I suggest you ...

Use "Let's encrypt" to secure IMAP/POP/SMTP connections

Use "Let's encrypt" to secure IMAP/POP/SMTP connections to avoid "non valid certificate" messages with self-signed certs.

355 votes

Pol shared this idea

42 comments

  • Jochen commented

    NetVicious: You didn't get the problem. The aim is to secure every customer's own mailserver name
    mail.customer1.com
    mail.customer2.com
    mail.customer3.com ...

    it's not about subdomains ... it's about domains!

    It's about this scenario (now with wildcard certs ...)
    *.customer1.com
    *.customer2.org
    *.customer3.net

  • Anonymous commented

    @alexander postfix SNI has already been added so they can easily implement it. That information is old.

  • Alexander Blinne commented

    @TRILOS new media: Yeah, this has been discussed in the comments but not in the original feature request. My approach solves the original feature request. But I agree that the more advanced solution to secure mail with all the different domain names would be nice. This would also require implementation of SNI for postfix, which is not there yet: https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/32132116-it-would-be-nice-to-provide-mail-ssl-tls-support-w

  • TRILOS new media commented

    @Alexander Blinne: You didn't get the problem. The aim is to secure every customer's own mailserver name
    mail.customer1.com
    mail.customer2.com
    mail.customer3.com ...

  • Alexander Blinne commented

    I do it like this:
    1) Secure the plesk panel with Let's encrypt
    2) Choose the same certificate for securing mail
    3) Refer to the mail server by the same hostname as I use for the Plesk panel
    And everything works fine.

  • Anonymous commented

    Yes, we need this so each customer can input their own plesk hosted domain name in their email client (eg smtp.customerdomain.com) and securely connect to the Plesk mail server. This will help in many ways, especially if we ever have to move a customer to another plesk server: the email can continue to work as they're using their own domain name instead of the hosting provider plesk server (eg server104.hoster.com)

  • Redis commented

    Actually this is possible by commandline. I would suggest for plesk developers to set an option like that of "Secure plesk panel" with the ability to let the admin choose at plesk installation, or in settings in the following way:
    1) I setup my server that is named mainserver.domain.tld
    2) Plesk asks me to secure the panel, I select the checkbox, letsencrypt will generate a certificate for mainserver.domain.tld
    3) Plesk asks me which subdomain it should use for the mail subscriptions: I input MAILSUBDOMAIN as a name or whatever I like
    4) Plesk uses letsencrypt with option --expand to expand certificate for mainserver.domain.tld to include mailsubdomain.domain.tld
    5) Every time I create a new domain in plesk, plesk will automatically expand the existing certificate for mainserver.domain.tld and mailsubdomain.domain.tld, adding mailsubdomain.domain2.tld, mailsubdomain.domain3.tld etc., up to 100 domains, which is the letsencrypt domain limitation (if I'm not mistaken)
    6) Plesk assigns this ssl to the plesk panel and mail server automatically every time it is renewed and keeps in database the list of existing domains, so it gets renewed with all the mailname.*.tld

    This way you have a standard that is used for mail service, and doesn't abuse letsencrypt.
    All the domains mailsubdomain.*.tld will be virtual and redirected to one single directory for letsencrypt acme challenge. If someone opens mailsubdomain.domain.tld in the browser, it gets redirected to webmail (sort of alias)
    All the rest of the domains remain like it is now.

    That is my suggestion of how I think it would be the easiest way to implement, without too much hassle.
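
An added example, not part of the original thread and not Plesk's code: it plans the SAN lists for the expand scheme described in the comment above and checks, with RFC 6125-style matching, which client-facing mail names a certificate actually covers (including the wildcard case raised elsewhere in the thread). The function names, the `mail` label and the customer domains are assumptions constructed for illustration.

```python
# Added example: SAN planning and hostname coverage for per-customer mail names.
MAX_NAMES_PER_CERT = 100  # per-certificate name limit quoted in the comment above


def matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' only as the whole left-most label, one label deep."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more or fewer labels
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # refuse '*.tld'
    return p == h


def covered(sans, host):
    """True if any SAN entry of one certificate matches the host."""
    return any(matches(s, host) for s in sans)


def plan_certs(server_name, mail_label, domains, limit=MAX_NAMES_PER_CERT):
    """Build SAN lists: server name first, then <mail_label>.<domain> names.

    More than one list means more than one certificate, so the mail server
    then needs SNI or per-IP listeners to pick the right one.
    """
    names = [server_name] + [f"{mail_label}.{d}" for d in sorted(set(domains))]
    names = list(dict.fromkeys(names))  # de-duplicate, keep order
    return [names[i:i + limit] for i in range(0, len(names), limit)]


def uncovered(client_names, cert_san_lists):
    """Names that no certificate covers: clients would show a mismatch warning."""
    return [n for n in client_names
            if not any(covered(sans, n) for sans in cert_san_lists)]


if __name__ == "__main__":
    # Constructed sample data.
    domains = [f"customer{i}.com" for i in range(1, 4)]
    clients = [f"mail.{d}" for d in domains]
    print("panel cert only :", uncovered(clients, [["mainserver.domain.tld"]]))
    plan = plan_certs("mainserver.domain.tld", "mail", domains)
    print("expanded cert   :", uncovered(clients, plan), "certs:", len(plan))
    print("wildcard vs apex:", matches("*.customer1.com", "customer1.com"))
```
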

  • Joey den Hollander commented

    Back to using C-panel. It's not feasible this way. My customers are not tech savvy enough to change their mail settings from mail.domain.tld to another domain because Plesk is still lacking this feature.

  • Portable Page commented

    +1, most mail applications fill in mail.domain.com automatically when users provide their email-address. Because Plesk doesn't have an autodiscover feature either, it's confusing for many (not so tech-savvy) clients.

  • Anonymous commented

    Yes please add this feature! C-Panel has it already. I have been trialing Plesk for a few weeks now, however without this feature I don't think I can migrate over from C-Panel, which is frustrating as I like the WordPress features in Plesk.

  • H50K commented

    You could at least do it for dedicated IPs, so that a subscription has its own hostname answering with the right cert on SMTP/IMAP/POP.

    This should be possible by setting up postfix (master.cnf) like

    # One smtpd listener per address; IPv6 addresses go in [] and -o name=value takes no spaces
    [::1]:smtp inet n - - - - smtpd
    127.0.0.1:smtp inet n - - - - smtpd
    1.1.1.2:smtp inet n - - - - smtpd -o smtp_helo_name=domain2.tld -o myhostname=domain2.tld -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/fullchain.pem
    1.1.1.1:smtp inet n - - - - smtpd -o smtp_helo_name=privat.tld -o myhostname=privat.tld -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/fullchain.pem
    [2a03:4000:x:y::1]:smtp inet n - - - - smtpd -o smtp_helo_name=privat.tld -o myhostname=privat.tld -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/fullchain.pem
    [2a03:4000:x:y::2]:smtp inet n - - - - smtpd -o smtp_helo_name=domain2.tld -o myhostname=domain2.tld -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/fullchain.pem

    (as seen on https://www.mingblock.de/2018/04/plesk-onyx-und-der-mailserver/ -thx to Redhell)

    Due to DNS flexibility you should consider generating a cert for the record mail.DOMAIN.TLD

    That way we have more flexibility!

  • Michael commented

    @Daniel Hahn... I think this is not what the admins here are looking for. We are hoping for a multi certificate support. We want to give IMAP/POP/SMTP server names to our customers like e.g.:

    mail.customer1.com
    mail.customer2.com
    mail.customer3.com

    But this is not possible at the moment. We always have to give the Plesk server name to them, e.g.

    my.ugly-isp-name-for-this-plesk-server.com

    We also have the same problem for the Plesk backend login right now (but this is a different thread):

    https://my.ugly-isp-name-for-this-plesk-server.com:8443/

    I can say a lot of my customers need some extra attention because of this unsolved problem (not even talking about resellers).

    And when my customers are moving to a new Plesk server we have a lot of work to change all client-side settings (mail software, ...).

  • Michael commented

    @Daniel Hahn... Can you explain more in detail about your "single cron job" that solves that problem for you using Postfix MTA in Plesk? I think also the other admins would love to hear about that solution.
