How to secure SMTP, POP and IMAP connections in Plesk

Plesk-LogoYou’ve installed an SSL Certificate to secure your Plesk Panel, you’ve tested it with an SSL checker and sure enough: the ugly warning window doesn’t bother you or your customers anymore.

But your email client still says that the server doesn’t have a valid certificate. What gives?

The secret is this: SMTP, IMAP and POP3 use their own certificates which are not related to the ones you setup in Plesk to secure https connections. By default the mail services use auto-generated self-signed certificates.

Sadly as of Plesk 12 there is still no way to manage those in the web interface – but it’s relatively easy to fix on the command line. Let’s go through this step by step.

These instructions are for Plesk 12 on CentOS 6 and CentOS 7, using the default Courier mail service. You can also install an alternative mail service called Dovecot in Plesk 12. I’m discussing how to install Dovecot over here.

 

Default Certificates

We need to replace the following three files (default permissions in brackets):

  • /etc/postfix/postfix_default.pem (600)
  • /usr/share/imapd.pem (400)
  • /usr/share/pop3d.pem (400)

Those are the culprits for SMTP, IMAP and POP3. We need to add our own private key and the certificate of a domain associated with this server and remove the default certificates.

Before we begin, make a safety copy of them like this:

Here we rename the original files to .old files – in case anything goes wrong, simply rename them back into .pem files.

 

Add your own certificate

We need the same file three times, so we’ll start by making one for the SMTP service. Create a new file like this:

and paste first the private key, followed by your certificate into this file. It will look something like this:

The exact same file can be used for both IMAP and POP3 so we can simply copy it to these two new locations:

These two files had 400 permissions by default so that only root can read them, and no one can change them. Let’s adhere to this and apply the same permissions:

 

Restart Plesk Mail Services

For the changes to take effect we’ll need to restart all Plesk mail services:

And that’s it! Now that pesky warning isn’t going to come up anymore when you access Plesk mail with an email client.

 

Adding CA Certificates

The above is enough to suppress the usual warning windows in email clients, however if you’re an avid SSL enthusiast you’ll notice that we’ve not added any CA Certificates to the above .pem files. In essence those tell a client that our certificate is valid – otherwise the client would only have our word for it.

You can add the combined CA Certificate to the end of the three .pem files in addition to the private key and your own certificate. It’s not strictly necessary, but doing this means you will pass strict SSL tests.

Thanks to Mike Yrabedra for this tip, and the test URL below!

Testing your mail services

Mike also found a wonderful service that lets you check an email address which will flag up certificate warnings and exceptions – courtesy of CheckTLS:

Simply hack in your email address and you’ll see if your certificate is installed properly. Note that to pass the test, your email address must match the domain on the certificate. For example, if your address is you@domain.com, but your certificate is for yourdomain.com then the test will fail the “Cert OK” field.

Screen Shot 2014-12-04 at 12.49.23

 

Wait – where do I find my private key and certificate?

If you’re using the same certificate for mail that you’re using to secure Plesk, simply head over to

  • Tools and Settings (or the Server Tab)
  • Security Settings
  • SSL Certificates
  • click on your certificate from the list
  • scroll down to find plain text sections for your private key and certificate

 

Wait – where do I find that CA Certificate you speak of?

Your certificate provider will give that to you. Some providers call it “intermediate CA certificate”. They usually have several versions of the same thing. Look for a combined version. In essence it’s two plain text blocks, very similar to the ones I’ve shown you above.

For example, the RapidSSL CA certificates can be found here: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548

Further Reading

About Jay Versluis

Jay is a medical miracle known as a Super Survivor. He runs two YouTube channels, five websites and several podcast feeds. To see what else he's up to, and to support him on his mission to make the world a better place, check out his Patreon Campaign.

32 thoughts on “How to secure SMTP, POP and IMAP connections in Plesk

    1. Hi Kuba, Plesk will create both the CSR and the Private Key for you: as soon as you create a new certificate in Plesk, hit the Request button, the fields for CSR and Private Key are pre-populated. You give the CSR to your certificate provider, who in turn will send you a certificate and CA certificate.

    1. No, you’ll create that via the web interface in Plesk. Depending if you’re creating a server-wide certificate or one for a domain, the steps to get there are a little different.

