Secure Plesk Webmail

Here’s how I install SSL certificates for Horde and Roundcube bundled with Plesk 12.0.18 to remove chain issues, and keep the certificate in scope of Plesk backups.

INSTALL

Firstly, install your webmail certificate in…

And then go to…

Get the file names for the webmail certificate and CA certificate and make a custom horde and roundcube template (paths to follow) adding the following directives.

THE DIRECTIVES

Apache files (horde.php and roundcube.php)

Nginx File (nginxWebmailPartial.php)

I do this because the CA directives are missing from the default Apache2 templates.

TEMPLATE LOCATION

Templates are located here..

copy the above files to

and then edit the files..

EDITING THE TEMPLATES

You need to find and replace the SSL directive/s in the template files and replace with the ones above.

horde.php line 83, and roundcube.php line 86

become…

nginxWebmailPartial.php, there’s a big chunk you need to remove, lines 10 to 26 (in your file)…

Becomes something like…

You can see I have also added ssl_session_cache in there along with HSTS, OCSP, dhparam and ECDH Curve.
Now regenerate the conf files with…

Your webmail will now be properly secured and you won’t get any chain issues when testing your site at ssllabs.

Please note CentOS paths are different. The psa folder is located in /usr/local/.

Thanks for reading, I am working on formatting this article better so you can copy and paste directives like previous guides, unfortunately the code tags wouldn’t wrap the above php sections.

Add OCSP to Plesk Panel

Here’s a guide on adding OCSP to your Plesk 11.5.30 or Plesk 12.0.18 Panel.
Firstly you need to create a file containing both your intermediate and CA certificate, lets call it domainCA.pem.
create the folder…

and upload domainCA.pem to it.

Now create a file called ocsp.inc in

and add the following nginx directives to it…

Next you need to add an include statement for ocsp.inc in the plesk.conf file…

Like so…

With the other include directives.

And restart the Plesk server with

You now have OCSP on your Plesk Panel.

You can also add these directives on a per domain basis in the Plesk Panel under

Plesk -> Domains -> yourdomain.tld -> Apache & Nginx Settings -> Additional nginx directives

Add HSTS to Plesk Panel

Here’s how you can add HTTP Strict Transport Security (HSTS) to your Plesk Panel.
This only applies to Plesk 11.5.30 and Plesk 12.0.18, older versions used lighttpd.

Locate the file and edit with your favourite editor…

And add the normal Nginx HSTS directive under the certificate entries like so…

Save the file and restart the Plesk server…

Now you have Strict Transport Security on your panel.
I will show you how to add OCSP to your Plesk Panel later in the week.

To add HSTS to domains hosted on Plesk, see Secure Redirect in Plesk