SSL installation on port 465 - Plesk 11.5

[Shiney]

Hi all

I wonder if someone can help or shed any light on an issue please.
I have a single IP VPS running Plesk 11.5 (Linux) which has multiple domains hosted on it. I purchased an SSL and installed this for one domain only www.domainname1.co.uk, the SSL also covers domainname1.co.uk and mail.domainname1.co.uk. The rest of the VPS uses the standard, self signed Parallels certificate.

I am trying to add an email address to outlook 2007 [email protected] using port 465 and SSL connection. The SMTP is mail.domainname1.co.uk on which the SSL is correctly installed.
However, when setting up, Autodiscover only finds the Parallels self signed certificate and produces the warning about it. If I set up the email manually, when I try to send the same warning pops up as it has again only found the Parallels self signed cert.

I have spoken to the issuer of the SSL and they have advised I have installed this on port 443 on the Plesk VPS and I would need to install on port 465 for use with outlook 2007.
The question is, how do I go about doing this please bearing in mind that there are other domains on the VPS not related to the one in question such as www.domainname2.co.uk www.domainname3.co.uk etc.

Is there a way of specifying an SSL for a particular domain name for port 465 within plesk and is this expandable to other domains in the future as the plan is to slowly secure a few more?
Due to cost, buying an SSL to cover every single domain on the VPS is out of the question so I am trying to find an individual method if at all possible.

**EDIT** It appears I can append to the postfix_default.pem file the question is do I include both private keys as well as the certificates? IE parallels private key and the new SSL one?

Thanks in advance,
Kind regards

 

[Eileen Quick]

Hi There - I have a similar setup as you and am having similar problems.

I have purchased an ssl certificate for the control panel which replaces the default and covers all the customers when they log in to use the control panel (using control.myname.com then their username and password) but I cannot get mail to work at all and everything I do gives me a security warning about the certificate - I am using Outlook 2007 as well. I have just started with this and am about to put all my customers on. However I cant do this whilst I am getting all these certificate security issues.

I understood that if you put a copy of the control panel certificate in the imap, pop3 and smpt file then as long as you use the same domain name ie control.myname.com then everything should work and you should not get the security warnings. Tearing my hair out at the moment.

Anyone got any ideas?

 

[Shiney]

Hi There - I have a similar setup as you and am having similar problems.

I have purchased an ssl certificate for the control panel which replaces the default and covers all the customers when they log in to use the control panel (using control.myname.com then their username and password) but I cannot get mail to work at all and everything I do gives me a security warning about the certificate - I am using Outlook 2007 as well. I have just started with this and am about to put all my customers on. However I cant do this whilst I am getting all these certificate security issues.

I understood that if you put a copy of the control panel certificate in the imap, pop3 and smpt file then as long as you use the same domain name ie control.myname.com then everything should work and you should not get the security warnings. Tearing my hair out at the moment.

Anyone got any ideas?

Hi Eileen.
I think yours is slightly different if you have bought an SSL to cover the panel, mine is just domain specific. I believe with yours (providing you have the domain mail.yourmaindomain.com yourmaindomain.com and www.yourmaindomain.com added to the SSL when you purchased it) if you are wanting to cover the entire panel you can set this as default within plesk or you can just replace the 3 postfix files as per this document http://wpguru.co.uk/2014/12/plesk-mail-ssl/ or this onehttp://secure.hens-teeth.net/orders...talling-an-SSL-certificate-for-email-use.html This will replace the parallels self signed cert. However, when you do that Outlook 2007 may still throw up the warning (or class you as spam/junk) as there will be a domain mismatch. IE pop3 will be mail.yourclientdomain.com and smtp would be mail.yourmaindomain.com . This can be resolved by adding the include parameter in your SPF.
Hope that helps a little.

 

[UFHH01]

Hi Shiney,

**EDIT** It appears I can append to the postfix_default.pem file the question is do I include both private keys as well as the certificates? IE parallels private key and the new SSL one?

This is NOT possible.


You have the choice to define these ( standard!! ) certificate - files in your "main.cf"

smtpd_tls_CAfile=/PATH/TO/YOUR/CA-FILE
smtpd_tls_key_file=/PATH/TO/YOUR/KEY-FILE
smtpd_tls_cert_file=/PATH/TO/YOUR/CERT-FILE

... while you can define other certificates in your "master.cf", as for example:

XXX.XXX.XXX.XXX:smtp inet n - - - - smtpd
    -o smtpd_tls_key_file=/PATH/TO/YOUR/KEY-FILE
    -o smtpd_tls_cert_file=/PATH/TO/YOUR/CERT-FILE
...

