Protecting Webmail and Mail with SSL/TLS Certificates

When you use mail, bad actors can intercept, read, and tamper with your emails or email credentials, compromising your confidential information. Get peace of mind by protecting mail connections with SSL/TLS certificates. This topic explains which connections you need to secure and how to do it.

The path of an email from the sender to the recipient includes several points where it can be compromised. SSL/TLS certificates protect sensitive data by encrypting connections. To receive all-round protection when using mail, you need to use SSL/TLS certificates to secure the whole mail transmission chain, which consists of the following:

  • The connection between a user’s browser and webmail running on a web server. For simplicity, we call it “securing webmail”.
  • The connection between the Plesk mail server and the sender’s MTA. For simplicity, we call it “securing the Plesk mail server”.

1 Securing Webmail

When you access your mailbox via webmail, a connection is established between your browser and webmail running on a web server. To protect transferred emails and email credentials from being compromised, webmail is by default secured with the same self-signed SSL/TLS certificate that secures Plesk. The self-signed SSL/TLS certificate encrypts the transferred data, but each time you access your webmail, you see a warning message about an untrusted SSL/TLS certificate. To stop seeing this warning, secure webmail with a valid SSL/TLS certificate.

To secure webmail with an SSL/TLS certificate:

  1. Get a wildcard SSL/TLS certificate or a SAN certificate that lets you include webmail.<domain> in its SAN. You can do so by:

    Note

    We strongly recommend this option because one wildcard certificate protects all necessary mail connections.

  2. Go to Mail > the “Mail Settings” tab, click the domain name, select the SSL/TLS certificate for webmail, and then click OK.

2 Securing the Mail Server in Plesk

Ask your hosting provider if they have secured the Plesk mail server with a valid SSL/TLS certificate (not with the self-signed SSL/TLS certificate that secures the mail server by default). This encrypts the connection between the Plesk mail server and senders’ MTAs, protecting the emails you receive from being intercepted.

However, unless you are paying for a dedicated server, there is a shortcoming. Each time you access your mailbox, you see a warning message about an untrusted SSL/TLS certificate. This happens because the mail client detects a mismatch between the domain name to which the certificate is assigned (the domain name of the Plesk server) and the domain name you use for mail. As a result, most mail clients consider the mail server certificate not trusted.

If your mail server is Postfix with Dovecot (in Plesk for Linux) or MailEnable (in Plesk for Windows), you can fix the certificate mismatch by assigning an SSL/TLS certificate to your individual mail for a domain.

With other mail servers (for example, qmail or Courier), there is currently no ability to assign a separate SSL/TLS certificate to your individual mail for a domain. Whether the connection to the mail server is secured or not depends on how your mail client handles untrusted certificates:

  • The mail client connects to the mail server via SSL/TLS (even though a warning that the certificate is not trusted may be shown). In this case, the connection between your mail and a sender is encrypted, and transferred emails are protected from being intercepted.
  • The mail client refuses to connect to the mail server via SSL/TLS, and you have to use an unencrypted connection. In this case, your transferred emails become vulnerable to interception. We recommend that you change your mail client to one that allows connecting via SSL/TLS even if the certificate is not trusted.

Note

There is another way to fix the certificate mismatch. If you use the mail server in Plesk, you can configure your mail client to use the server domain name. For example, the server domain is server.com and your individual domain is example.com. If the mail server is secured with an SSL/TLS certificate assigned to server.com, change the domain name of the mail server from mail.example.com to server.com in your mail client settings.

3 Assigning an SSL/TLS certificate to Mail for a Domain

If your mail server is Postfix with Dovecot (in Plesk for Linux) or MailEnable (in Plesk for Windows), you can secure mail for a domain with an individual SSL/TLS certificate. We recommend that you do so if your mail client shows a warning that the SSL/TLS certificate securing the mail server cannot be verified. Once you secure mail for a domain with an individual SSL/TLS certificate, the mail server returns the certificate securing your mail instead of the server-wide certificate assigned by your hosting provider. As a result, the warning is no longer shown.

Note

An SSL/TLS certificate securing mail for a domain encrypts the connection only if the Plesk mail server is also secured with an SSL/TLS certificate. Ask your hosting provider if they have secured the Plesk mail server with a valid SSL/TLS certificate.

To secure mail for a domain with an SSL/TLS certificate:

  1. Get a wildcard SSL/TLS certificate or a SAN certificate that lets you include mail.<domain> in its SAN. You can do so by:

    Note

    If you already obtained a wildcard SSL/TLS certificate when securing webmail, go to step 2 to secure mail for your domain with this certificate.

    Note

    We recommend getting a free wildcard SSL/TLS certificate from Let’s Encrypt because this certificate can single-handedly protect not only mail for a domain, but also webmail, the domain itself, and multiple subdomains (if necessary).

  2. Go to Mail > the “Mail Settings” tab, click the domain name, select the SSL/TLS certificate for mail, and then click OK.
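
The name mismatch described in section 2 and the wildcard/SAN requirement in step 1 of both procedures come down to one check: does any name in the certificate cover the host name the client connects to? The following is an added example, not Plesk code. It applies RFC 6125-style matching to constructed SAN lists built from the page's example names (server.com, example.com); the function names and the rule that a wildcard must keep at least two fixed labels are assumptions of this example.

```python
# Added example: decide whether a certificate's SAN list covers the host
# names that browsers and mail clients will connect to.
# All SAN lists below are constructed sample data.

def _labels(name):
    # Compare case-insensitively and ignore a trailing dot.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, host):
    """RFC 6125-style match: '*' may only be the whole leftmost label
    and stands for exactly one label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Assumed client policy: reject over-broad wildcards such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def covered(san_list, host):
    return any(san_matches(s, host) for s in san_list)

def audit(san_list, hosts):
    """Return {host: bool} for every name clients will use."""
    return {h: covered(san_list, h) for h in hosts}

# Constructed inputs using the page's example names.
SERVER_WIDE = ["server.com"]                 # provider's server-wide certificate
WILDCARD_ONLY = ["*.example.com"]            # wildcard name without the bare domain
WILDCARD_PLUS_APEX = ["example.com", "*.example.com"]
HOSTS = ["example.com", "webmail.example.com", "mail.example.com"]

if __name__ == "__main__":
    for label, sans in [("server-wide", SERVER_WIDE),
                        ("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX)]:
        print(f"{label:16}", audit(sans, HOSTS))
```

The server-wide certificate covers none of the example.com names, which is the mismatch a mail client warns about. A wildcard name by itself covers webmail.example.com and mail.example.com but not the bare example.com, so a certificate meant to protect the domain as well must list both names.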