Can't get Origin Server certificate to work with webmail or imap/pop3/smtp

I am trying to set up SSL/TLS security for a domain hosted on an Apache/Plesk server
I’ve gone to the domain name in CloudFlare and selected SSL/TLS/Origin Server
I’ve created the certificate and private key
I’ve copied them into Plesk
Plesk reports that webmail.domainname, *.domainname and IMAP, POP and SMTP are secured
However something is not working
When I connect to the email account in Outlook I can only connect unencrypted - ports 110 (POP3), 143 (IMAP) and 25 (SMTP).
Also when I visit mail.domainname or webmail.domainname in a browser, Kaspersky blocks me with the messages “This certificate or the certificate chain is built on an untrusted root center” for webmail. and " Self-signed certificate" for mail.

What am I doing wrong?

From the topic title, Cloudflare Origin CA certificate cannot be used with e-mail service and doesn’t work for e-mail, neither Cloudflare does proxy e-mail traffic (by default).


You would need to either purchase an valid SSL certificate one for your mail hostname, or generate one using for example one of Let’s Encrypt methods.

Furthermore, to make your e-mail service work propperly, kindly click on the :orange: button in a row at DNS tab where is A mail to make it :grey: (DNS only). Your A mail hostname (DNS record) should be unproxied :grey: cloud.

Usually the A type record like should be :grey: cloud (DNS-only) because otherwise your e-mails will not work.
Nevertheless, the MX type record should point to a hostname that is set to :grey: (as stated from above

Cloudflare’s default configuration only allows proxying of HTTP traffic and will break mail traffic.

Do not :orange: DNS records used to receive mail: Cloudflare does not proxy mail traffic by default.

Kindly, may I suggest below article how to properly setup e-mail for your domain while using Cloudflare:

True as far as stated:

Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use Origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.

To make sure your root domain and any other sub-domain (web related like webmail) is set to proxied :orange: to make sure it would work over HTTPS while using Cloudflare Origin CA certificate and also make sure your SSL option is set to Full (Strict) at the SSL/TLS tab of Cloudflare dashboard for your domain:

Here is a way to re-check if you correctly setup the SSL for your domain with Cloudflare:

So if I’m reading this right, Cloudflare Origin Certificates do not work for mail.domainname or webmail.domainname even though it’ll work for *.domainname if the DNS records are set to DNS only rather than Proxied.

And those records should be set to DNS only rather than Proxied otherwise the mail will fail. Am I correct?

Cloudflare Origin Certificates are only to secure the connection between Cloudflare and the origin webserver for DNS entries that are proxied :orange:. They are of no use in any other scenario.

Cloudflare only proxy HTTP protocols, so names used for mail protocols like SMTP, IMAP and POP3 need to be :grey:

1 Like

OK, thanks. Looks like this won’t fix the problem then

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.