XXX.XXX.XXX.XXX:smtps   inet n - - - - smtpd
    -o smtpd_tls_key_file=/PATH/TO/YOUR/KEY-FILE
    -o smtpd_tls_cert_file=/PATH/TO/YOUR/CERT-FILE
...

XXX.XXX.XXX.XXX:submission inet n - - - - smtpd
    -o smtpd_tls_key_file=/PATH/TO/YOUR/KEY-FILE
    -o smtpd_tls_cert_file=/PATH/TO/YOUR/CERT-FILE
...

plesk-YOUR-DOMAIN.COM-XXX.XXX.XXX.XXX- unix - n n - - smtp
    -o smtpd_tls_key_file=/PATH/TO/YOUR/KEY-FILE
    -o smtpd_tls_cert_file=/PATH/TO/YOUR/CERT-FILE
...

( where XXX.XXX.XXX.XXX has to be replaced with your IP )


If you don't define another certificate in your "main.cf" for a IP/domain, the defined standard from the "main.cf" is used.

 

[Shiney]

Hi UFHH01

Thank you for your reply and I didn't realise this wasn't possible. When I spoke to the certificate issuer they said it was possible which is why I went down that path.
Ok, as I have never done this before, can you help further please.

I have installed the SSL certificate on the sever but do not know the path to the files. Do I need to upload these separately to another directory on the server or is there an existing path (that plesk always uses to store these)?
Secondly, where is the main.cf file held to edit this? Do I need to edit BOTH main.cf and master.cf for this to work correctly?
Lastly, is this for SSL or TLS as I saw this in the code. It's SSL I was after.

Sorry for the lack of understanding.
Thank you.

 

[UFHH01]

Hi Shiney,

I have installed the SSL certificate on the sever but do not know the path to the files. Do I need to upload these separately to another directory on the server or is there an existing path (that plesk always uses to store these)?

Plesk stores the uploaded/generated certificates at: "/usr/local/psa/var/certificates" / "/opt/psa/var/certificates"
You are able to use your OWN paths, for manual uploads.. it is YOUR choice!

Secondly, where is the main.cf file held to edit this? Do I need to edit BOTH main.cf and master.cf for this to work correctly?

For postfix, the configuration files are located at "/etc/postfix/*".

Plesk for Linux services logs and configuration files ( KB - article: 111 283 )​

Lastly, is this for SSL or TLS as I saw this in the code. It's SSL I was after.

Basically, you should know, that TLS fairly equals SSL - it depends on your defined ciphers lists, which protocols are used. Pls. use for example Google, to search for answers to your question: => http://lmgtfy.com/?q="TLS"+"SSL"+"difference"

 

[Shiney]

Thanks UFHH01

According to some people it actually seems that TLS has overtaken SSL after several breaches in SSL - thanks for that.
I'm going to give your suggestion and whirl. Sorry, one last thing, do I need to do both main AND master.cf files or willl just main.cf be acceptable?

Thanks again.

 

[UFHH01]

Hi Shiney,

try to read my suggestions more precisely.

Sorry, one last thing, do I need to do both main AND master.cf files or willl just main.cf be acceptable?

Answer already given:

You have the choice to define these ( standard!! ) certificate - files in your "main.cf"

... while you can define other certificates in your "master.cf", as for example:

 

[Shiney]

Ok sorry.

 

[Shiney]

Added details as described to the master.cf and mail stopped working after a restart of postfix service.
I'll try googling to find a step by step simple guide as clearly I am unable to follow your kind help.

Thanks again.

 

[Shiney]

You have the choice to define these ( standard!! ) certificate - files in your "main.cf"

so I add my new certificate to this as well as the existing one. I need BOTH certificates as the SSL only covers one domain of the 30 I host.
IE
smtpd_tls_CAfile=/PATH/TO/YOUR/ORIGINAL_DEFAULT_FILE
smtpd_tls_key_file=/PATH/TO/YOUR/ORIGINAL_DEFAULT_FILE
smtpd_tls_cert_file=/PATH/TO/YOUR/ORIGINAL_DEFAULT_FILE

and add this
smtpd_tls_CAfile=/PATH/TO/YOUR/NEW_SSLDOMAIN_FILE
smtpd_tls_key_file=/PATH/TO/YOUR/NEW_SSLDOMAIN_FILE
smtpd_tls_cert_file=/PATH/TO/YOUR/NEW_SSLDOMAIN_FILE

then add in the master.cf file:

