plesk / letsencrypt-plesk

Let’s Encrypt extension for Plesk gives all Plesk users the power to get a free Let’s Encrypt certificate with just a couple of clicks.
https://www.plesk.com/extensions/letsencrypt/

Plugin sends renewal notifications to ALL cert users on the same machine, regardless of separate customer accounts #91

Closed Bitpalast closed 7 years ago

Bitpalast commented 8 years ago

Let's Encrypt sends renewal messages for certificates when a cert comes close to its expiration date. In the Plesk environment these messages are distributed to all users who have installed a certificate using the Plesk plugin. Owners of domain A receive messages intended for domains B, C, D, E ..., owners of Domain B receive all messages intended for domains A, C, D, E ... and so on.

This behavior should be changed, because users only want to receive messages that were intended for their own certificate, not for the certificates that others are using.

We did try to blacklist the letsencrypt.org domain in the mail server, but this was not successful. It seems as if the plugin is mailing directly into the users' mailboxes on the machine.

korsarnsk commented 8 years ago

Thank you for the bug report. We will check and fix the issue.

vlikhtanskiy commented 8 years ago

Could you please provide the following information:

  1. What is the version of the extension (you can see it on extensions list)?
  2. Who sends these emails (Plesk or the Let's Encrypt service)? Could you please post the headers of the message?

tyrann0us commented 8 years ago

The emails are being sent from expiry@letsencrypt.org. @Bitpalast do you have an example mail header to post? I can post one if you want. (I reported Bugtracker ID 0005395.)

xgin commented 8 years ago

Could you describe how the certificates were issued? Did you create it with CLI? Did the domain's owner create it by himself? The email for the notification is specified during the certificate creation.

The notification is sent by Let's Encrypt CA server, not by Plesk or by the plugin. That's why you could not blacklist it.

Bitpalast commented 8 years ago

Version of extension? 1.5, Plesk is set to auto-update the extension

Sender of mails? expiry@letsencrypt.org

Method of certificate generation? Using the Plesk extension only, not any console client. All settings are default.

Blacklist? Well, we have blacklisted the "letsencrypt.org" domain server-wide AND we have blacklisted the "expiry@letsencrypt.org" address in the server-wide anti-spam settings. Yet all mails go through.

Sample mail header? Did not save any, but when we did look at the header, it was only addressed to a single recipient. I'll watch out for a sample header and post it as it becomes available.

Who created the certs? The domain owners from within their customer accounts in Plesk did. All domain owners have only entered their own e-mail address into the extension's e-mail field, we've checked that as we went through the list that the extension provides. We also have a domain with a cert on a host ourselves and we are also receiving the notifications that are sent to the other cert owners. However, our e-mail address is external to that host.

Preliminary conclusion: As we are receiving notifications on an external (OFF machine) address that are also being sent to other customers ON the machine in question, it seems likely that upon certificate creation request the plugin is sending a list of addresses for notification to the authority.

We are sure that there must be a bug, because when we asked in Plesk forum to find other users who experience the same issue we did get at least one confirmation from another provider that they are experiencing the same.

tyrann0us commented 8 years ago

Anonymized sample header posted in consultation with @Bitpalast:

Return-Path: bounce-md_30850198.56fac495.v1-10b185d06d2b45deb16b2aef14325245@mandrillapp.com
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on xy.xyz.net
X-Spam-Flag: YES
X-Spam-Level: **
X-Spam-Status: Yes, score=98.9 required=4.0 tests=DKIM_SIGNED,DKIM_VALID,
    DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_MSPIKE_H2,RP_MATCHES_RCVD,
    URIBL_BLOCKED,USER_IN_BLACKLIST autolearn=no autolearn_force=no version=3.4.0
X-Spam-Report:
    *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
    *      See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
    *      for more information.
    *      [URIs: letsencrypt.org]
    * -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
    *      [198.2.180.5 listed in wl.mailspike.net]
    *  100 USER_IN_BLACKLIST From: address is in the user's black-list
    *  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
    *      domains are different
    * -1.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
    *      domain
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *      valid
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Original-To: abc@abc.org
Delivered-To: abc@abc.org
Received: from mail180-5.suw31.mandrillapp.com (mail180-5.suw31.mandrillapp.com [198.2.180.5])
    by xy.xyz.net (Postfix) with ESMTPS id 0459741406A7
    for abc@abc.org; Tue, 29 Mar 2016 20:08:20 +0200 (CEST)
Received-SPF: pass (xy.xyz.net: domain of mandrillapp.com designates 198.2.180.5 as permitted sender)
    client-ip=198.2.180.5;
    envelope-from=bounce-md_30850198.56fac495.v1-10b185d06d2b45deb16b2aef14325245@mandrillapp.com;
    helo=mail180-5.suw31.mandrillapp.com;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=letsencrypt.org;
    h=From:Subject:Message-Id:List-Unsubscribe:To:Date:MIME-Version:Content-Type:Content-Transfer-Encoding;
    i=expiry@letsencrypt.org; bh=2vEvDoznhzpjATHTVHWN7QANLkE=;
    b=ZbktJJhzIcJzpNss4+G9Hju55nPNugKC7muD9jpAehTW2VpLzuleAQK5xsXsVEG6S+LVRsjX4tg1
     o1VTK7ePiH/+lFEZ8q4nQzYAZLZQA8fnHUXbqROCV+GWId+BIOj+MD8ZibQVkm2wbLU4C1oPQX5I
     NcWTapAyEPx4Lj78Eqs=
Received: from pmta03.mandrill.prod.suw01.rsglab.com (127.0.0.1)
    by mail180-5.suw31.mandrillapp.com id hvb29g22sc0e
    for abc@abc.org; Tue, 29 Mar 2016 18:08:22 +0000
    (envelope-from bounce-md_30850198.56fac495.v1-10b185d06d2b45deb16b2aef14325245@mandrillapp.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com; i=@mandrillapp.com;
    q=dns/txt; s=mandrill; t=1459274901;
    h=From : Subject : Message-Id : List-Unsubscribe : To : Date : MIME-Version : Content-Type : Content-Transfer-Encoding : From : Subject : Date : X-Mandrill-User : List-Unsubscribe;
    bh=R7i7GwodPBfVAsV0RVKurfMFuZxJpZzH7f8fFTrdWIw=;
    b=N2EG2KdqPZCyjrFBP0eWYIrSKI/hemU9QA1BF5DVPCTQhLAsorclNH1PDdcrlwYiGEWDhu
     s5awSmzKiBBDa4ZgBqeHGzn1f+92qrStWznPGsQkFZJjJm2XW2lWk2XkHpZtaI4muoqFjSps
     OmVA1mFogdD1LyHuW0zmgXAnmVYfk=
From: expiry@letsencrypt.org
Subject: Let's Encrypt certificate expiration notice
Received: from [66.133.109.36] by mandrillapp.com id 10b185d06d2b45deb16b2aef14325245;
    Tue, 29 Mar 2016 18:08:21 +0000
Message-Id: 20160329T180821.3492917161615896397.expiry@letsencrypt.org
List-Unsubscribe: mailto:unsubscribe-md_30850198.56fac495.v1-10b185d06d2b45deb16b2aef14325245@mailin1.us2.mcsv.net?subject=unsub
To: abc@abc.org
X-Report-Abuse: Please forward a copy of this message, including all headers, to abuse@mandrill.com
X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=30850198.10b185d06d2b45deb16b2aef14325245
X-Mandrill-User: md_30850198
Date: Tue, 29 Mar 2016 18:08:21 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
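The question vlikhtanskiy asked (who generates these mails, Plesk or the CA?) is answered by the Received chain and the DKIM signatures in the header above. The script below is an added example, not part of this thread or of the Plesk extension: it parses a trimmed copy of the anonymized header (constructed sample; X-Spam-Report dropped and the DKIM b= values cut to one line), walks the hops earliest-first, pulls the signing domains, and reports where the message entered the Plesk host. The host name xy.xyz.net is the anonymized receiving server from the posted header; the hop regexes assume the usual "from X ... by Y" layout of Received lines.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: trimmed copy of the anonymized header posted in this thread.
RAW_HEADERS = """Return-Path: <bounce-md_30850198.56fac495.v1-10b185d06d2b45deb16b2aef14325245@mandrillapp.com>
X-Spam-Flag: YES
X-Spam-Status: Yes, score=98.9 required=4.0 tests=DKIM_SIGNED,DKIM_VALID,
\tDKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_MSPIKE_H2,RP_MATCHES_RCVD,
\tURIBL_BLOCKED,USER_IN_BLACKLIST autolearn=no autolearn_force=no version=3.4.0
Delivered-To: abc@abc.org
Received: from mail180-5.suw31.mandrillapp.com (mail180-5.suw31.mandrillapp.com [198.2.180.5])
\tby xy.xyz.net (Postfix) with ESMTPS id 0459741406A7
\tfor <abc@abc.org>; Tue, 29 Mar 2016 20:08:20 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=letsencrypt.org;
\th=From:Subject:Message-Id:List-Unsubscribe:To:Date:MIME-Version:Content-Type:Content-Transfer-Encoding;
\ti=expiry@letsencrypt.org; bh=2vEvDoznhzpjATHTVHWN7QANLkE=;
\tb=ZbktJJhzIcJzpNss4+G9Hju55nPNugKC7muD9jpAehTW2VpLzuleAQK5xsXsVEG6S+LVRsjX4tg1
Received: from pmta03.mandrill.prod.suw01.rsglab.com (127.0.0.1)
\tby mail180-5.suw31.mandrillapp.com id hvb29g22sc0e for <abc@abc.org>;
\tTue, 29 Mar 2016 18:08:22 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com; i=@mandrillapp.com;
\tq=dns/txt; s=mandrill; t=1459274901; h=From:Subject:To; bh=R7i7GwodPBfVAsV0RVKurfMFuZxJpZzH7f8fFTrdWIw=;
\tb=N2EG2KdqPZCyjrFBP0eWYIrSKI/hemU9QA1BF5DVPCTQhLAsorclNH1PDdcrlwYiGEWDhu
From: expiry@letsencrypt.org
Subject: Let's Encrypt certificate expiration notice
Received: from [66.133.109.36] by mandrillapp.com id 10b185d06d2b45deb16b2aef14325245;
\tTue, 29 Mar 2016 18:08:21 +0000
To: abc@abc.org
Date: Tue, 29 Mar 2016 18:08:21 +0000
"""

LOCAL_HOST = "xy.xyz.net"  # the receiving Plesk host, as anonymized in the posted header


def parse_headers(raw):
    """Parse a raw header block (folded continuation lines included)."""
    return email.message_from_string(raw, policy=policy.default)


def received_chain(msg):
    """Each relay prepends its own Received header, so the last one in the block is
    the earliest hop. Return hops earliest-first as {"from": ..., "by": ...}."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(value))
        m_from = re.match(r"from (\S+)", text)
        m_by = re.search(r"\bby (\S+)", text)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "by": m_by.group(1) if m_by else None})
    return hops


def dkim_signing_domains(msg):
    """The d= tag of every DKIM-Signature names the domain whose key signed the mail."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = dict(t.split("=", 1) for t in re.sub(r"\s+", "", str(value)).split(";") if "=" in t)
        domains.append(tags.get("d"))
    return domains


def classify_origin(msg, local_host=LOCAL_HOST):
    """Was the message generated on local_host, or handed in from outside? Also
    collect the facts needed to judge whether a sender-based block could match."""
    hops = received_chain(msg)
    entry = next((h for h in hops if h["by"] == local_host), None)

    def domain(addr):
        return parseaddr(str(addr or ""))[1].rpartition("@")[2]

    return {
        "earliest_hop": hops[0]["from"] if hops else None,
        "entry_relay": entry["from"] if entry else None,
        "generated_locally": bool(hops) and hops[0]["by"] == local_host,
        "header_from_domain": domain(msg["From"]),          # what the user sees
        "envelope_from_domain": domain(msg["Return-Path"]),  # what SMTP-level blocks see
        "dkim_domains": dkim_signing_domains(msg),
        "blacklist_hit": "USER_IN_BLACKLIST" in msg.get("X-Spam-Status", ""),
        "delivered": msg.get("Delivered-To") is not None,
    }


if __name__ == "__main__":
    for key, val in classify_origin(parse_headers(RAW_HEADERS)).items():
        print(f"{key:22} {val}")
```

On the posted header this yields: earliest hop [66.133.109.36] handed to mandrillapp.com, entry into xy.xyz.net from mail180-5.suw31.mandrillapp.com, signatures by letsencrypt.org and mandrillapp.com, generated_locally False. That is the evidence for xgin's point that the CA's mailer, not the plugin, sends the notice. It also explains why the server-wide block did not stop it: the envelope sender is a mandrillapp.com bounce address, only the visible From is letsencrypt.org, and although the user's own blacklist rule did fire (USER_IN_BLACKLIST, 100 points, X-Spam-Flag YES) the message was still delivered, so the filter tagged rather than rejected it.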

Brujo-oe commented 8 years ago

In my case the first Let's Encrypt certificate created via the Plesk panel (not CLI) was, for example, for domain1.de with the email hostmaster@domain1.de. Now this email address hostmaster@domain1.de also receives the Let's Encrypt certificate expiration notice for certs created later for domain2.de, domain3.de and so on, regardless of whether the cert was issued as administrator or by the domain owner himself. The certs were mostly first issued in early February. I checked each domain with a letsencrypt cert and each of them has its own mail address filled in.

The current version is: plesk-letsencrypt-pre-1.0.0-centos6.16032214.x86_64, but I am sure the certs were issued before that version; there was an update in between.

The mail header looks similar to the one above (except for the blacklist stuff) and comes from expiry@letsencrypt.org.

Also, what led me to conclude that this is/was an issue within letsencrypt is the following. On 14 March I received: Your certificate (or certificates) for the names listed below will expire in 19 days (on 03 Apr 16 13:43 +0000).

On March 23 I received: Your certificate (or certificates) for the names listed below will expire in 19 days (on 11 Apr 16 20:05 +0000).

On March 24 I received: Your certificate (or certificates) for the names listed below will expire in 9 days (on 03 Apr 16 13:43 +0000).

On March 26 I received: Your certificate (or certificates) for the names listed below will expire in 19 days (on 14 Apr 16 22:02 +0000).

And that for the same domains with different end dates? And best of all, the cert is valid from 04.03.2016 to 02.06.2016?? So it looks like it is also triggered if the cert was automatically extended, or extended manually by the user in the panel?

pfigel commented 8 years ago

> And that for the same domains with different end dates? And best of all, the cert is valid from 04.03.2016 to 02.06.2016?? So it looks like it is also triggered if the cert was automatically extended, or extended manually by the user in the panel?

Regarding this: Let's Encrypt made a change to their expiration mailer on March 17th. For any certificate issued after this date, you won't be receiving any expiration mails if you renew/extend them within 60 days. For certificates issued before this date, you will continue receiving notifications until those certificates expire (which, if my math is right, should be in about two weeks at the latest).

Bitpalast commented 8 years ago

Thank you for this info. It will help the expiration notice issue. However, the e-mail address associated with a cert could also be used for other notifications. We'd still prefer the issue itself to be solved, because else private messages from the cert authority could accidentally be distributed to users who are not entitled to read them.

bdaehlie commented 7 years ago

Josh from Let's Encrypt here. We are starting to receive a higher volume of email from people confused about receiving expiration notices for domains they do not control. It would be great if this bug could be fixed so as to avoid that confusion, which often results in reports to our security@ address.

xgin commented 7 years ago

Since version 2.0 we create a new registration for each unique email (assumed to be the domain owner). I consider the issue fixed now.

h9k commented 7 years ago

I have v2.0.1 but customers are mailing me about the same issue: they get notifications for domains they do not own! The certificates were registered with pre-v2 though. Does this mean I need to uninstall all the Let's Encrypt certificates and create new ones to fix the issue?

rkosolapov commented 7 years ago

@h9k , we have a plan to provide the solution soon. Certificates reinstall will not help :(

vvolodko commented 7 years ago

Reinstalling certificates in ext-letsencrypt-2.* will create a new LE.org account per subscription; this will prevent notifications for foreign domains in future.

In order to unsubscribe from notifications for the current LE.org account created by ext-letsencrypt-1.*, one could visit the link in the notification email (something like "If you are receiving this email in error, unsubscribe at ...").
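xgin's fix (one registration per unique e-mail) and the reinstall discussion that follows it both come down to how the CA's expiry mailer fans notices out: to every contact of the ACME account that issued the certificate. The model below is an added example, not code from the extension or from Let's Encrypt. The single server-wide registration for the 1.x extension, the 20-day notice window, and the rule that only a later certificate for the same name set issued by the same account counts as a renewal are assumptions chosen to reproduce what the thread reports; the account IDs and addresses are made up.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Date of the anonymized sample notice in this thread; used as "today" below.
TODAY = date(2016, 3, 29)


@dataclass(frozen=True)
class Certificate:
    names: frozenset
    account_id: str
    not_before: date
    not_after: date


@dataclass
class ToyCA:
    """Minimal model of the CA side: ACME registrations (accounts) with their
    contact addresses, and the certificates each account has issued."""
    contacts: dict = field(default_factory=dict)   # account_id -> {contact e-mails}
    certs: list = field(default_factory=list)

    def register(self, account_id, *emails):
        self.contacts.setdefault(account_id, set()).update(emails)

    def issue(self, account_id, names, not_before, lifetime_days=90):
        if account_id not in self.contacts:
            raise KeyError(f"no registration for {account_id!r}")
        cert = Certificate(frozenset(names), account_id, not_before,
                           not_before + timedelta(days=lifetime_days))
        self.certs.append(cert)
        return cert

    def _renewed(self, cert):
        # Assumed matching rule: a later certificate for the same name set issued by
        # the SAME account counts as a renewal. A reissue under another account does not.
        return any(c.account_id == cert.account_id and c.names == cert.names
                   and c.not_before > cert.not_before for c in self.certs)

    def expiry_notices(self, today, window_days=20):
        """The expiry mailer as modelled here: every unrenewed certificate expiring
        within the window is announced to EVERY contact of its account.
        Returns {contact e-mail: {name sets it was told about}}."""
        notices = {}
        for cert in self.certs:
            days_left = (cert.not_after - today).days
            if not 0 <= days_left <= window_days or self._renewed(cert):
                continue
            for contact in self.contacts[cert.account_id]:
                notices.setdefault(contact, set()).add(cert.names)
        return notices


def shared_account_scenario(today=TODAY):
    """ext-letsencrypt 1.x as the thread describes it (assumed model): one
    registration for the whole server carrying every owner's address, including
    Bitpalast's off-host one."""
    ca = ToyCA()
    ca.register("plesk-server", "owner@a.example", "owner@b.example", "admin@offhost.example")
    issued = today - timedelta(days=80)          # 10 days left: inside the window
    ca.issue("plesk-server", ["a.example", "www.a.example"], issued)
    ca.issue("plesk-server", ["b.example"], issued)
    return ca.expiry_notices(today)


def per_owner_scenario(today=TODAY):
    """ext-letsencrypt 2.x: one registration per unique contact e-mail."""
    ca = ToyCA()
    ca.register("acct-a", "owner@a.example")
    ca.register("acct-b", "owner@b.example")
    issued = today - timedelta(days=80)
    ca.issue("acct-a", ["a.example", "www.a.example"], issued)
    ca.issue("acct-b", ["b.example"], issued)
    return ca.expiry_notices(today)


def migration_scenario(today=TODAY):
    """After the upgrade: a.example is reissued under a fresh per-owner account,
    b.example is renewed inside the old shared account. Only the same-account
    renewal silences the old certificate's notice; the old a.example cert still
    mails both owners until it expires."""
    ca = ToyCA()
    ca.register("plesk-server", "owner@a.example", "owner@b.example")
    old = today - timedelta(days=80)
    ca.issue("plesk-server", ["a.example"], old)
    ca.issue("plesk-server", ["b.example"], old)
    ca.register("acct-a", "owner@a.example")
    ca.issue("acct-a", ["a.example"], today - timedelta(days=1))        # new account
    ca.issue("plesk-server", ["b.example"], today - timedelta(days=1))  # same account
    return ca.expiry_notices(today)


if __name__ == "__main__":
    for scenario in (shared_account_scenario, per_owner_scenario, migration_scenario):
        print(scenario.__name__, {k: sorted(map(sorted, v)) for k, v in scenario().items()})
```

In the shared-account run every contact, including the off-host admin address, is told about both domains; in the per-owner run each contact sees only its own names. The migration run shows why reinstalling alone does not silence the old account: the leftover a.example certificate still belongs to plesk-server and keeps mailing all of that account's contacts until it expires, which is the case the unsubscribe link in the notice is for.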

h9k commented 7 years ago

So this means every client has to fix the problem by themselves and I cannot fix it for them in any way?