• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Resolved the SSL certificate for mailman

tkalfaoglu

Silver Pleskian
Server operating system version
Alma Linux
Plesk version and microupdate number
Obsidian
Hi.. assume domain.com is our default domain for the server. I generated some certificates for it with Lets Encrypt, and eventually created a wildcard certificate and *.domain.com is using it.
When I try to logon to https://lists.domain.com it gives a warning -- saying that the certificate is only for panel.domain.com and not for lists.domain.com - although as I mentioned, the domain.com is using a wildcard certificate right now..

I tried various things, including setting that certificate as default in the IP Addresses setting, and even creating a
/usr/local/psa/admin/conf/templates/custom/server/mailman.php file to specify a specific certificate:

SSLEngine on
SSLVerifyClient none
SSLCertificateFile "/usr/local/psa/var/certificates/scfoHoWU1"

... but this is ignored, even after PLESK REPAIR WEB domain.com .. When visiting https://lists.domain.com I still get a warning that the certificate is only for panel.domain.com

So, how can I fix the mailman https problem?
 
PS: The above SSLCertificateFile "/usr/local/psa/var/certificates/scfoHoWU1" is the wildcard certificate that Lets Encrypted created for *.domain.com -- I found it by grepping among the certificates in that directory
 
Btw, the custom template file seems to be ignored.
Also, trying to pick a certificate from the pull down list gives "there are 109 more items" blurb after a few items listed. So I cannot pick the correct certificate there.
 
The "there are 109 more items" problem happens in the:

Secure Mail Server​

Select a certificate for securing the mail server.

Select Certificate *

blurb.. it won't let me pick the wildcard certificate..
 
SOLVED the last item - picking the correct sertificate for SECURE MAIL SERVER prompt. apparently you can just write -- don't need the pull down list. I wrote and picked the correct wildcard cert.. but still the mailman problem continues.. bad certificate..
 
Yes, it seems that Apache/Nginx ignore the wildcard certificate for *.domain.com in case domain.com is part of a subscription and when I try to access lists.domain.com.
@IgorG any workaround here?
 
What keeps you from issueing it?
There isn't any component designation when you issue a wildcard LE certificate within Plesk. This needs to be setup by Plesk so that we can use that for the lists. If there is another way, I'm open to hear it.
 
✅ Solution: Mailman 2.x with valid SSL on its own subdomain under Plesk

Many Plesk users struggle with properly enabling SSL for Mailman 2.x – especially when accessing it via , which by default uses the server’s default SSL certificate (e.g., for hostname.tld). This becomes a real problem when HSTS is enabled, leading to redirect loops and browser warnings.

Here’s a clean and Plesk-compliant solution that allows you to run Mailman 2.x under HTTPS on its own subdomain using Let’s Encrypt.



Goal:

Make available over HTTPS with a valid certificate – without system-level hacks and staying fully within the Plesk UI.



✅ Step-by-step solution:

  1. Create a dedicated subdomain:
    Go to Domains > Add Subdomain
    Enter lists.domain.tld
    Enable web hosting
    Issue a Let’s Encrypt certificate for the subdomain
  2. Hosting settings (Plesk > Subdomain > Hosting Settings):

    Enable:

    ☑ SSL/TLS
    ☑ FastCGI
    ☑ CGI​
    SEO-friendly redirect (HTTP → HTTPS) → ☑ Enabled

    No application or redirect type needed

  3. Apache directives (Plesk > Apache & nginx Settings):

    Add the following in both HTTP and HTTPS sections:

    Code:
    SetEnv HTTPS on
    ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/

  4. nginx settings:

    Leave Proxy Mode ☑ Enabled

    Do not add any custom nginx directives

    Plesk will handle passing the request from nginx to Apache automatically

  5. Result:

    Mailman is now reachable under:

    Code:
    https://lists.domain.tld/mailman/listinfo

    → Valid Let’s Encrypt certificate
    → No redirect loops
    → Fully HSTS-compliant
    → No changes outside Plesk required



Why this works:

Without a dedicated subdomain, Plesk defaults to using the hostname’s certificate (e.g. drg.urbanhosting.de) for Mailman.
That breaks HTTPS when accessed via lists.domain.tld, especially with HSTS.
Creating the subdomain allows you to issue a proper cert and instruct Apache to serve Mailman correctly through the ScriptAlias.



Notes:

  • []This setup is intended for Mailman 2.1.x (CGI-based).
    [
    ]It does not apply to Mailman 3, which requires uwsgi and a WSGI-enabled environment.
  • If you want custom error pages, you can add:
    Code:
    ErrorDocument 404 /custom/404.html



This setup has now been running smoothly on our production environment.

Best regards,

Marian Feiler
 
Last edited by a moderator:
Back
Top