XXX.XXX.XXX.XXX:smtp inet n - - - - smtpd
-o smtpd_tls_key_file=/PATH/TO/YOUR/NEW_SSLDOMAIN_FILE
-o smtpd_tls_cert_file=/PATH/TO/YOUR/NEW_SSLDOMAIN_FILE
...
Code:
XXX.XXX.XXX.XXX:smtps inet n - - - - smtpd
-o smtpd_tls_key_file=/PATH/TO/YOUR/NEW_SSLDOMAIN_FILE
-o smtpd_tls_cert_file=/PATH/TO/YOUR/NEW_SSLDOMAIN_FILE
...
Code:
XXX.XXX.XXX.XXX:submission inet n - - - - smtpd
-o smtpd_tls_key_file=/PATH/TO/YOUR/NEW_SSLDOMAIN_FILE
-o smtpd_tls_cert_file=/PATH/TO/YOUR/NEW_SSLDOMAIN_FILE
...
Code:
plesk-YOUR-DOMAIN.COM-XXX.XXX.XXX.XXX- unix - n n - - smtp
-o smtpd_tls_key_file=/PATH/TO/YOUR/NEW_SSLDOMAIN_FILE
-o smtpd_tls_cert_file=/PATH/TO/YOUR/NEW_SSLDOMAIN_FILE


I ask this because at the end you state

"If you don't define another certificate in your "main.cf" for a IP/domain, the defined standard from the "main.cf" is used."

That means if i dont add NEW_SSLDOMAIN_FILE to the main.cf file as well as the default, the default will be used.


**UPDATE**
I added the code to the master.cf, postfix reload and got a fatal error. Replaced new master.cf with original, postfix reload all working again.
So I tried:
I added the code to the main.cf file then postfix reload and mydomain1.co.uk passes but mydomain2.co.uk (same IP) tries also to use this and fails validation for obvious reason (domain mismatch).
So, I added the code to the master.cf (changed IP as instructed) postfix reload but get the fatal error that it cannot start. TRied postfix start, still fatal error.
Replace new master.cf with original file and still fatal error. Replace new main.cf with original and all working again but back to square 1.

 

[UFHH01]

Hi Shiney,

my examples just show the certificate path, while you certainly need way more in your "main.cf" and your "master.cf", that's why I shortened the depending codes with "..." at the end and called them EXAMPLES as well. You can't just "copy&paste" my suggestions and put it inside your configuration files, because this will not work. Normally, the forum users adapt the suggestions and transfer them into their excistent configuration files, where they should work as expected. Unfortunately, you don't provide your "main.cf" and "main.cf" here in the thread, so that it wasn't possible to provide suggestions, being unique and more precise to your recent modification(s) and compatible to your existing configuration(s). Consider to add the needed configuration files, if you would like to get suggestions, which you can use with "copy&paste".


If you would like people willing to help you to investigate your issue, as for example:

I added the code to the master.cf, postfix reload and got a fatal error.

You will see an error message, either on the command line and/or in the depending mail - logs. Consider to POST such error(s), because we are only able to resolve issue, when we know the cause of your issue.

 

[Shiney]

Thanks UFHH01

I did manage to adapt the main.cf to my particular file format (used the .pem file for the domain rather than individual certs) which is why I guess it worked however there wasn't already a record in the master.cf and made the mistake of copying and pasting which I assume is why the error occured. Attached are main and master cf files as txt files as cf would not upload.

Basically what I would like to happen is that mail.domain-with-ssl.com uses the SSL certificate to send the email from 587 and TLS encrytion and that mail.domains-without-ssl.com (I have about 30 on one shared IP) use the default Parallels self signed cert on port 25 no encryption.
The idea is that in the future I would also like to add mail.domain2-with-ssl.com and mail.domain3-with-ssl.com for various clients rather than pay for a SSL to cover the entire VPS which is too costly.

Thanks.

Incidentally, I was told by the support team at my hosting for the VPS that I could add/append certificates to the postfix_default.pem file but I haven't done anything with that as you mentioned this was not possible.

