Symptoms
- Security protocols in Postfix are reset to the defaults whenever an SSL certificate is renewed and/or assigned at Plesk > Tools & Settings > SSL/TLS Certificates > Certificate for securing mail.
  For example, if the TLSv1 protocol is enabled in /etc/postfix/main.cf:
  # egrep "smtpd_tls_mandatory_protocols|smtpd_tls_protocols" /etc/postfix/main.cf
  smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
  smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
- After updating the SSL certificate at Plesk > Tools & Settings > SSL/TLS Certificates > Certificate for securing mail, the TLSv1 protocol is removed from /etc/postfix/main.cf:
  # egrep "smtpd_tls_mandatory_protocols|smtpd_tls_protocols" /etc/postfix/main.cf
  smtpd_tls_protocols = TLSv1.1 TLSv1.2
  smtpd_tls_mandatory_protocols = TLSv1.1 TLSv1.2
Cause
Bug PPP-35434, which will be fixed in future product updates.
Resolution
As a workaround, to keep the Postfix settings unchanged after a mail SSL certificate update, do the following:
- Connect to the server via SSH.
- Run the command with the ciphers and protocols that should not be changed, for example:
  # plesk sbin sslmng --services postfix --ciphers 'EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES' --protocols 'TLSv1 TLSv1.1 TLSv1.2' --custom
Note:
1) As this command freezes ciphers and protocols on the server, after some time these settings might become obsolete from a security point of view.
2) Moreover, the command is part of the Plesk API and can be changed without further notice.
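
To notice the reset described under Symptoms (or confirm that the workaround held) after a certificate renewal, the two parameters can be compared against the values the administrator intends. This is an added example, not code from Plesk or from the original article; the function names get_param and check_tls_drift and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: names and sample files are hypothetical, not Plesk code.

# get_param FILE NAME: print the last value assigned to NAME in a main.cf-style
# file (Postfix keeps the last assignment). Continuation lines are not handled.
get_param() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }                    # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", key)
            if (key != name) next
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)   # trim
            gsub(/[ \t]+/, " ", val)           # collapse inner whitespace
            found = val
        }
        END { print found }
    ' "$1"
}

# check_tls_drift FILE EXPECTED: return 0 if both protocol parameters equal
# EXPECTED; otherwise report each mismatch and return 1.
check_tls_drift() {
    rc=0
    for p in smtpd_tls_protocols smtpd_tls_mandatory_protocols; do
        cur=$(get_param "$1" "$p")
        if [ "$cur" != "$2" ]; then
            echo "DRIFT $p: expected '$2', found '$cur'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files mirroring the before/after states under Symptoms.
tmp=$(mktemp -d)
printf '%s\n' 'smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2' \
    'smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2' > "$tmp/before.cf"
printf '%s\n' 'smtpd_tls_protocols = TLSv1.1 TLSv1.2' \
    'smtpd_tls_mandatory_protocols = TLSv1.1 TLSv1.2' > "$tmp/after.cf"
expected='TLSv1 TLSv1.1 TLSv1.2'
check_tls_drift "$tmp/before.cf" "$expected" && echo "before.cf: unchanged"
check_tls_drift "$tmp/after.cf" "$expected" || echo "after.cf: settings were reset"
rm -rf "$tmp"
```

On a live server, point check_tls_drift at /etc/postfix/main.cf and run it after each mail certificate renewal.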