How to сhange the default certificates for SMTP, IMAP, and POP3 over SSL?
Plesk Article ID: 1062, created on Oct 6, 2008, last review on Aug 15, 2016
Plesk for Linux/Unix
How to change the default certificates for SMTP, IMAP, and POP3 over SSL?
The certificate for SMTP over SSL is located in the following files:
For QMail MTA: /var/qmail/control/servercert.pem
For Postfix MTA: /etc/postfix/postfix_default.pem
For Dovecot: /etc/dovecot/private/ssl-cert-and-key.pem
Note: Only QMail MTA is used in Plesk 8.x and earlier. Use instructions from KB #5801 article to define which MTA is used in Plesk 9.x and later.
For IMAP4 and POP3 over SSL (only applicable for a Courier-IMAP server), the following certificate files are used:
By default, these are self-signed certificates for Plesk which are generated during the Plesk installation. If it is required to set up own certificates, copy and paste your certificate and Private Key into the appropriate files (create a backup before changing any files) and restart the qmail/postfix and courier-imap services:
For Plesk version 8.6 and earlier:
~# /etc/init.d/xinetd restart
~# /etc/init.d/courier-imap restart
For Plesk version 9.x and later:
~# /usr/local/psa/admin/sbin/mailmng –restart-service
It is important that the domain the certificate is issued for to be specified. This will allow to avoid a warning that the certificate name does not match that of the host you are connecting to. For example, if the certificate was issued for example.com, then example.com should be specified as the connection string in your mail client preferences for SMTP/POP3/IMAP servers.
NOTE: There is a single certificate for each of these services: SMTP, IMAP4, and POP3 over SSL. Multiple certificates cannot be used for multiple Plesk domains.
/var/qmail/control/servercert.pem should include:
The Private Key
The primary certificate
The intermediate certificate
The root certificate
Make sure that you include the begin and end tags of the key and each certificate, including the dash lines. The resulting text should look like:
—–BEGIN RSA PRIVATE KEY—–
(Your Private Key here)
—–END RSA PRIVATE KEY—–
(Your Primary SSL certificate here)
(Your Intermediate certificate here)
(Your Root certificate here)
The body of the SSL certificate in /usr/share/courier-imap/imapd.pem and /usr/share/courier-imap/pop3d.pem should look like:
—–BEGIN RSA PRIVATE KEY—–
—–END RSA PRIVATE KEY—–
The SSL certificate can only be installed together with the appropriate Private Key that was generated with Certificate Signed Request (CSR) used by the Certificate Authority to generate the certificate. The Private Key is only stored on the server, and this cannot be rebuilt to match an existing certificate.
If the Private Key has been lost, the certificate can no longer be installed.
To install the SSL certificate, find the Private Key. If this is not possible to locate the Private Key, contact the Certificate Authority who issued the certificate. They will reissue the SSL certificate.
Refer the following KB article to install SSL certificate issued for domain:
How to secure SMTP, POP and IMAP connections in Plesk
Plesk-LogoYou’ve installed an SSL Certificate to secure your Plesk Panel, you’ve tested it with an SSL checker and sure enough: the ugly warning window doesn’t bother you or your customers anymore.
But your email client still says that the server doesn’t have a valid certificate. What gives?
The secret is this: SMTP, IMAP and POP3 use their own certificates which are not related to the ones you setup in Plesk to secure https connections. By default the mail services use auto-generated self-signed certificates.
Sadly as of Plesk 12 there is still no way to manage those in the web interface – but it’s relatively easy to fix on the command line. Let’s go through this step by step.
These instructions are for Plesk 12 on CentOS 6 and CentOS 7, using the default Courier mail service. You can also install an alternative mail service called Dovecot in Plesk 12. I’m discussing how to install Dovecot over here.
We need to replace the following three files (default permissions in brackets):
Those are the culprits for SMTP, IMAP and POP3. We need to add our own private key and the certificate of a domain associated with this server and remove the default certificates.
Before we begin, make a safety copy of them like this:
mv /etc/postfix/postfix_default.pem /etc/postfix/postfix_default.old
mv /usr/share/imapd.pem /usr/share/imapd.old
mv /usr/share/pop3d.pem /usr/share/pop3d.old
Here we rename the original files to .old files – in case anything goes wrong, simply rename them back into .pem files.
Add your own certificate
We need the same file three times, so we’ll start by making one for the SMTP service. Create a new file like this:
and paste first the private key, followed by your certificate into this file. It will look something like this:
—–BEGIN PRIVATE KEY—–
—–END PRIVATE KEY—–
The exact same file can be used for both IMAP and POP3 so we can simply copy it to these two new locations:
cp /etc/postfix/postfix_default.pem /usr/share/imapd.pem
cp /etc/postfix/postfix_default.pem /usr/share/pop3d.pem
These two files had 400 permissions by default so that only root can read them, and no one can change them. Let’s adhere to this and apply the same permissions:
chmod 400 /usr/share/imapd.pem
chmod 400 /usr/share/pop3d.pem
Restart Plesk Mail Services
For the changes to take effect we’ll need to restart all Plesk mail services:
And that’s it! Now that pesky warning isn’t going to come up anymore when you access Plesk mail with an email client.
Adding CA Certificates
The above is enough to suppress the usual warning windows in email clients, however if you’re an avid SSL enthusiast you’ll notice that we’ve not added any CA Certificates to the above .pem files. In essence those tell a client that our certificate is valid – otherwise the client would only have our word for it.
You can add the combined CA Certificate to the end of the three .pem files in addition to the private key and your own certificate. It’s not strictly necessary, but doing this means you will pass strict SSL tests.
Thanks to Mike Yrabedra for this tip, and the test URL below!
Testing your mail services
Mike also found a wonderful service that lets you check an email address which will flag up certificate warnings and exceptions – courtesy of CheckTLS:
Simply hack in your email address and you’ll see if your certificate is installed properly. Note that to pass the test, your email address must match the domain on the certificate. For example, if your address is firstname.lastname@example.org, but your certificate is for yourdomain.com then the test will fail the “Cert OK” field.
Screen Shot 2014-12-04 at 12.49.23
Wait – where do I find my private key and certificate?
If you’re using the same certificate for mail that you’re using to secure Plesk, simply head over to
Tools and Settings (or the Server Tab)
click on your certificate from the list
scroll down to find plain text sections for your private key and certificate
Wait – where do I find that CA Certificate you speak of?
Your certificate provider will give that to you. Some providers call it “intermediate CA certificate”. They usually have several versions of the same thing. Look for a combined version. In essence it’s two plain text blocks, very similar to the ones I’ve shown you above.
For example, the RapidSSL CA certificates can be found here: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548