Plesk – Secure SMTP / POP & IMAP connections with SSL

The default Plesk mail SSL certificate is self-signed, which means your customers have to accept an untrusted certificate when setting up their email clients.

There is a very easy way to overcome this using shell & the “Let’s Encrypt” extension within Plesk.

First of all, if you don’t already have an SSL certificate for your domain or mail domain, set one up using the “Let’s Encrypt” extension within Plesk. Alternatively, purchase and install your SSL cert from any number of trusted sources. The Comodo EVL certs are a good choice; I’ve always found them the best value for money around.

Once you have your certificate installed for your domain, it is time to set it up for your mail connections. Don’t forget that if your mail server is set to the subdomain mail.yourdomain.com (most are by default), you will need to have that subdomain created and hosted within Plesk, and the SSL certificate then needs applying to this subdomain. You don’t need a website on this subdomain, but it does need to be available in Plesk so that we can apply our certificate to it.

Firstly, we need to replace the following files. These are the default SMTP, POP and IMAP certificates used within Plesk, shown with their permissions.

/etc/postfix/postfix_default.pem (600)
/usr/share/imapd.pem (400)
/usr/share/pop3d.pem (400)

Open a terminal and let’s make a backup of these three files before we go any further!

mv /etc/postfix/postfix_default.pem /etc/postfix/postfix_default.old
mv /usr/share/imapd.pem /usr/share/imapd.old
mv /usr/share/pop3d.pem /usr/share/pop3d.old

Now it’s time to add the information from your SSL certificate. You will get these details from the Domains > your_domain > SSL Certificates section of the Plesk control panel. Click on the certificate’s name and scroll down the page to get the Private Key, Certificate and CA-Certificate information.

We now need to create a new file. We’ll start with the SMTP file:

vi /etc/postfix/postfix_default.pem

We now need to paste the private key, certificate and CA certificate into this file, in that order:

-----BEGIN PRIVATE KEY-----
(your private key)
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(your certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(your CA certificate)
-----END CERTIFICATE-----

This same file can be used for both IMAP and POP3 too, so let’s create them.

cp /etc/postfix/postfix_default.pem /usr/share/imapd.pem
cp /etc/postfix/postfix_default.pem /usr/share/pop3d.pem

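Now we need to give those files their original permissions (400). The Postfix file was recreated with vi and contains your private key, so set it back to 600 as listed above.

chmod 600 /etc/postfix/postfix_default.pem
chmod 400 /usr/share/imapd.pem
chmod 400 /usr/share/pop3d.pem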

Finally, let’s restart the mail service. The new certificates should now be installed and there should be no more warning messages for your email clients!

/usr/local/psa/admin/sbin/mailmng --restart-service
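
A hand-pasted PEM file is easy to get wrong (blocks in the wrong order, a cut-off paste, a key left world-readable), so the following checks can be run before the restart. This is an added example, not part of the original post; the function names and the optional ROOT prefix are this example's own, and it assumes GNU stat and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are its own.

# check_bundle FILE MODE: succeed only if FILE holds exactly one private key
# followed by at least one certificate, every BEGIN has an END, and the
# file's octal permission is MODE. Prints the reason on failure.
check_bundle() {
    file=$1 want=$2
    [ -r "$file" ] || { echo "$file: missing or unreadable"; return 1; }
    # Block types in file order: K = private key, C = certificate.
    order=$(awk '/^-----BEGIN .*PRIVATE KEY-----/ { printf "K" }
                 /^-----BEGIN CERTIFICATE-----/   { printf "C" }' "$file")
    case $order in
        KC*) ;;
        *) echo "$file: want key then certificate(s), got '$order'"; return 1 ;;
    esac
    case ${order#K} in
        *K*) echo "$file: more than one private key"; return 1 ;;
    esac
    begins=$(grep -c '^-----BEGIN ' "$file" || true)
    ends=$(grep -c '^-----END ' "$file" || true)
    [ "$begins" -eq "$ends" ] || { echo "$file: truncated PEM block"; return 1; }
    mode=$(stat -c %a "$file")   # GNU stat, as on CentOS
    [ "$mode" = "$want" ] || { echo "$file: mode $mode, want $want"; return 1; }
}

# key_matches_cert FILE: succeed only if the private key and the first
# certificate in FILE carry the same public key. Needs the openssl CLI.
# A passphrase-protected key fails here (an empty passphrase is supplied),
# which is intended: the mail daemons need an unencrypted key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# check_mail_certs [ROOT]: run the checks on the three files from this page.
# ROOT is an optional path prefix (an assumption of this example, for trying
# the checks on a copy of the tree); leave it empty on the live server.
check_mail_certs() {
    root=${1:-}
    check_bundle "$root/etc/postfix/postfix_default.pem" 600 &&
    check_bundle "$root/usr/share/imapd.pem" 400 &&
    check_bundle "$root/usr/share/pop3d.pem" 400 &&
    key_matches_cert "$root/etc/postfix/postfix_default.pem"
}
```

Run check_mail_certs as root after the chmod step; a non-zero exit status means the old .old files should stay in place until the reported problem is fixed.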

If you have created a self-signed certificate, you may not have a CA certificate text or file. This will work without it, but you may still get warnings within your email clients that the certificate is not valid. You will, however, be using SSL, assuming your mail clients are set to the correct ports. Don’t forget to allow the ports through the Plesk firewall!

SSL IMAP Port 993
SSL POP3 Port 995
SSL SMTP Port 465
