daniel

updating qmail, smtp and pop certificates

The certificate for SMTP over SSL is located in the following files:

  1. For QMail MTA: /var/qmail/control/servercert.pem
  2. For Postfix MTA: /etc/postfix/postfix_default.pem

Note: Only QMail MTA is used in Parallels Plesk Panel (Plesk) version 8.x and earlier versions. Use instructions from this KB to define which MTA is used in Plesk version 9.x and later versions.

For IMAP4 and POP3 over SSL, the following certificate files are used:

/usr/share/courier-imap/imapd.pem
/usr/share/courier-imap/pop3d.pem

By default, these are self-signed certificates for "plesk" which are generated during Plesk installation. If you need to set up your own certificates, copy and paste your certificate and Private Key into the appropriate files and restart the "qmail/postfix" and "courier-imap" services:

For version 8.6 and earlier versions:

    ~# /etc/init.d/xinetd restart
    ~# /etc/init.d/courier-imap restart

For version 9.x and later versions:

    ~# /usr/local/psa/admin/sbin/mailmng --restart-service

It is important that the client specifies the domain that the certificate is issued for in order to avoid a warning that the certificate name does not match that of the host you are connecting to. For example, if the certificate was issued for the "example.com" domain, then you should specify "example.com" as the connection string in your mail client preferences for SMTP/POP3/IMAP servers.

NOTE: There is a single certificate for each of these services: SMTP, IMAP4, and POP3 over SSL; multiple certificates cannot be used for multiple Plesk domains.

Additional Information:

/var/qmail/control/servercert.pem should include:

  1. The Private Key
  2. The primary certificate
  3. The intermediate certificate
  4. The root certificate

Make sure you include the begin and end tags of the key and each certificate, including the dash lines. The resulting text should look like this:

    -----BEGIN RSA PRIVATE KEY-----
    ..........
    (Your Private Key here)
    ..........
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    ..........
    (Your Primary SSL certificate here)
    ..........
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ..........
    (Your Intermediate certificate here)
    ..........
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ..........
    (Your Root certificate here)
    ..........
    -----END CERTIFICATE-----

The body of the SSL certificate in /usr/share/courier-imap/imapd.pem and /usr/share/courier-imap/pop3d.pem should look like this:

    -----BEGIN CERTIFICATE-----
    MIIB8TCCAZsCBEUpHKkwDQYJKoZIhvcNAQEEBQAwgYExCzAJBgNVBAYTAlJPMQww
    ............
    ............
    eNpAIeF34UctLcHkZJGIK6b9Gktm
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    MIICXgIBAAKBgQDv6i/mxtS2B2PjShArtOAmdRoEcCWa/LH1GcrbW14zdbmIqrxb
    ..........
    ..........
    faXRHcG37TkvglUZ3wgy6eKuyrDi5gkwV8WAuaoNct5j5w==
    -----END RSA PRIVATE KEY-----

Additional information: The SSL certificate can only be installed together with the appropriate Private Key that was generated with the Certificate Signing Request (CSR) used by the Certificate Authority to generate the SSL certificate. The Private Key is stored only on your server, and it cannot be rebuilt to match an existing certificate.

If the Private Key has been lost, the certificate can no longer be installed.

To install the SSL certificate, finding the Private Key is recommended. If you are unable to locate the Private Key, contact the Certificate Authority who issued the certificate. They will reissue the SSL certificate.

http://kb.parallels.com/en/1062
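A structural check for the two file layouts described in the post above, added here as an example and not part of the original post or of Plesk. The layout names `qmail` and `courier` and all function names are hypothetical, and the sample blocks are constructed placeholders rather than real key material.

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label exactly.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Block order shown in the post; the layout names are hypothetical labels.
LAYOUTS = {
    "qmail": ["KEY", "CERT"],    # servercert.pem: key, then the chain
    "courier": ["CERT", "KEY"],  # imapd.pem / pop3d.pem: certificate, then key
}

def kind(label):
    return "KEY" if label.endswith("PRIVATE KEY") else "CERT" if label == "CERTIFICATE" else "OTHER"

def lint_bundle(text, layout):
    """Return a list of structural problems (empty list means none found)."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("unmatched or truncated BEGIN/END tags")
    kinds = []
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
        kinds.append(kind(label))
    if kinds.count("KEY") != 1:
        problems.append(f"expected exactly 1 private key, found {kinds.count('KEY')}")
    if "CERT" not in kinds:
        problems.append("no certificate found")
    # Collapse runs (CERT, CERT, CERT -> CERT) before comparing the order.
    collapsed = [k for i, k in enumerate(kinds) if i == 0 or k != kinds[i - 1]]
    if not problems and collapsed != LAYOUTS[layout]:
        problems.append(f"order {collapsed} does not match {LAYOUTS[layout]}")
    return problems

def _block(label, payload):
    """Build a constructed PEM block from placeholder bytes (not real key material)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

KEY = _block("RSA PRIVATE KEY", b"constructed-key")
LEAF = _block("CERTIFICATE", b"constructed-leaf")
INTERMEDIATE = _block("CERTIFICATE", b"constructed-intermediate")

if __name__ == "__main__":
    print(lint_bundle(LEAF + KEY, "qmail"))  # courier-style file checked as qmail
```

This checks structure only; it does not prove that the private key belongs to the certificate.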

daniel

OK, looks like the certificate location for Plesk 11.5 at least has changed to /usr/share

/usr/share/imap.pem

/usr/share/pop3.pem

Be sure to update your certificate files there to ensure support for SSL authentication. Of course, to give full support you then need a certificate for your subdomain or a wildcard certificate, i.e. mail.yourdomain.com or *.yourdomain.com, otherwise you will get:

Wrong certificate installed.
The domain name does not match the certificate common name or SAN.

However, you should still be able to accept the certificate when prompted even if the subdomain is not supported.

There is a useful tool here for checking the authenticity and any issues regarding your certificate.

https://ssltools.websecurity.symantec.com/checker/#certChecker

Java is required.
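The name-mismatch case from the post above, added here as an example that is not part of the original post: it shows which mail host names a certificate's names cover, including the one-label limit of a wildcard. The function names and the `CERT_NAMES` list are hypothetical, and the names are constructed from the post's `yourdomain.com` placeholder.

```python
def _labels(name):
    # DNS names compare case-insensitively; a trailing dot is ignored.
    return name.rstrip(".").lower().split(".")

def name_matches(hostname, pattern):
    """True if `hostname` is covered by one certificate name `pattern`."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat):
        return False  # a wildcard stands for exactly one label
    if pat[0] == "*":
        # Wildcard only as the whole leftmost label, never directly under a TLD.
        return len(pat) > 2 and host[1:] == pat[1:]
    # Partial wildcards such as "m*.yourdomain.com" are rejected outright.
    return "*" not in pattern and host == pat

def covering_names(hostname, cert_names):
    """Return the certificate names (CN/SAN entries) that cover `hostname`."""
    return [n for n in cert_names if name_matches(hostname, n)]

# Constructed example: names a certificate might carry.
CERT_NAMES = ["yourdomain.com", "*.yourdomain.com"]

if __name__ == "__main__":
    for host in ("mail.yourdomain.com", "yourdomain.com", "a.mail.yourdomain.com"):
        print(host, "->", covering_names(host, CERT_NAMES) or "MISMATCH")
```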

daniel

Not sure, but I do not think the root certificate is required any more.
