Article ID: 1062, created on Oct 6, 2008, last review on Aug 15, 2016

  • Applies to:
  • Plesk for Linux/Unix


How to change the default certificates for SMTP, IMAP, and POP3 over SSL?


The certificate for SMTP over SSL is located in the following files:

  1. For QMail MTA: /var/qmail/control/servercert.pem
  2. For Postfix MTA: /etc/postfix/postfix_default.pem
  3. For Dovecot: /etc/dovecot/private/ssl-cert-and-key.pem

Note: Only QMail MTA is used in Plesk 8.x and earlier. Use the instructions in KB article #5801 to determine which MTA is used in Plesk 9.x and later.

For IMAP4 and POP3 over SSL (only applicable for a Courier-IMAP server), the following certificate files are used:

  1. /usr/share/courier-imap/imapd.pem
  2. /usr/share/courier-imap/pop3d.pem

By default, these are self-signed certificates that are generated during the Plesk installation. To use your own certificates, create a backup of the existing files, paste your certificate and Private Key into the appropriate files, and restart the qmail/postfix and courier-imap services:

For Plesk version 8.6 and earlier:

    ~# /etc/init.d/xinetd restart
    ~# /etc/init.d/courier-imap restart

For Plesk version 9.x and later:

    ~# /usr/local/psa/admin/sbin/mailmng --restart-service

It is important to specify the domain the certificate was issued for. This avoids a warning that the certificate name does not match that of the host you are connecting to. For example, if the certificate was issued for, then should be specified as the connection string in your mail client preferences for SMTP/POP3/IMAP servers.

NOTE: There is a single certificate for each of these services: SMTP, IMAP4, and POP3 over SSL. Multiple certificates cannot be used for multiple Plesk domains.

Additional Information:

/var/qmail/control/servercert.pem should include:

  1. The Private Key
  2. The primary certificate
  3. The intermediate certificate
  4. The root certificate

Make sure that you include the begin and end tags of the key and each certificate, including the dash lines. The resulting text should look like:

    -----BEGIN RSA PRIVATE KEY-----
    (Your Private Key here)
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    (Your Primary SSL certificate here)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Intermediate certificate here)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Root certificate here)
    -----END CERTIFICATE-----

The body of the SSL certificate in /usr/share/courier-imap/imapd.pem and /usr/share/courier-imap/pop3d.pem should look like:

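    -----BEGIN CERTIFICATE-----
    (Your Primary SSL certificate here)
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    (Your Private Key here)
    -----END RSA PRIVATE KEY-----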
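
A pre-flight check for the two file layouts above, run before restarting the mail services. This is an added example, not Plesk's own code; the helper names `lint_bundle` and `key_matches_cert` are hypothetical and the sample input is constructed.

```python
import re
import ssl

# Hypothetical helper names; the layouts checked are the two described above.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
MARKER = re.compile(r"-----(?:BEGIN|END) [A-Z0-9 ]+-----")

def lint_bundle(text, key_first=True):
    """Return a list of structural problems in a combined key + certificate file.

    key_first=True  -> key, then certificates (servercert.pem layout)
    key_first=False -> certificate(s), then key (imapd.pem / pop3d.pem layout)
    """
    problems = []
    labels = [label for label, _body in PEM_BLOCK.findall(text)]
    # Every BEGIN/END line must be half of a complete, same-label pair.
    if len(MARKER.findall(text)) != 2 * len(labels):
        problems.append("unpaired BEGIN/END line")
    keys = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("expected exactly 1 private key, found %d" % len(keys))
    if "CERTIFICATE" not in labels:
        problems.append("no certificate found")
    elif len(keys) == 1:
        expected = 0 if key_first else len(labels) - 1
        if keys[0] != expected:
            problems.append("private key is not %s in the file"
                            % ("first" if key_first else "last"))
    return problems

def key_matches_cert(path):
    """True if OpenSSL loads the file and the key belongs to its first certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(path)  # parses both parts, then checks key against cert
        return True
    except ssl.SSLError:
        return False

# Constructed sample with placeholder bodies: it passes the layout check only.
SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
          "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(lint_bundle(SAMPLE))                   # servercert.pem layout
    print(lint_bundle(SAMPLE, key_first=False))  # wrong order for this layout
```

Run `lint_bundle` on the file contents first to catch a dropped BEGIN or END line, then `key_matches_cert` on the file path to confirm that the key and certificate belong together.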

Additional information:

The SSL certificate can only be installed together with the matching Private Key, the one generated along with the Certificate Signing Request (CSR) that the Certificate Authority used to generate the certificate. The Private Key is stored only on the server and cannot be rebuilt to match an existing certificate.

If the Private Key has been lost, the certificate can no longer be installed.

To install the SSL certificate, find the Private Key. If it is not possible to locate the Private Key, contact the Certificate Authority that issued the certificate. They will reissue the SSL certificate.

Refer to the following KB article to install an SSL certificate issued for a domain:

How to install SSL certificate issued for domain
