• How to change the default certificates for SMTP, IMAP, and POP3 over SSL in Plesk 12.5 and Onyx

How to change the default certificates for SMTP, IMAP, and POP3 over SSL?

The certificate for SMTP over SSL is located in the following files:

For QMail MTA: /var/qmail/control/servercert.pem
For Postfix MTA: /etc/postfix/postfix_default.pem
For Dovecot: /etc/dovecot/private/ssl-cert-and-key.pem

Note: Only QMail MTA is used in Plesk 8.x and earlier. Use the instructions in KB article #5801 to determine which MTA is used in Plesk 9.x and later.

For IMAP4 and POP3 over SSL (only applicable for a Courier-IMAP server), the following certificate files are used:

/usr/share/imapd.pem
/usr/share/pop3d.pem

Or:

/usr/share/courier-imap/imapd.pem
/usr/share/courier-imap/pop3d.pem

By default, these are self-signed certificates that are generated during the Plesk installation. To set up your own certificates, copy and paste your certificate and Private Key into the appropriate files (create a backup before changing any files) and restart the qmail/postfix and courier-imap services:

For Plesk version 8.6 and earlier:

~# /etc/init.d/xinetd restart
~# /etc/init.d/courier-imap restart

For Plesk version 9.x and later:

~# /usr/local/psa/admin/sbin/mailmng --restart-service

It is important to specify the domain the certificate was issued for. This avoids a warning that the certificate name does not match that of the host you are connecting to. For example, if the certificate was issued for example.com, then example.com should be specified as the connection string in your mail client preferences for SMTP/POP3/IMAP servers.

NOTE: There is a single certificate for each of these services: SMTP, IMAP4, and POP3 over SSL. Multiple certificates cannot be used for multiple Plesk domains.

Additional information:

/var/qmail/control/servercert.pem should include:

The Private Key
The primary certificate
The intermediate certificate
The root certificate

Make sure that you include the begin and end tags of the key and each certificate, including the dash lines. The resulting text should look like:

-----BEGIN RSA PRIVATE KEY-----
..........
(Your Private Key here)
..........
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
..........
(Your Primary SSL certificate here)
..........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..........
(Your Intermediate certificate here)
..........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..........
(Your Root certificate here)
..........
-----END CERTIFICATE-----

The body of the SSL certificate in /usr/share/courier-imap/imapd.pem and /usr/share/courier-imap/pop3d.pem should look like:

-----BEGIN CERTIFICATE-----
MIIB8TCCAZsCBEUpHKkwDQYJKoZIhvcNAQEEBQAwgYExCzAJBgNVBAYTAlJPMQww
............
............
eNpAIeF34UctLcHkZJGIK6b9Gktm
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDv6i/mxtS2B2PjShArtOAmdRoEcCWa/LH1GcrbW14zdbmIqrxb
..........
..........
faXRHcG37TkvglUZ3wgy6eKuyrDi5gkwV8WAuaoNct5j5w==
-----END RSA PRIVATE KEY-----

Additional information:

The SSL certificate can only be installed together with the matching Private Key, the one generated along with the Certificate Signing Request (CSR) that the Certificate Authority used to issue the certificate. The Private Key is stored only on the server, and it cannot be rebuilt to match an existing certificate.

If the Private Key has been lost, the certificate can no longer be installed.

To install the SSL certificate, find the Private Key. If it is not possible to locate the Private Key, contact the Certificate Authority that issued the certificate. They will reissue the SSL certificate.
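
A pre-install check for the two file layouts and the key/certificate pairing described above, as an added example that is not part of the original article or of Plesk's own tooling. The function names and the script name check_pem.sh are hypothetical, it accepts only the block orders this article shows, and the pairing check assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example: sanity checks for a combined PEM file before it is copied
# over a mail service certificate. Function names are hypothetical.

# Print PEM block labels in file order; non-zero exit on unbalanced markers.
pem_labels() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^-----BEGIN .*-----$/ { if (open != "") exit 2
                                 open = substr($0, 12, length($0) - 16); next }
        /^-----END .*-----$/   { if (substr($0, 10, length($0) - 14) != open) exit 2
                                 print open; open = ""; next }
        END { if (open != "") exit 2 }
    ' "$1"
}

# check_layout FILE qmail|courier
#   qmail:   private key first, then certificates (servercert.pem layout)
#   courier: certificate first, then the private key (imapd.pem/pop3d.pem layout)
check_layout() {
    labels=$(pem_labels "$1") || { echo "$1: malformed BEGIN/END markers" >&2; return 1; }
    flat=$(printf '%s\n' "$labels" |
           sed -e 's/.*PRIVATE KEY$/K/' -e 's/^CERTIFICATE$/C/' | tr -d '\n')
    case "$flat" in
        *[!KC]*|*K*K*) echo "$1: unexpected block or second key" >&2; return 1 ;;
    esac
    case "$2:$flat" in
        qmail:KC*|courier:C*K) return 0 ;;
        *) echo "$1: block order '$flat' does not fit $2 layout" >&2; return 1 ;;
    esac
}

# Succeed only when the private key and the first certificate in FILE carry
# the same public key (requires the openssl CLI).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh check_pem.sh FILE qmail|courier
if [ "$#" -eq 2 ]; then
    check_layout "$1" "$2" && key_matches_cert "$1" || exit 1
    echo "$1: layout and key/certificate pair look consistent"
fi
```

Run it against the new file before overwriting the live one, so a mismatched key or a truncated paste is caught before the mail services are restarted.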


This article was last modified: March 16, 2017, 5:46 p.m.