      For a server-wide certificate, head over to Tools and Settings (or the Server Tab), and under Security, select SSL Certificates. For a domain certificate, expand the Show More tab and choose “secure your sites”. From now on the steps are pretty much the same.

      Select “Add SSL Certificate”, give it a name, fill in the domain for a server-wide certificate and select “Request”. This will create a CSR (Certificate Signing Request), together with the Private Key you were looking for. Plesk will return you to the list of available certificates, click on it and you’ll see both CSR and Private Key at the bottom of the page.

      1. Thank you very much! And where can I find the certificate? I know these questions may be stupid but I’m new to SSL.

        1. No problem Kuba, SSL is one of those topics that isn’t easy, partly because nobody bothers to document or implement it so that humans can understand. A number of SSL entities exist that offer certificates directly (Symantec, GeoTrust, Comodo), and a number of third parties act as resellers for those companies too. Usually whoever sells domains also sells SSL certificates (ENOM, Hostgator, GoDaddy, Strato, 1&1, etc). Resellers are often cheaper than buying from the SSL companies directly.

          You must create the certificate with a specific domain or subdomain (say yourdomain.com, something.yourdomain.com), or choose a wildcard certificate that will accept something like *.yourdomain.com (those are more expensive). For a single domain, try GeoTrust’s RapidSSL. The CSR you create in Plesk will contain the domain you’re requesting.

          By default, Plesk is installed with a self-signed certificate, both for the 8843 port as well as mail. The only difference between a “real” SSL certificate and the self-signed one is the Certificate Authority: with a self-signed certificate, the creator of the certificate is the same as the entity that wants to be authenticated (i.e. the Plesk server). Traffic is still encrypted, but the client (web browser or email app) can’t be certain that this is a kosher certificate, and hence flags a warning. For server admins that’s usually never a problem, but ordinary users generally freak out at the sight of those.

          With “real” certificates, you have the same setup, but in addition there’s a CA certificate (the Certificate Authority’s Certificate). This allows clients to verify with the certificate issuer (i.e. GeoTrust) that they have actually issued the certificate for your server, and the ghastly warning is suppressed.

          Hope this helps!

        2. Thank you very much for your answer. I have one more question. Where can I get this certificate that I have to paste i postfix_default.pem. Because in the SSL certificate I created I only have Private Key and CSR as you already wrote. Can I use one of those from RapidSSL?

        3. Exactly: you make a payment, send them your CSR, and they’ll give you the certificate and a link to the CA certificates too. RapidSSL is around $20 or less from resellers, or $49 from RapidSSL.com. There are several others in that price class too.

          Good luck!

        4. On, thank you. So, considering self-signed certificate – to create it I have to use Private Key and CSR I generated in Plesk?

        5. Plesk does that when it’s first installed, there’s always one called “default certificate”. That’s the one that secures Plesk on port 8443. Email is also signed with a self-signed certificate, but I don’t know if it’s based on the same CSR. If you examine the three .pem files , you’ll see that they contain a certificate already – that’s the self-signed one generated by Plesk. So in a nutshell, if you want to use a self-signed certificate for mail, or to secure Plesk’s web interface, you don’t have to do anything. You just have to live with the warnings generated by the email client and web browser.

  1. JESUS JUMPING CHRIST, I WASTED TWO WEEKS 8 HOURS EVERY SINGLE DAY TRYING TO FIGURE OUT WHY THE FLIPPIN E-MAIL CLIENTS AREN’T USING THE CHOSEN CERTIFICATES.

    Your solution worked. I’ve read every single tutorial out there, none of the suggested solutions worked.

    I love you my man, I love you. Do you have a PayPal account so I can donate some coffee money?

    1. Thank you, Deniz! It’s crazy that this isn’t documented better, let alone not implemented in the web interface. Apparently the team are working on it though.

      Donations are always welcome: paypal@wpguru.co.uk 😉

    1. All mail services are handled centrally by Plesk, not the domain. While you can of course connect to the mail server with anydomain.com, the certificate served by Plesk is always the same. If you need the functionality that a specific domain returns a specific mail certificate, I’m afraid you’ll have to use one Plesk instance for that domain. In other words, in a shared multi-domain environments, all domains must use the same mail certificates.

Add your voice!