Plesk Onyx + lets encrypt + iphone (lack of trust button)

My idea is completely speculative. If I see it correctly, it's not really clear what the iPhone is doing. So speculative tests may produce a solution.

Well... That's SNI support for the web server (which is different from the mail servers).

You could use these instructions to verify if SNI for mail is working... (If it is not working, there is an issue... mostly a common name mismatch.)
https://blog.webhosting.net/how-to-verify-that-mail-sni-domain-sni-ssltls-for-imappop3smtp-works-in-cpanel-and-a-proper-certificate-is-installed/

If the output certificate is your server certificate, that mostly means SNI is not working (or not set up) for the mail server...

Thank you

There:

https://support.plesk.com/hc/en-us/articles/115002974174-Is-there-SNI-support-for-SMTP-IMAP-POP3-

Adjust mail client software to use the domain name, which has the valid SSL/TLS certificate issued (e.g. mail.example.com has a valid SSL certificate), instead of mail.exampletwo.com (has no valid SSL certificate).

In order to expose the server as secured to other mail servers in Internet, change MX DNS records for all domains from mail.exampletwo.com to mail.example.com.

But: your default configuration (which is used without SNI) sends the Plesk self-signed certificate.

According to Plesk… the OP needs to instruct his clients to use host.webinteractiveconsulting.com instead of all other domains (hostnames) in the server field of all mail configurations…

Also, the certificates provided on SMTP / POP3S / IMAPS are valid certificates (just without SNI support, so only one certificate is provided).

P.S. I have no idea why Plesk won't support SNI for mail servers… cPanel supports this feature way better…

oh… so this is a known issue :(

The people's comments talk about this exact problem?
Uhm, so for now it seems buying the 2-year cert is the best solution. Not sure when Plesk will fix/change it?

BUT question… why does renewing the cert cause the problem?

If a certificate isn't recognised for a reason and you add an exemption for that certificate, after a renewal, that new certificate won't have that same exemption.

As far as I can see it, you'll need to include all the hostnames the e-mail clients use into one certificate and use that single certificate for the e-mail services. That way, you won't need to rely on SNI and that way all clients should trust the e-mail services.

Also, you mention smtp.501ranch.com once as a used hostname. But that hostname isn't included in a certificate. Therefore, using smtp.501ranch.com will always result in a security error/warning. If you want to use the hostname smtp.501ranch.com, you'll need to include it in the certificate too.

Basically, it's very simple: if you want to bypass SNI troubles, get a single certificate for all hostnames used by the clients and use that single certificate for all the services.
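The two checks this thread relies on, probing what certificate the mail server actually presents with and without SNI (the test from the linked cPanel article) and confirming that one certificate covers every hostname the mail clients have in their server field (the advice in the last reply), as an added example that is not code from the thread, from Plesk or from the cPanel article. It uses only the Python standard library. mail.example.com, the port list and the hostname list are assumptions for illustration; substitute the hostnames your own clients use (in the thread, host.webinteractiveconsulting.com and smtp.501ranch.com). Note that Python's `getpeercert()` returns an empty dict when the chain does not validate, which is exactly what a self-signed Plesk default certificate produces, so a server that answers without SNI with that certificate shows up as "not trusted" rather than as a name mismatch.

```python
"""Mail TLS checks: what certificate a server sends (with / without SNI) and
which client-facing hostnames a certificate covers.

Added example, not from the thread. All hostnames and ports are assumptions.
"""
import socket
import ssl


def hostname_covered(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(): a dict
    with 'subject' and 'subjectAltName' entries (empty if the chain did not
    validate). Rules follow what mail clients do: exact match on a SAN DNS
    entry, or a single leading '*' label that stands for exactly one label
    ('*.example.com' matches 'mail.example.com' but not 'example.com' or
    'a.b.example.com'). commonName is only consulted when there is no SAN.
    """
    hostname = hostname.lower().rstrip(".")
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy certificate without SAN: fall back to the CN
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    h_labels = hostname.split(".")
    for name in names:
        n_labels = name.lower().rstrip(".").split(".")
        if n_labels == h_labels:
            return True
        if (n_labels[0] == "*" and len(n_labels) >= 3
                and len(h_labels) == len(n_labels)
                and h_labels[1:] == n_labels[1:]):
            return True
    return False


def missing_hostnames(cert: dict, hostnames) -> list:
    """Hostnames (as typed into mail clients) that `cert` does not cover."""
    return [h for h in hostnames if not hostname_covered(cert, h)]


def fetch_mail_cert(host: str, port: int, servername=None, timeout=10) -> dict:
    """Connect to host:port and return the certificate the server presents.

    servername=None deliberately omits SNI, to see the server's default
    certificate; servername='mail.example.com' asks for that name via SNI.
    Port 587 is SMTP submission (plaintext EHLO, then STARTTLS); 465, 993
    and 995 are implicit TLS. The chain must validate against the system CA
    store (ssl.SSLCertVerificationError otherwise); hostname checking is
    disabled so a name mismatch is reported by missing_hostnames() instead.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    sock = socket.create_connection((host, port), timeout=timeout)
    if port == 587:
        reader = sock.makefile("rb")

        def reply() -> bytes:
            line = reader.readline()
            while line[3:4] == b"-":  # multi-line SMTP reply, keep reading
                line = reader.readline()
            return line

        reply()  # 220 greeting
        sock.sendall(b"EHLO probe.invalid\r\n")
        reply()
        sock.sendall(b"STARTTLS\r\n")
        if not reply().startswith(b"220"):
            sock.close()
            raise RuntimeError("server refused STARTTLS on port 587")
    tls = ctx.wrap_socket(sock, server_hostname=servername)
    try:
        return tls.getpeercert()
    finally:
        tls.close()


def report(host: str, client_hostnames, ports=(465, 587, 993, 995)) -> dict:
    """Probe each port with and without SNI; map (port, sni) -> missing names."""
    result = {}
    for port in ports:
        for sni in (None, host):
            try:
                cert = fetch_mail_cert(host, port, servername=sni)
                result[(port, sni)] = missing_hostnames(cert, client_hostnames)
            except ssl.SSLCertVerificationError as exc:
                # self-signed / wrong chain: the client would not trust it at all
                result[(port, sni)] = ["<chain not trusted: %s>" % exc.verify_message]
            except (OSError, RuntimeError) as exc:
                result[(port, sni)] = ["<connection failed: %s>" % exc]
    return result


if __name__ == "__main__":
    # assumed names: the server and the hostnames configured in mail clients
    for key, missing in report("mail.example.com",
                               ["mail.example.com", "smtp.exampletwo.com"]).items():
        print(key, "OK" if not missing else "NOT covered: %s" % missing)
```

An entry such as `(993, None)` reporting the chain as not trusted while `(993, 'mail.example.com')` reports every hostname as covered is the SNI-only situation described above: clients that do not send SNI, or send a name the server has no certificate for, fall back to the default certificate. The fix the last reply proposes shows up as every `(port, sni)` entry returning an empty list once all client hostnames are in the one certificate.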
