• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved SSL cert problem for mail after cert update

P

Powerdynamo

New Pleskian
OS:
‪Ubuntu 14.04.5 LTS‬
Plesk version 12.5.30 Update #55

as my odin cert had expired, i installed a new, first a self signed, than a trusted from comodo.
cert in the name of the server xxonline.info.
i can start plesk without any cert warning now, nut have problems with mail.

i installed this cert also in postfix and dovecot.
when i access mail via a domain, the mail client warns that cert is not matching - i can see the correct cert, but, sure, this is for xxonline.info and the client warns.

now, no problem to instruct the mail clients to accept.
BUT, and this is a big issue - ios10 via iphone has no provision to accept this (ipad with same ios has for some reason).

how do i get round the issue?

did not happen in old odin cert as long as it was valid, after it had expired there was also a problem with IOS10

thank you
 
Hi Powerdynamo,

Powerdynamo said:
BUT, and this is a big issue - ios10 via iphone has no provision to accept this (ipad with same ios has for some reason).
Click to expand...
Pls. consider to add MORE allowed ciphers. It could help you, to check your certificate ( with very detailed descriptions after the check! ) at: => https://www.ssllabs.com/ssltest/index.html so that you are able to understand, that several browsers/eMail-Clients are just not able to handshake with all protocols and ciphers - lists.

Additional descriptions and informations can be found here: => #2 / #100 / https://kb.plesk.com/7013 / ( or/and use the FORUM - SEARCH: => https://talk.plesk.com/search/search?&keywords="cipher" or the Plesk Knowledge - Base SEARCH: => https://kb.plesk.com/?q=ciphers&qprod=1&qlang=de&qLangEn=0&displayNumber=100 )


A very good site to inform yourself about ciphers - lists and protocols ( with "configuration generator" ): => https://wiki.mozilla.org/Security/Server_Side_TLS



Recommended commands to change several services with your UNIQUE, CUSTOM ciphers - lists / protocols:

Global example with the Plesk "sslmng utility" ( => pls. use the SSH - command ( logged in as user "root" ) => "plesk sbin sslmng -h" / "plesk sbin sslmng --help" for more options/informations )

For ALL services:

plesk sbin sslmng --custom --ciphers="YOUR-DESIRED-CIPHERS-LISTS" --protocols="TLSv1 TLSv1.1 TLSv1.2"

For specific services:

plesk sbin sslmng --services=SERVICE-NAME --custom --ciphers="YOUR-DESIRED-CIPHERS-LISTS" --protocols="TLSv1 TLSv1.1 TLSv1.2"

List available services: plesk sbin sslmng -l / plesk sbin sslmng --show-custom


Per service examples:

plesk sbin sslmng --services=postfix --custom --ciphers="YOUR-DESIRED-CIPHERS-LISTS" --protocols="TLSv1 TLSv1.1 TLSv1.2"

plesk sbin sslmng --services=dovecot --custom --ciphers="YOUR-DESIRED-CIPHERS-LISTS" --protocols="TLSv1 TLSv1.1 TLSv1.2"


Plesk actually recommends to use the following ciphers - list:
Code: 
EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20
I personally recommend to use:
Code: 
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS




Additional help recommendations:

Use for example the tool "Cipherscan" ( https://github.com/mozilla/cipherscan ), to test ciphers for a specific (sub)domain.

Example SSH - commands ( logged in as user "root" ) to install "cipherscan":
Code: 
mkdir -p /root/addons/ssl/cipherscan
cd /root/addons/ssl/cipherscan
wget https://github.com/mozilla/cipherscan/archive/master.zip
unzip master.zip -d /root/addons/ssl/cipherscan
Example usage "cipherscan":

/root/addons/ssl/cipherscan/cipherscan-master/cipherscan YOUR-DOMAIN.COM__OR__SUBDOMAIN.YOUR-DOMAIN.COM
 
You must log in or register to reply here.

Similar threads

I
Question Problems with Email certificate renewal - seems linked to changes in SNI support
Replies
0
Views
2K
iainh
I
andreios
Issue Auto renew of wildcard cert. fails because Plesk doesn't apply DNS template changes
Replies
8
Views
2K
andreios
andreios
M
Resolved Outlook Error 0x800ccc1a after Client update to Windows 11 22H2
Replies
3
Views
1K
bazzil
B
I
Issue Postfix uses old cert for local connections only
Replies
1
Views
736
iam_bosko
I
A
Issue Plesk mail on iphone with cert problems
Replies
17
Views
2K
Alex Cote
A
Back
Top