letsencrypt-plesk
Use certificate for services (SMTP/IMAP) as well
It would be great if the auto-generated certificates automatically can be used for Postfix/Dovecot (or others, if that's chosen) connections as well.
(Or I am missing something and that is already the case).
Also, when using the "Use this certificate to secure connections to Plesk" option, it doesn't show up in the global certificate overview (Tools & Settings -> SSL certificates).
This is related to #19
Hmm, even when the same hostname is being used for all these? As I'd imagine copying over the certificates to the correct places (or alter the config to point to the right ones) and reloading the service when the new certificate is generated should do it.
Sorry Jbacker, I was just commenting that it was related - not that it was required. Some of the mail servers use one certificate per IP address, which is fine if you have one hostname per IP, but otherwise it will require a SAN for multiple hostnames.
And yes, the Plesk certificate does not appear in that list, mainly because a) the certificate is replaced every 30 days, b) they are stored in separate directories - one is the Let's Encrypt directory, one is the Plesk store, hence why no Let's Encrypt certificates appear on that page. I don't know whether this will be implemented to combine the two until Let's Encrypt is at least out of beta.
Ah. :) I get your point. Those SANs would come in quite handy though - Especially when multiple subdomains run on the same server (you run the 'risk' of running the max issue/week cap, but I'd imagine that would not happen very often).
> It would be great if the auto-generated certificates automatically can be used for Postfix/Dovecot (or others, if that's chosen) connections as well.
That would be really great
+1 Definitely a solution is needed for TLS on SMTP/POP/IMAP on Plesk.
Having one certificate per IP is ok for us. The certificate must support multiple subdomains like pop, smtp, imap, map, webmail, whatever.domain.tld
I have added some notes: https://github.com/plesk/letsencrypt-plesk/wiki/Secure-Mail-Server
Default permissions on "/usr/local/psa/var/modules/letsencrypt/etc/live" and "/usr/local/psa/var/modules/letsencrypt/etc/archive" will prevent reading these files, as reported by the postfix logfile. I'm hesitant to suggest loosening the permissions from 700 to 755, as I don't know the full implications of doing so.
```
postfix/smtpd: warning: cannot get RSA certificate from file /usr/local/psa/var/modules/letsencrypt/etc/live/
```
SELinux also appears to get in the way.
For dovecot (imap / pop3) SNI is there. For doing so, letsencrypt-plesk can maintain a file or files such as /etc/dovecot/conf.d/92-letsencrypt-plesk-ssl.conf
```
local_name imap.domain1.td {
  ssl_cert = </path_to/imap.domain1.td_crt.pem
  ssl_key = </path_to/imap.domain1.td_key.pem
}
```
See: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
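The two comments above (the 0700 permission problem on the plugin's live/ and archive/ directories, and the Dovecot local_name SNI layout) can be served by one renewal hook. The script below is an added example and is not code from letsencrypt-plesk or from the wiki page: it copies each certificate pair into a separate directory with a world-unreadable key instead of loosening the plugin's directories, then writes one local_name block per name. The certbot-style file names fullchain.pem and privkey.pem under live/<name>/, and the paths MAIL_CERT_DIR and DOVECOT_SNI_CONF, are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not part of letsencrypt-plesk: stage the plugin's certificates
# into a directory the mail daemons may read and generate a Dovecot SNI config,
# leaving the plugin's 0700 live/ and archive/ directories untouched.
#
# Assumptions (not stated in the thread):
#  - LIVE_DIR/<name>/ holds fullchain.pem and privkey.pem (certbot-style layout)
#  - MAIL_CERT_DIR and DOVECOT_SNI_CONF are hypothetical paths; adjust to taste
set -eu

LIVE_DIR="${LIVE_DIR:-/usr/local/psa/var/modules/letsencrypt/etc/live}"
MAIL_CERT_DIR="${MAIL_CERT_DIR:-/etc/ssl/mailcerts}"
DOVECOT_SNI_CONF="${DOVECOT_SNI_CONF:-/etc/dovecot/conf.d/92-letsencrypt-plesk-ssl.conf}"

# Copy every complete <name>/ pair from $1 into $2/<name>/.
# Chain: 0644 (public). Key: 0640, group "mail" when running as root, so the
# private key is never world-readable and the source tree keeps its own mode.
stage_mail_certs() {
    src=$1; dst=$2
    mkdir -p "$dst"
    for d in "$src"/*/; do
        d=${d%/}
        [ -f "$d/fullchain.pem" ] && [ -f "$d/privkey.pem" ] || continue
        name=$(basename "$d")
        mkdir -p "$dst/$name"
        # copy under a restrictive umask so the key is never briefly 0644
        ( umask 077; cp "$d/fullchain.pem" "$d/privkey.pem" "$dst/$name/" )
        chmod 0644 "$dst/$name/fullchain.pem"
        chmod 0640 "$dst/$name/privkey.pem"
        if [ "$(id -u)" -eq 0 ]; then
            chgrp mail "$dst/$name/privkey.pem" 2>/dev/null \
                || echo "warning: no 'mail' group, key left root-only" >&2
        fi
    done
}

# Write one local_name block per staged name into $2. Dovecot serves the
# certificate whose local_name matches the SNI host name the client sent and
# falls back to the global ssl_cert/ssl_key when nothing matches.
write_dovecot_sni() {
    dst=$1; out=$2
    {
        echo "# generated by stage_mail_certs; do not edit by hand"
        for d in "$dst"/*/; do
            d=${d%/}
            [ -f "$d/privkey.pem" ] || continue
            printf 'local_name %s {\n' "$(basename "$d")"
            printf '  ssl_cert = <%s/fullchain.pem\n' "$d"
            printf '  ssl_key = <%s/privkey.pem\n' "$d"
            printf '}\n'
        done
    } > "$out"
}

# Renewal hook entry point: stage, regenerate the SNI map, reload daemons.
if [ "${1:-}" = "install" ]; then
    stage_mail_certs "$LIVE_DIR" "$MAIL_CERT_DIR"
    write_dovecot_sni "$MAIL_CERT_DIR" "$DOVECOT_SNI_CONF"
    doveadm reload
    postfix reload
fi
```

Run it as `sh stage-mail-certs.sh install` after each renewal. Dovecot picks the block by SNI name; Postfix cannot, so for Postfix point smtpd_tls_cert_file and smtpd_tls_key_file in main.cf at the one staged pair whose SAN list covers the names that resolve to that IP, which is the per-IP model described earlier in the thread. Both daemons open the key as root at start-up or reload, so the root-owned 0640 copy is enough and nothing under the plugin's own tree has to be opened up.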
You can also use this script:
https://github.com/Powie/plesk_mailcert
+1
@Powie but that script doesn't add the imap smtp pop pop3 mail email webmail subdomains to the cert, which is sort of the problem.
When creating a certificate now there's only the option for www; wouldn't it be more useful to also provide the options for common names such as mail.domain.tld, ftp.domain.tld and so on, and update the appropriate config files?
+1
+1
+1
+1
+1
+1
+1
+1
+1
And a question - what will be the best way to secure mail on a server with Plesk but more than one domain connected? Here: https://github.com/plesk/letsencrypt-plesk/wiki/Secure-Mail-Server he speaks of example.org, which I have to replace with my domain - so will I have to do that several times, for every single domain, or for only one, or what? Can anybody clarify that, please.
But apart from this - it's more than time, over one year later, that we can use Let's Encrypt also for subdomains and mail servers in a similarly easy way as for master domains with and without www now. :)
+1
+1
The problem with Postfix is that it does not support SNI and probably never will. Wietse Venema argues about the need for having the resolved IP address of a mail server pointing to a matching PTR record. So you will have exactly as many certificates as you have corresponding IP addresses.
A solution could be having an SNI-supporting proxy for the SMTP submission port so you can separate the MX traffic from the mail relay traffic (initiated by a user).
You can use Plesk Mail Lets Encrypt. It does everything automatically for you, including renewals.
@ripkens I'm on a Windows system
> A solution could be having an SNI-supporting proxy for the SMTP submission port so you can separate the MX traffic from the mail relay traffic (initiated by a user).
Or just implement an MTA that supports SNI (Exim). There is a chance to vote for it at UserVoice
On a Windows system:
- create a subscription with your Hostname
- disable all DNS features
- create a mail.domain.tld for ALL customers in the hostname subscription
- make that hostname subscription default for your ip
- create the certificate with letsencrypt
- enable it in MailEnable localhost settings
- use stunnel to secure port 465 with that certificate and redirect it to port 25
It works for me that way