 

[UFHH01]

Hi Shiney,

pls. be noted about the current line in your "master.cf"

plesk_saslauthd unix y y n - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.dbxxx.xx.xx.xxx- unix - n n - - smtp -o smtp_bind_address=xxx.xx.xx.xx -o smtp_bind_address6= -o smtp_address_preference=ipv4

... which is misconfigured. As you can see, "passwd.dbxxx.xx.xx.xxx-" is incorrect.
To avoid such misconfigurations, consider to modify your "master.cf" as FOR EXAMPLE ( pls. note, that "..." is a PLACEHOLDER and should be replaced with the specific, unique, additional modifications, that you define for the specific port ):

...
plesk_saslauthd        unix    y    y    y    -    1    plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db

# ================================================================================
# Special configurations to fit SMTP banner and certificates - port 25
# ================================================================================
localhost:smtp inet n - - - - smtpd
    -o smtpd_tls_key_file=/PATH/TO/YOUR/KEY-FILE
    -o smtpd_tls_cert_file=/PATH/TO/YOUR/CERT-FILE
...
  
XXX.XXX.XXX.XXX:smtp inet n - - - - smtpd
    -o smtpd_tls_key_file=/PATH/TO/YOUR/KEY-FILE
    -o smtpd_tls_cert_file=/PATH/TO/YOUR/CERT-FILE
...

# ================================================================================
# Special configurations to fit SMTP banner and certificates - port 465
# ================================================================================
localhost:smtps   inet n - - - - smtpd
    -o smtpd_tls_key_file=/PATH/TO/YOUR/KEY-FILE
    -o smtpd_tls_cert_file=/PATH/TO/YOUR/CERT-FILE
...
  
XXX.XXX.XXX.XXX:smtps   inet n - - - - smtpd
    -o smtpd_tls_key_file=/PATH/TO/YOUR/KEY-FILE
    -o smtpd_tls_cert_file=/PATH/TO/YOUR/CERT-FILE
...

# ================================================================================
# Special configurations to fit SMTP banner and certificates - port 587
# ================================================================================
localhost:submission inet n - - - - smtpd
    -o smtpd_tls_key_file=/PATH/TO/YOUR/KEY-FILE
    -o smtpd_tls_cert_file=/PATH/TO/YOUR/CERT-FILE
...

XXX.XXX.XXX.XXX:submission inet n - - - - smtpd
    -o smtpd_tls_key_file=/PATH/TO/YOUR/KEY-FILE
    -o smtpd_tls_cert_file=/PATH/TO/YOUR/CERT-FILE
...

# ================================================================================
# Special configurations to fit SMTP banner and certificates - Plesk-modified
# ================================================================================
plesk-YOUR-DOMAIN-A.COM-XXX.XXX.XXX.XXX- unix - n n - - smtp
    -o smtpd_tls_key_file=/PATH/TO/YOUR/KEY-FILE
    -o smtpd_tls_cert_file=/PATH/TO/YOUR/CERT-FILE
...

plesk-YOUR-DOMAIN-B.COM-XXX.XXX.XXX.XXX- unix - n n - - smtp
    -o smtpd_tls_key_file=/PATH/TO/YOUR/KEY-FILE
    -o smtpd_tls_cert_file=/PATH/TO/YOUR/CERT-FILE
...

TIP:
Before you modify the basic configuration, to fit your domain - names and IPs, consider as well to FIRST change the standard mail - server - settings at: "Home > Tools & Settings > Mail server settings"

( if these options are not present with your Plesk version, consider to upgrade to the most recent Plesk version! )​

and then make a backup of the standart, working configuration files! You are then able to adapt the above, additional suggestions far easier to your current configuration files and you are always able to restore your basic postfix configuration in case of issues/errors/problems/misconfigurations to reduce the downtime to a minimum. You will notice, that the suggested modfications will make it as well far easier to find possible misconfiguration(s).

 

[Shiney]

Morning UFHH01

I am currently on version 11.5 and at the moment am vary of upgrading to issues with plesk in the past not upgrading correctly. I have tried your suggestions for the 'master.cf' file and sadly once again postfix fails to start with the error:
"postfix/postfix-script: fatal: the Postfix mail system is not running"

I tried these carefully one at a time (as I believe postfix does not allow to many changes at once) but postfix fails everytime. As soon as I re-load the original file all is good.
Basically, any change seems to cause an issue or corruption.
PS I put the xxx over my IP address in the file.

Any further suggestions that my stunted intelligence might try?

Thank you.

 

[UFHH01]

Hi Shiney,

pls. post the "master.cf" AFTER you changed it to your own, unique configuration file, so that people willing to help you may investigate possible issues and point you to possible misconfigurations ( the same for your "main.cf", if you experience issues, AFTER changing it ).

