Use "Let's encrypt" to secure IMAP/POP/SMTP connections
Use "Let's encrypt" to secure IMAP/POP/SMTP connections to avoid "non valid certificate" messages with self signed certs.
As UserVoice staff cleaned up the most of twisted voices, I’ve returning this suggestion to open discussion.
Everyone, please continue voting for this feature if you consider it important.
Actually this is possible by commandline. I would suggest for plesk developers to set an option like that of "Secure plesk panel" with the ability to let the admin chose at plesk installation, or in settings in the following way:
1) I setup my server that is named mainserver.domain.tld
2) Plesk asks me to secure the panel, I select the checkbox, letsencrypt will generate a certificate for mainserver.domain.tld
3) Plesk asks me which subdomain should use for the mail subscriptions: I input MAILSUBDOMAIN as a name or whatever I like
4) Plesk uses letsencrypt with option --expand to expand certificate for mainserver.domain.tld to include mailsubdomain.domain.tld
5) Everytime I create a new domain in plesk, plesk will automatically expand the existing certificate for mainserver.domain.tld and mailsubdomain.domain.tld adding mailsubdomain.domain2.tld mailsubdomain.domain3.tld etc up to 100 domains that it's the letsencrypt domain limitation(If I'm not mistaken)
6) Plesk assigns this ssl to the plesk panel and mail server automatically every time it is renewed and keeps in database the list of existing domains, so it gets renewed with all the mailname.*.tld
This way you have a standard that is used for mail service, and doesn't abuse letsencrypt.
All the domains mailsubdomain.*.tld will be virtual and redirected to one single directory for letsencrypt acme challenge. If someone opens mailsubdomain.domain.tld in the browser, it gets redirected to webmail(sort of alias)
All the rest of the domains remain like it is now.
That is my suggestion of how I think it would be the easiest way to implement, without too much hassle.
Gaby Bowling commented
How is this essential feature still open discussion
Joey den Hollander commented
Back to using C-panel. It's not feasible this way. My customers are not tech savvy enough to change their mail settings from mail.domain.tld to another domain because Plesk is still lacking this feature.
Portable Page commented
+1, most mail applications fill in mail.domain.com automatically when users provide their email-address. Because Plesk doesn't have an autodiscover feature either, it's confusing for many (not so tech-savvy) clients.
Yes please add this feature! C-Panel has it already. I have been trialing Plesk for a few weeks now, however without this feature I don't think I can migrate over from C-Panel which is frustrating as I like the Wordpress features in Plesk.
You could at least do it for dedicated ip's that an subscription hast it's own hostname answering with the right cert. on SMTP '/ IMAP/POP.
This should be possible by setting up postfix (master.cnf) like
::1:smtp inet n - - - - smtpd
127.0.0.1:smtp inet n - - - - smtpd
18.104.22.168:smtp inet n - - - - smtpd -o smtp_helo_name=domain2.tld -o myhostname=domain2.tld -o smtpd_tls_key_file= /usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/fullchain.pem
22.214.171.124:smtp inet n - - - - smtpd -o smtp_helo_name=privat.tld -o myhostname=privat.tld -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/fullchain.pem
2a03:4000:x:y::1:smtp inet n - - - - smtpd -o smtp_helo_name=privat.tld -o myhostname=privat.tld -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/fullchain.pem
2a03:4000:x:y::2:smtp inet n - - - - smtpd -o smtp_helo_name=domain2.tld -o myhostname=domain2.tld -o ssmtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/fullchain.pem
(as seen on https://www.mingblock.de/2018/04/plesk-onyx-und-der-mailserver/ -thx to Redhell)
due to DNS flexibility you should coincider geneating an cert for the record mail.DOMAIN.TLD
That way we have more flexibillity!
This feature is absolutely necessary. Please consider this as a priority.
iam also vote
@Daniel Hahn... I think this is not what the admins here are looking for. We are hoping for a multi certificate support. We want to give IMAP/POP/SMTP server names to our customers like e.g.:
But this is not possible at the moment. We always have to give the Plesk server name to them, e.g.
We also have the same problem for the Plesk backend login right now (but this is a different thread):
I can say a lot of my customers need some extra attention because of this unsolved problem (not even talking about resellers).
And when my customers are moving to a new Plesk server we have a lot of work to change all client-side settings (mail software, ...).
Daniel Hahn commented
@Michael Cron just called a script...
More you will find at: https://github.com/Powie/plesk_mailcert
@Daniel Hahn... Can you explain more in detail about your "single cron job" that solves that problem for you using Postfix MTA in Plesk? I think also the other admins would love to hear about that solution.
Giancarlo Di Massa commented
There are no plans to implement SNI in the Postfix SMTP server. cfr. http://www.postfix.org/TLS_README.html
Daniel Hahn commented
would help me to remove one cron job ;-)
and should be state of the art
ensure mail with certificate would have to be resolved by Plesk either with Lets Encrypt or with any other provider from the Panel itself as users claim for years and automate mail autoresponders for the start and end , and be able to send backup copies to Google Drive, Onedrive in an easy way, although I believe that the latter has already been implemented.
AmaZili Communication commented
Definitly, definitly needed in 2018.
Middle age of unsecured comunications ended last year :-)
Everyone would benefit greatly from it even if they don't know because it looks much more professional towards all your customers. I am absolutely surprised that this feature does not exist already and my only dissapointment for plesk so far
Yes, it is a vital demand for plesk ! Thank you
G J Piper commented
While this would be a great feature, my understanding is that postfix is incapable of serving certs on multiple hosted domains. Admin: is this incorrect? Would the implementation of this require a migration from postfix to something else?
No fraud attempt, this is the real deal and most of our clients are asking.