I am trying to set up SSL/TLS security for a domain hosted on an Apache/Plesk server
I’ve gone to the domain name in CloudFlare and selected SSL/TLS/Origin Server
I’ve created the certificate and private key
I’ve copied them into Plesk
Plesk reports that webmail.domainname, *.domainname and IMAP, POP and SMTP are secured
However something is not working
When I connect to the email account in Outlook I can only connect unencrypted - ports 110 (POP3), 143 (IMAP) and 25 (SMTP).
Also when I visit mail.domainname or webmail.domainname in a browser, Kaspersky blocks me with the messages “This certificate or the certificate chain is built on an untrusted root center” for webmail. and " Self-signed certificate" for mail.
You would need to either purchase an valid SSL certificate one for your mail hostname, or generate one using for example one of Let’s Encrypt methods.
Furthermore, to make your e-mail service work propperly, kindly click on the button in a row at DNS tab where is A mail to make it (DNS only). Your A mail hostname (DNS record) should be unproxied cloud.
Usually the A type record like mail.example.com should be cloud (DNS-only) because otherwise your e-mails will not work.
Nevertheless, the MX type record should point to a hostname that is set to (as stated from above mail.example.com).
Cloudflare’s default configuration only allows proxying of HTTP traffic and will break mail traffic.
Do not DNS records used to receive mail: Cloudflare does not proxy mail traffic by default.
Kindly, may I suggest below article how to properly setup e-mail for your domain while using Cloudflare:
True as far as stated:
Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use Origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.
To make sure your root domain and any other sub-domain (web related like webmail) is set to proxied to make sure it would work over HTTPS while using Cloudflare Origin CA certificate and also make sure your SSL option is set to Full (Strict)at the SSL/TLS tab of Cloudflare dashboard for your domain:
Here is a way to re-check if you correctly setup the SSL for your domain with Cloudflare:
So if I’m reading this right, Cloudflare Origin Certificates do not work for mail.domainname or webmail.domainname even though it’ll work for *.domainname if the DNS records are set to DNS only rather than Proxied.
And those records should be set to DNS only rather than Proxied otherwise the mail will fail. Am I correct?