I suggest you ...

Use "Let's encrypt" to secure IMAP/POP/SMTP connections

Use "Let's encrypt" to secure IMAP/POP/SMTP connections to avoid "non valid certificate" messages with self signed certs.

238 votes
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    Signed in as (Sign out)

    We’ll send you updates on this idea

    Pol shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

    34 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)
      Submitting...
      • Redis commented  ·   ·  Flag as inappropriate

        Actually this is possible by commandline. I would suggest for plesk developers to set an option like that of "Secure plesk panel" with the ability to let the admin chose at plesk installation, or in settings in the following way:
        1) I setup my server that is named mainserver.domain.tld
        2) Plesk asks me to secure the panel, I select the checkbox, letsencrypt will generate a certificate for mainserver.domain.tld
        3) Plesk asks me which subdomain should use for the mail subscriptions: I input MAILSUBDOMAIN as a name or whatever I like
        4) Plesk uses letsencrypt with option --expand to expand certificate for mainserver.domain.tld to include mailsubdomain.domain.tld
        5) Everytime I create a new domain in plesk, plesk will automatically expand the existing certificate for mainserver.domain.tld and mailsubdomain.domain.tld adding mailsubdomain.domain2.tld mailsubdomain.domain3.tld etc up to 100 domains that it's the letsencrypt domain limitation(If I'm not mistaken)
        6) Plesk assigns this ssl to the plesk panel and mail server automatically every time it is renewed and keeps in database the list of existing domains, so it gets renewed with all the mailname.*.tld

        This way you have a standard that is used for mail service, and doesn't abuse letsencrypt.
        All the domains mailsubdomain.*.tld will be virtual and redirected to one single directory for letsencrypt acme challenge. If someone opens mailsubdomain.domain.tld in the browser, it gets redirected to webmail(sort of alias)
        All the rest of the domains remain like it is now.

        That is my suggestion of how I think it would be the easiest way to implement, without too much hassle.

      • Joey den Hollander commented  ·   ·  Flag as inappropriate

        Back to using C-panel. It's not feasible this way. My customers are not tech savvy enough to change their mail settings from mail.domain.tld to another domain because Plesk is still lacking this feature.

      • Portable Page commented  ·   ·  Flag as inappropriate

        +1, most mail applications fill in mail.domain.com automatically when users provide their email-address. Because Plesk doesn't have an autodiscover feature either, it's confusing for many (not so tech-savvy) clients.

      • Anonymous commented  ·   ·  Flag as inappropriate

        Yes please add this feature! C-Panel has it already. I have been trialing Plesk for a few weeks now, however without this feature I don't think I can migrate over from C-Panel which is frustrating as I like the Wordpress features in Plesk.

      • H50K commented  ·   ·  Flag as inappropriate

        You could at least do it for dedicated ip's that an subscription hast it's own hostname answering with the right cert. on SMTP '/ IMAP/POP.

        This should be possible by setting up postfix (master.cnf) like

        ::1:smtp inet n - - - - smtpd
        127.0.0.1:smtp inet n - - - - smtpd
        1.1.1.2:smtp inet n - - - - smtpd -o smtp_helo_name=domain2.tld -o myhostname=domain2.tld -o smtpd_tls_key_file= /usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/fullchain.pem
        1.1.1.1:smtp inet n - - - - smtpd -o smtp_helo_name=privat.tld -o myhostname=privat.tld -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/fullchain.pem
        2a03:4000:x:y::1:smtp inet n - - - - smtpd -o smtp_helo_name=privat.tld -o myhostname=privat.tld -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/fullchain.pem
        2a03:4000:x:y::2:smtp inet n - - - - smtpd -o smtp_helo_name=domain2.tld -o myhostname=domain2.tld -o ssmtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/fullchain.pem

        (as seen on https://www.mingblock.de/2018/04/plesk-onyx-und-der-mailserver/ -thx to Redhell)

        due to DNS flexibility you should coincider geneating an cert for the record mail.DOMAIN.TLD

        That way we have more flexibillity!

      • Michael commented  ·   ·  Flag as inappropriate

        @Daniel Hahn... I think this is not what the admins here are looking for. We are hoping for a multi certificate support. We want to give IMAP/POP/SMTP server names to our customers like e.g.:

        mail.customer1.com
        mail.customer2.com
        mail.customer3.com

        But this is not possible at the moment. We always have to give the Plesk server name to them, e.g.

        my.ugly-isp-name-for-this-plesk-server.com

        We also have the same problem for the Plesk backend login right now (but this is a different thread):

        https://my.ugly-isp-name-for-this-plesk-server.com:8443/

        I can say a lot of my customers need some extra attention because of this unsolved problem (not even talking about resellers).

        And when my customers are moving to a new Plesk server we have a lot of work to change all client-side settings (mail software, ...).

      • Michael commented  ·   ·  Flag as inappropriate

        @Daniel Hahn... Can you explain more in detail about your "single cron job" that solves that problem for you using Postfix MTA in Plesk? I think also the other admins would love to hear about that solution.

      • Sergio commented  ·   ·  Flag as inappropriate

        ensure mail with certificate would have to be resolved by Plesk either with Lets Encrypt or with any other provider from the Panel itself as users claim for years and automate mail autoresponders for the start and end , and be able to send backup copies to Google Drive, Onedrive in an easy way, although I believe that the latter has already been implemented.

      • Anonymous commented  ·   ·  Flag as inappropriate

        Everyone would benefit greatly from it even if they don't know because it looks much more professional towards all your customers. I am absolutely surprised that this feature does not exist already and my only dissapointment for plesk so far

      • G J Piper commented  ·   ·  Flag as inappropriate

        While this would be a great feature, my understanding is that postfix is incapable of serving certs on multiple hosted domains. Admin: is this incorrect? Would the implementation of this require a migration from postfix to something else?

      • Bruno commented  ·   ·  Flag as inappropriate

        No fraud attempt, this is the real deal and most of our clients are asking.

      ← Previous 1

      Feedback and Knowledge Base