
Resolved Problem with SSL LE (mail settings)

onelife9

New Pleskian
Hi. I have a problem with Let's Encrypt certificates for each domain (only for mail). This works fine for sites. For mail, it gets the server's root certificate instead of the domain's. Why?

Example:

openssl s_client -showcerts -servername bezglutenowyhert.pl -connect bezglutenowyhert.pl:465

These are my settings. They look correct.
 
The "SSL/TLS certificate for mail" setting is useless without a wildcard certificate, it just doesn't work as you would expect.
If you install the wildcard certificate, it works.
 
Would you not only need a wildcard if you do not address the server by the domain name, but by a prefixed domain like smtp.<domain> or imap.<domain> etc.? Else it should be o.k. if you simply enter the domain name as server name.
 
Hey, I still have a problem. I have a wildcard LE certificate.

I use the main domain or mail.*, but it still displays the server's root certificate, not the domain's.

I know I can use the main domain of the server, but I care about the address per domain.

openssl s_client -showcerts -servername bezglutenowyhert.pl -connect bezglutenowyhert.pl:465
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = vps800343.ovh.net
verify return:1
---
Certificate chain
0 s:/CN=vps800343.ovh.net
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3





or mail.*

openssl s_client -showcerts -servername mail.bezglutenowyhert.pl -connect mail.bezglutenowyhert.pl:465
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = vps800343.ovh.net
verify return:1
---
Certificate chain
0 s:/CN=vps800343.ovh.net
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 
You're trying to connect to the SMTP server, but the SMTP server will be protected by default by the host certificate. Try
openssl s_client -showcerts -servername bezglutenowyhert.pl -connect bezglutenowyhert.pl:993
instead.

Please also try this from your own server:
echo 'Q' | openssl s_client -connect bezglutenowyhert.pl:465 -servername bezglutenowyhert.pl -showcerts 2>&1 | grep -Eo 'CN=[^/]+' | uniq

and make sure that the certificate that was issued for your domain is set as the mail certificate of that domain.
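To automate the check suggested above (probe 465 and 993 with SNI and see whether the served leaf certificate actually covers the mail hostname), here is an added example script; it is not from the thread or from Plesk. The `fetch_peer_cert` function needs network access; the constructed `fake_cert` dicts at the bottom only mirror the CNs shown in the thread's openssl output so the matching logic can be exercised offline.

```python
import socket
import ssl

# Implicit-TLS mail ports compared in the thread: SMTPS (465) and IMAPS (993).
MAIL_PORTS = {"smtps": 465, "imaps": 993}

def fetch_peer_cert(host, port, sni=None, timeout=10):
    """Connect with implicit TLS, send `sni` (default: host) in the ClientHello, return the leaf cert dict."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we want to inspect a wrong cert, not abort on it
    ctx.verify_mode = ssl.CERT_REQUIRED   # a trusted chain is still required for getpeercert()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """Names the certificate is valid for: dNSName SANs first, then the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or a wildcard that covers exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return head != "" and tail == pattern[2:]
    return False

def cert_covers(cert, hostname):
    """True if the served certificate is valid for `hostname` (CN included, since the thread's output shows CNs)."""
    return any(name_matches(n, hostname) for n in cert_names(cert))

def check_mail_ports(host):
    """Probe each mail port with SNI=host; report per service whether the served cert covers host."""
    return {svc: cert_covers(fetch_peer_cert(host, port), host) for svc, port in MAIL_PORTS.items()}

# Constructed certificate dicts mirroring the CNs in the thread (not real certificates).
def fake_cert(*names):
    return {"subject": ((("commonName", names[0]),),),
            "subjectAltName": tuple(("DNS", n) for n in names)}

SERVED_ON_465 = fake_cert("vps800343.ovh.net")      # the host certificate seen on port 465
SERVED_ON_993 = fake_cert("bezglutenowyhert.pl")     # the per-domain certificate seen on port 993
WILDCARD = fake_cert("*.bezglutenowyhert.pl")        # a wildcard LE certificate
```

Note that a wildcard `*.example.com` covers `mail.example.com` but not the bare `example.com`, so a wildcard-only certificate does not help when the server name entered in the mail client is the apex domain.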
 
OK, I tried openssl with 993 and it's fine.

openssl s_client -showcerts -servername bezglutenowyhert.pl -connect bezglutenowyhert.pl:993
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = bezglutenowyhert.pl
verify return:1
---
Certificate chain
0 s:/CN=bezglutenowyhert.pl

but from my server with 465:

CN=vps800343.ovh.net
CN=Let's Encrypt Authority X3
CN=DST Root CA X3
CN=vps800343.ovh.net
CN=Let's Encrypt Authority X3


For SMTP, will it always be the root server certificate?

I have SNI turned on.
 
That's a good question. I thought that SMTP can also use the individual certificate. Never really tested it to the bone.

Further research brought up this article on a bug that seems to meet your situation:
Do you get any of the warning messages in /var/log/maillog described in that article?
 
unfortunately not... (debug enabled)

I have the current plesk version.

Product version: Plesk Obsidian 18.0.31.2
Build date: 2020/11/27 17:00
 
I'd guess that this case needs a support ticket with Plesk support, so that they can check the situation directly on your server.
If you have a license from a reseller, you could consider using the free "test" for paid support.
 