/7013 / ( or/and use the FORUM - SEARCH: => https://talk.plesk.com/search/search?&keywords="cipher" or the Plesk Knowledge - Base SEARCH: => https://kb.plesk.com/?q=ciphers&qprod=1&qlang=de&qLangEn=0&displayNumber=100 )


A very good site to inform yourself about ciphers - lists and protocols ( with "configuration generator" ): => https://wiki.mozilla.org/Security/Server_Side_TLS



Recommended commands to change several services with your UNIQUE, CUSTOM ciphers - lists / protocols:

Global example with the Plesk "sslmng utility" ( => pls. use the SSH - command ( logged in as user "root" ) => "plesk sbin sslmng -h" / "plesk sbin sslmng --help" for more options/informations )

For ALL services:

plesk sbin sslmng --custom --ciphers="YOUR-DESIRED-CIPHERS-LISTS" --protocols="TLSv1 TLSv1.1 TLSv1.2"

For specific services:

plesk sbin sslmng --services=SERVICE-NAME --custom --ciphers="YOUR-DESIRED-CIPHERS-LISTS" --protocols="TLSv1 TLSv1.1 TLSv1.2"

List available services: plesk sbin sslmng -l / plesk sbin sslmng --show-custom


Per service examples:

plesk sbin sslmng --services=postfix --custom --ciphers="YOUR-DESIRED-CIPHERS-LISTS" --protocols="TLSv1 TLSv1.1 TLSv1.2"

plesk sbin sslmng --services=dovecot --custom --ciphers="YOUR-DESIRED-CIPHERS-LISTS" --protocols="TLSv1 TLSv1.1 TLSv1.2"


Plesk actually recommends to use the following ciphers - list:
Code: 
EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20
I personally recommend to use:
Code: 
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS




Additional help recommendations:

Use for example the tool "Cipherscan" ( https://github.com/mozilla/cipherscan ), to test ciphers for a specific (sub)domain.

Example SSH - commands ( logged in as user "root" ) to install "cipherscan":
Code: 
mkdir -p /root/addons/ssl/cipherscan
cd /root/addons/ssl/cipherscan
wget https://github.com/mozilla/cipherscan/archive/master.zip
unzip master.zip -d /root/addons/ssl/cipherscan
Example usage "cipherscan":

/root/addons/ssl/cipherscan/cipherscan-master/cipherscan YOUR-DOMAIN.COM__OR__SUBDOMAIN.YOUR-DOMAIN.COM
 
You must log in or register to reply here.

Similar threads

R
Issue SSL/TLS cert for mail server not updating (Lets Encrypt)
Replies
2
Views
890
tessa67
T
futureweb
Question Issues with SSL Certificate Renewal for Mail Services in Plesk: Seeking Automated Solution via CLI or API
Replies
8
Views
1K
futureweb
futureweb
S
Resolved Dovecot Broken After Latest Update
Replies
4
Views
1K
scpcomp
S
I
Question Problems with Email certificate renewal - seems linked to changes in SNI support
Replies
0
Views
3K
iainh
I
andreios
Issue Auto renew of wildcard cert. fails because Plesk doesn't apply DNS template changes
Replies
8
Views
2K
andreios
andreios
Back
Top