Use "Let's encrypt" to secure IMAP/POP/SMTP connections
Use "Let's encrypt" to secure IMAP/POP/SMTP connections to avoid "non valid certificate" messages with self signed certs.
As UserVoice staff cleaned up the most of twisted voices, I’ve returning this suggestion to open discussion.
Everyone, please continue voting for this feature if you consider it important.
Could someone please finally update the description of the original request here to reflect that this feature suggestion is really about adding the "let's encrypt" part to this one here: https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/32132116-it-would-be-nice-to-provide-mail-ssl-tls-support-w ?
NetVicious: You didn´get the problem. The aim is to secure every customer´s own mailserver name
it's not about subdomains ... it's about domains!
It's about this scenario (now with wildcard certs ...)
Don't loose time creating multiple certs for each subdomain. Let's Encrypt allows creating wildcards certificates (like *.example.com) from one year ago. Check next link:
@alexander postfix SNI has already been added so they can easily implement it. That information is old.
@TRILOS new media: Yeah, this has been discussed in the comments but not in the original feature request. My approach solves the original feature request. But I agree that the more advanced solution to secure mail with all the different domain names would be nice. This would also require implementation of SNI for postfix, which is not there yet: https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/32132116-it-would-be-nice-to-provide-mail-ssl-tls-support-w
TRILOS new media commented
@Alexander Blinne: You didn´get the problem. The aim is to secure every customer´s own mailserver name
I do it like this:
1) Secure the plesk panel with Let's encrypt
2) Chose the same certificate for securing mail
3) Refer to the mail server by the same hostname as I use for the Plesk panel
And everything works fine.
Yes, we need this so each customer can input their own plesk hosted domain name in their email client (eg smtp.customerdomain.com) and securely connect to the Plesk mail server. This will help in many ways especially if we have to ever move a customer to another plesk server, the email can continue to work as their using their own domain name instead of the hosting provider plesk server (eg server104.hoster.com)
Actually this is possible by commandline. I would suggest for plesk developers to set an option like that of "Secure plesk panel" with the ability to let the admin chose at plesk installation, or in settings in the following way:
1) I setup my server that is named mainserver.domain.tld
2) Plesk asks me to secure the panel, I select the checkbox, letsencrypt will generate a certificate for mainserver.domain.tld
3) Plesk asks me which subdomain should use for the mail subscriptions: I input MAILSUBDOMAIN as a name or whatever I like
4) Plesk uses letsencrypt with option --expand to expand certificate for mainserver.domain.tld to include mailsubdomain.domain.tld
5) Everytime I create a new domain in plesk, plesk will automatically expand the existing certificate for mainserver.domain.tld and mailsubdomain.domain.tld adding mailsubdomain.domain2.tld mailsubdomain.domain3.tld etc up to 100 domains that it's the letsencrypt domain limitation(If I'm not mistaken)
6) Plesk assigns this ssl to the plesk panel and mail server automatically every time it is renewed and keeps in database the list of existing domains, so it gets renewed with all the mailname.*.tld
This way you have a standard that is used for mail service, and doesn't abuse letsencrypt.
All the domains mailsubdomain.*.tld will be virtual and redirected to one single directory for letsencrypt acme challenge. If someone opens mailsubdomain.domain.tld in the browser, it gets redirected to webmail(sort of alias)
All the rest of the domains remain like it is now.
That is my suggestion of how I think it would be the easiest way to implement, without too much hassle.
Gaby Bowling commented
How is this essential feature still open discussion
Joey den Hollander commented
Back to using C-panel. It's not feasible this way. My customers are not tech savvy enough to change their mail settings from mail.domain.tld to another domain because Plesk is still lacking this feature.
Portable Page commented
+1, most mail applications fill in mail.domain.com automatically when users provide their email-address. Because Plesk doesn't have an autodiscover feature either, it's confusing for many (not so tech-savvy) clients.
Yes please add this feature! C-Panel has it already. I have been trialing Plesk for a few weeks now, however without this feature I don't think I can migrate over from C-Panel which is frustrating as I like the Wordpress features in Plesk.
You could at least do it for dedicated ip's that an subscription hast it's own hostname answering with the right cert. on SMTP '/ IMAP/POP.
This should be possible by setting up postfix (master.cnf) like
::1:smtp inet n - - - - smtpd
127.0.0.1:smtp inet n - - - - smtpd
188.8.131.52:smtp inet n - - - - smtpd -o smtp_helo_name=domain2.tld -o myhostname=domain2.tld -o smtpd_tls_key_file= /usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/fullchain.pem
184.108.40.206:smtp inet n - - - - smtpd -o smtp_helo_name=privat.tld -o myhostname=privat.tld -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/fullchain.pem
2a03:4000:x:y::1:smtp inet n - - - - smtpd -o smtp_helo_name=privat.tld -o myhostname=privat.tld -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/privat.tld/fullchain.pem
2a03:4000:x:y::2:smtp inet n - - - - smtpd -o smtp_helo_name=domain2.tld -o myhostname=domain2.tld -o ssmtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/privkey.pem -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/domaind2.tld/fullchain.pem
(as seen on https://www.mingblock.de/2018/04/plesk-onyx-und-der-mailserver/ -thx to Redhell)
due to DNS flexibility you should coincider geneating an cert for the record mail.DOMAIN.TLD
That way we have more flexibillity!
This feature is absolutely necessary. Please consider this as a priority.
iam also vote
@Daniel Hahn... I think this is not what the admins here are looking for. We are hoping for a multi certificate support. We want to give IMAP/POP/SMTP server names to our customers like e.g.:
But this is not possible at the moment. We always have to give the Plesk server name to them, e.g.
We also have the same problem for the Plesk backend login right now (but this is a different thread):
I can say a lot of my customers need some extra attention because of this unsolved problem (not even talking about resellers).
And when my customers are moving to a new Plesk server we have a lot of work to change all client-side settings (mail software, ...).
Daniel Hahn commented
@Michael Cron just called a script...
More you will find at: https://github.com/Powie/plesk_mailcert
@Daniel Hahn... Can you explain more in detail about your "single cron job" that solves that problem for you using Postfix MTA in Plesk? I think also the other admins would love to hear about that solution.