 

[Shiney]

I havent changed the main.cf since I put it back to reading the default and prior to trying this. I meant to attach master.cf file, this is now attached.

I've only add the area where I have changed. The rest of the file is unchanged

 

[UFHH01]

Hi Shiney,

you made the very same mistake, by just performing "copy&paste" according to the suggestions, instead of ADAPTING the suggestions to your configuration file => "master.cf".

First, you have:

123.45.67.89- unix - n n - - smtp -o smtp_bind_address=123.45.67.89 -o smtp_bind_address6= -o smtp_address_preference=ipv4

... and at the very end, you have again:

smtp      inet  n       -       n       -       -       smtpd
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes
submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

... which is first of all a DOUBLE entry, when you use the additional suggestions, which overwrite your previous modifications ( it they are valid postfix configurations! )


Pls. have a look again at the suggestions ( I just pick up ONE now, to point you directly to your issue! ):

You added:

# ================================================================================
# Special configurations to fit SMTP banner and certificates - port 587
# ================================================================================

localhost:submission inet n - - - - smtpd
    -o smtpd_tls_key_file=/domain/ssl/certs/domainname.key
    -o smtpd_tls_cert_file=/domain/ssl/certs/domainname.pem

123.45.67.89:submission inet n - - - - smtpd
    -o smtpd_tls_key_file=/domain/ssl/certs/domainname.key
    -o smtpd_tls_cert_file=/domain/ssl/certs/domainname.pem

... but at the end, you overwrite your modification with:

submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

I will now re-organize the "submission" part for you, so that you are able to see the actual MISSING parts at your modifications as well:

submission inet n - n - - smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

Pls. be aware, that if you leave out option - strings in your modification(s), then the standards, defined in your "main.cf" are used!!! Pls. be as well aware of the fact, that IF you add additional, unique modifications, you have to eliminate standart, basic configuration options, which may follow AFTERWARDS. The hint here is "first come = first serve" and "previous modifications are overwritten by later ones" ... but if your modifications are misconfigured, postfix can't start, even that later configurations might be correct.



The correct configuration of your actual, additional submission - part would look like this:

# ================================================================================
# Special configurations to fit SMTP banner and certificates - port 587
# ================================================================================

localhost:submission inet n - - - - smtpd
    -o smtpd_tls_key_file=/domain/ssl/certs/domainname.key
    -o smtpd_tls_cert_file=/domain/ssl/certs/domainname.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

123.45.67.89:submission inet n - - - - smtpd
    -o smtpd_tls_key_file=/domain/ssl/certs/domainname.key
    -o smtpd_tls_cert_file=/domain/ssl/certs/domainname.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

... while you would comment the original submission - part at the end with a "#" in front, to tell postfix to ignore it:

#submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

 

[Shiney]

The first two are in the original file were original so I had left them not knowing they would overwrite the work you have already suggested. This is my first time delving into these files and I am trying to learn as well as not disrupt the originals too much.

I will continue to endeavour to get this right. Thanks for your continued help

 

[Shiney]

Ok this is all in the 'master.cf' file. Main.cf file is untouched

I added:
# ================================================================================
# Special configurations to fit SMTP banner and certificates - port 587
# ================================================================================

localhost:submission inet n - - - - smtpd
-o smtpd_tls_key_file=/domain/ssl/certs/domainname.key
-o smtpd_tls_cert_file=/domain/ssl/certs/domainname.pem
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

123.45.67.89:submission inet n - - - - smtpd
-o smtpd_tls_key_file=/domain/ssl/certs/domainname.key
-o smtpd_tls_cert_file=/domain/ssl/certs/domainname.pem
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

commented out:

#submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

Then postfix reload and fatal error.

SO I then changed

plesk_saslauthd unix y y n - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db

TO READ:

plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db

Postfix reload and Postfix restarted but failed to read the new SSL. Only the default again

SO I then added:

# ================================================================================
# Special configurations to fit SMTP banner and certificates - Plesk-modified
# ================================================================================

plesk-domainname.co.uk-123.45.67.89- unix - n n - - smtp
-o smtpd_tls_key_file=/domain/ssl/certs/domainname.key
-o smtpd_tls_cert_file=/domain/ssl/certs/domainname.pem
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

and again postfix reload and again Postfix fatal error

I'm convinced by now that I do not have the ability to do this correctly OR more to the point, to figure out where I am going wrong.

Thank you for all you help and trying on this.