The default plesk SSL certificate uses self signed certificates by default that means your customers have to accept the untrusted certficate when setting up their email clients.<\/p>\n
There is a very easy way to overcome this using shell & the “Let’s Encrypt” extension within Plesk.<\/p>\n
First of all if you don’t already have an SSL certificate for your domain or mail domain, set one up using the “Let’s Encrypt” extension within Plesk. Alternatively purchase and install your SSL cert from any number of trusted sources. The Comodo EVL certs are a good choice, I’ve always found them the best value for money around.<\/p>\n
Once you have your certificate installed for your domain, it is time to set it up for your mail connections, don’t forget that if your mail server is set to the sub domain of mail.yourdomain.com (most are by default) you will need to have that sub domain created and hosted within Plesk, the SSL certificate then needs applying to this sub domain. You don’t need a website on this domain, but it does need to be physically available so that we can apply our certificate to it.<\/p>\n
Firstly, we need to replace the following files, these are the default SMTP, POP and IMAP certificated used within Plesk.<\/p>\n
\/etc\/postfix\/postfix_default.pem (600)
\n\/usr\/share\/imapd.pem (400)
\n\/usr\/share\/pop3d.pem (400)<\/p>\n
Open a terminal and let’s make a back up of these three files before we go any further!<\/p>\n
mv \/etc\/postfix\/postfix_default.pem \/etc\/postfix\/postfix_default.old\r\nmv \/usr\/share\/imapd.pem \/usr\/share\/imapd.old\r\nmv \/usr\/share\/pop3d.pem \/usr\/share\/pop3d.old<\/pre>\nNow it’s time to add the information from your SSL certificate, you will get these details from the domains > your_domain > SSL Certificates section of the Plesk control panel. Click on the certificates name and scroll down the page to get the Private Key, Certificate and CA-Certificate information.<\/p>\n
We now need to create a new file, we’ll start with the SMTP file<\/p>\n
vi \/etc\/postfix\/postfix_default.pem<\/pre>\nAnd we now need to paste the private key, certificate and ca-certificate into this file<\/p>\n
-----BEGIN PRIVATE KEY-----\r\nMIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgN\r\nVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDEx\r\nJHZW9UcnVzdCBHbG9iYWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwM\r\njE4MjI0NTA1WjA8MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOR2VvVHJ1\r\nc3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NMIENBMIIBIjANBgkqhki\r\nG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0l6P7oeYLUF\r\nMIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgN\r\nVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDEx\r\nJHZW9UcnVzdCBHbG9iYWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwM\r\njE4MjI0NTA1WjA8MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOR2VvVHJ1\r\nc3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NMIENBMIIBIjANBgkqhki\r\nG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0l6P7oeYLUF\r\n-----END PRIVATE KEY-----\r\n-----BEGIN CERTIFICATE-----\r\nMIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgN\r\nVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDEx\r\nJHZW9UcnVzdCBHbG9iYWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwM\r\njE4MjI0NTA1WjA8MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOR2VvVHJ1\r\nc3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NMIENBMIIBIjANBgkqhki\r\nG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0l6P7oeYLUF\r\nMIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgN\r\nVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDEx\r\nJHZW9UcnVzdCBHbG9iYWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwM\r\njE4MjI0NTA1WjA8MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOR2VvVHJ1\r\nc3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NMIENBMIIBIjANBgkqhki\r\nG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0l6P7oeYLUF\r\n-----END CERTIFICATE-----\r\n-----BEGIN CERTIFICATE-----\r\nMIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgN\r\nVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDEx\r\nJHZW9UcnVzdCBHbG9iYWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwM\r\njE4MjI0NTA1WjA8MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOR2VvVHJ1\r\nc3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NMIENBMIIBIjANBgkqhki\r\nG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0l6P7oeYLUF\r\nMIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgN\r\nVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDEx\r\nJHZW9UcnVzdCBHbG9iYWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwM\r\njE4MjI0NTA1WjA8MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOR2VvVHJ1\r\nc3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NMIENBMIIBIjANBgkqhki\r\nG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0l6P7oeYLUF\r\n-----END CERTIFICATE-----<\/pre>\nThis same file can be used for both IMAP and POP3 too, so lets create them.<\/p>\n
cp \/etc\/postfix\/postfix_default.pem \/usr\/share\/imapd.pem\r\ncp \/etc\/postfix\/postfix_default.pem \/usr\/share\/pop3d.pem<\/pre>\nNow we need to give those files their original permissions (400)<\/p>\n
chmod 400 \/usr\/share\/imapd.pem\r\nchmod 400 \/usr\/share\/pop3d.pem<\/pre>\nFinally, lets restart the mail service, the new certificates should now be installed and there should be no more warning messages for your email clients!<\/p>\n
\/usr\/local\/psa\/admin\/sbin\/mailmng --restart-service<\/pre>\nIf you have created a self signed certificate then you may not have CA-Cert text \/ file, this will work without it but you may still get warnings within your email clients that the certificate is not valid. You will however be using SSL, assuming your mail clients are set to the correct ports! Don’t forget to allow the ports though the Plesk firewall! <\/p>\n
SSL IMAP Port 993
\nSSL POP3 Port 995
\nSSL SMTP Port 465<\/p>\n","protected":false},"excerpt":{"rendered":"The default plesk SSL certificate uses self signed certificates by default that means your customers have to accept the untrusted certficate when setting up their email clients. There is a very easy way to overcome this using shell & the “Let’s Encrypt” extension within Plesk. First of all if you don’t already have an SSL […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[164,3,11,171,12],"tags":[364,115,365,102,367,110,366,204],"class_list":["post-1399","post","type-post","status-publish","format-standard","hentry","category-centos","category-linux","category-plesk","category-security-linux","category-webhosting","tag-certificate","tag-email","tag-imap","tag-plesk-2","tag-pop","tag-secure","tag-smtp","tag-ssl"],"_links":{"self":[{"href":"https:\/\/scunster.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/1399","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scunster.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/scunster.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/scunster.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/scunster.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1399"}],"version-history":[{"count":4,"href":"https:\/\/scunster.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/1399\/revisions"}],"predecessor-version":[{"id":1403,"href":"https:\/\/scunster.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/1399\/revisions\/1403"}],"wp:attachment":[{"href":"https:\/\/scunster.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1399"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/scunster.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1399"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/scunster.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}