SSL and email security

mist_firefly
Forum User
Posts: 60
Joined: Mon Jul 23, 2012 5:22 am
Location: Salisbury

SSL and email security


Hi,
I'm not completely sure I am posting in the right part of the forum (sorry if I'm not).

At the moment our Plesk server can't support SSL, so each time we set up emails (e.g. in Outlook) we need to untick the part with <this server requires an encrypted connection>.
My question is: how can we set up an SSL encrypted connection, and could we do it so that we have both options available to use (without SSL or with)?

Thanks
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Re: SSL and email security


SSL normally works out of the box with Plesk. Are you using port 465?
mist_firefly
Forum User
Posts: 60
Joined: Mon Jul 23, 2012 5:22 am
Location: Salisbury

Re: SSL and email security


Sorry, I'm not sure (a bit new to this). Could you please let me know how I could check if I am using 465?

Also, it is true that on our server all the domains use the same IP address and the server has an SSL certificate (a shared one). If I needed it only for one domain, how would I set it up? Because at the moment, if we don't untick the SSL when setting up emails, the email won't work (so I suppose that means the specified domain doesn't have the certificate on).
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: SSL and email security


The SSL stuff is very confusing even for someone who has been using Plesk since version 2.0!

By default, SSL will work for email BUT the certificate used is a self-signed one generated by Plesk during the install. The last time I checked, most email programs (e.g. Outlook) pop up a window every time you send/receive unless you select View then Install on the certificate. Incidentally, you can see which port you need to make sure is open in your firewall on your Plesk server when using Outlook by looking in the Advanced tab in the Properties for the email account in question in Outlook. When you tick the appropriate box, you'll see the port change from 110 (for POP3) to something else. It begins with a 9 when I do it, not a 4.

If that port is not open on your Plesk server (and it might not be), SSL connections in that configuration will fail.

You can install your own, full, SSL certificate for use with email. Follow this KB:
http://kb.parallels.com/en/1062

But you need to read every word. The important thing here is that there can be only one SSL certificate for email. You can't have a different one for each domain hosted. So, to avoid SSL errors and pop-up warnings, you'd have to tell them to use www.domain.tld as the POP3/IMAP server address if you have purchased a certificate for www.domain.tld, or to use domain.tld if you have purchased a certificate for domain.tld. If they use a different domain hosted on your server then they will get the same pop-up error message as they would with a self-signed certificate (or maybe something similar but with a different warning).

Note that installing an SSL certificate for a domain in Plesk has no effect on the certificate used for email. You have to follow the KB above. However, using Plesk's SSL system allows you to generate the required CSR via the GUI, as though you were going to generate a CSR for a certificate to protect a web domain in Plesk, from which you can get a certificate issued and from there you can follow the KB to install it for email.

It wasn't clear from your message whether you wanted the SSL certificate for the domain itself (e.g. for an ecommerce site) or just to sort out your email problem. But if you do, you just go to the domain you want to protect with the SSL certificate, click on the appropriate option for your version of Plesk and ...errr..well, you need to click on Create New Certificate or something similar, select 2048 bits, give it a name, then generate the CSR. Paste that into your SSL company's web page, get a Certificate and a CA Certificate and then paste those back into Plesk.

There can be only one SSL certificate per IP address in Plesk (although there is technology to get around this limit in Plesk 10 and later but it doesn't work universally). It is fine if you have loads of different domains on one IP (e.g. shared as opposed to exclusive). But you can only have the one certificate covering all domains on that IP.

You can even have one certificate covering more than one IP: http://kb.parallels.com/en/385

Err...yes, so I've probably confused the hell out of you by now. Sorry. But maybe some of what I've posted will give you a bit of a pointer. I certainly hope so.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
mist_firefly
Forum User
Posts: 60
Joined: Mon Jul 23, 2012 5:22 am
Location: Salisbury

Re: SSL and email security


Thanks faris for your reply.

What interests me at this moment is the SSL for email, as one of our clients came across the following problem:
"Just tried to set up a new email account which on Thunderbird (Email programme) tells me I have no connection security - (eg STARTTLS or SSL/TLS) and also assume my password should be encrypted."
This is because of the way we set it up, without ticking the SSL security option, because if we do it doesn't work (which is strange).

When our clients are setting up their emails they use mail.domain.tld as the incoming and outgoing mail servers. That means for the same domain there will be a couple of people using the same mail servers (it's usually POP3 that they use). Does that mean that if we use SSL certificates they need to be different?

From what you said, did I understand this right: there is an SSL certificate already on Plesk from its installation that should work but might not because the port might not be opened? How could I check that?

Thanks again
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: SSL and email security


On the command line on the server, as root, use:

iptables -v -n -L | less

To view all the firewall rules.

You might also like to use

iptables -v -n -L | grep '995'

... to cut to the chase.

For me, when you tick the appropriate box in Outlook, it uses port 995 instead of 110. That's "Secure POP3".

Port 993 is necessary for secure IMAP.

Yes, there's an SSL certificate for email already installed. This will protect the connection. But as it is self-signed, users will see a box pop up talking about untrusted or expired certificates the first time they enable the appropriate SSL option (incidentally, you need to select TLS for OUTGOING, not SSL, if you also allow authenticated SMTP).

The fact that "it doesn't work" indicates to me that the port is blocked. Any other issue would result in some kind of SSL error popping up.
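A stricter form of the firewall check described in the post above, as an added example that is not part of the original thread: it reads `iptables -v -n -L` output and reports what the INPUT chain does with a single mail port. The function names `port_verdict` and `sample_listing` and the listing itself are constructed for illustration.

```shell
#!/bin/sh
# Added example: verdict for one TCP port from `iptables -v -n -L` output.
# Assumptions: IPv4 filter table, INPUT chain only; rules limited to an
# interface or address, port ranges, and jumps to other chains are skipped.
port_verdict() {
    awk -v port="$1" '
    /^Chain / {
        in_input = ($2 == "INPUT")
        if (in_input) { policy = $4; sub(/\)$/, "", policy) }
        next
    }
    !in_input || NF < 9 || $1 == "pkts" || found { next }
    {
        rest = ""
        for (i = 10; i <= NF; i++) rest = rest " " $i
        anyaddr = ($6 == "*" && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0")
        hit = 0
        if ($4 == "tcp" && rest ~ ("dpt:" port "( |$)")) hit = 1
        if ($4 == "tcp" && match(rest, /dports [0-9,]+/)) {
            list = "," substr(rest, RSTART + 7, RLENGTH - 7) ","
            if (index(list, "," port ",")) hit = 1
        }
        # Catch-all rule: no match beyond "any protocol/tcp, anywhere".
        if (($4 == "all" || $4 == "tcp") && (NF == 9 || $10 == "reject-with")) hit = 1
        if (hit && anyaddr && $3 ~ /^(ACCEPT|DROP|REJECT)$/) {
            verdict = $3; found = 1
        }
    }
    END { print port, (found ? verdict : "policy:" policy) }'
}

# Constructed sample listing (not taken from the server in this thread).
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1995  120K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 8412  901K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  310 18600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
   88  5280 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 465,587
  977 58620 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
EOF
}

# On a real server: iptables -v -n -L INPUT | port_verdict 995
for p in 995 993 465; do sample_listing | port_verdict "$p"; done
```

In this constructed listing a plain grep for 995 matches only a packet counter on the loopback rule, while the port itself falls through to the final REJECT rule.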
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: SSL and email security


faris wrote: "The SSL stuff is very confusing even for someone who has been using Plesk since version 2.0!"
Wow! I had no idea you went all the way back to when we had the Plesk HQ in Chantilly (just down the street from where Atomicorp is HQed now).
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: SSL and email security


Yes, I hail from the time that Plesk had no graphics in the UI and upgrading Plesk versions took about 10 seconds -- and was not in the least bit nerve-wracking.

However, the only version I can actually still remember using physically is Plesk 5.0. I think there was some sort of big version jump at some point? Was it from 2 to 5?

But we digress......
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: SSL and email security


Yup, we went from 2.0 to 2.5, to 5.0.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: SSL and email security


faris wrote: "Yes, I hail from the time that Plesk had no graphics in the UI and upgrading Plesk versions took about 10 seconds -- and was not in the least bit nerve-wracking."
Of course it wasn't nerve-wracking, it was our company back then! ;-)