Knowledge Base

How to assign an SSL certificate per domain to secure the mail server in Plesk (SNI support)?

Requirements

Plesk	Mail Server	Operating System
Plesk Obsidian for Windows	MailEnable 10.20 and above	All currently supported operating systems
Plesk Obsidian for Linux	Postfix + Dovecot	All currently supported operating systems

Warning: If you're switching from Courier to Dovecot be aware of potential issues.

Log into Plesk
Issue a Let's Encrypt certificate for a domain, or upload a paid certificate
For each of the domains that should have a separate mail certificate, navigate to Domains > example.com > Mail > Mail Settings
Select the domain's certificate in SSL/TLS certificate for mail dropdown:
Click on Apply
Verify that the separate mail certificate is used:
- On Windows:
  1. Connect to the server via RDP
  2. Run OpenSSL with the mail server's domain and check the certificate's CN field:
    
    PS echo 'Q' | plesk sbin openssl s_client -connect localhost:465 -servername example.com -showcerts 2>&1 | SLS -Pattern 'CN=[^/]+' | % { $_.Matches } | % { $_.Value } | Get-Unique
    CN=example.com
- On Linux:
  1. Connect to the server via SSH
  2. Run OpenSSL with the mail server's domain and check the certificate's CN field:
    
    # echo 'Q' | openssl s_client -connect localhost:465 -servername example.com -showcerts 2>&1 | grep -Eo 'CN=[^/]+' | uniq
    CN=example.com