Certificate for mail server



I am running 2 Debian machines, one as a mail server and one as a web server.
Certs work fine for my web server, because it has ports 80 and 443 forwarded to it. The problem is when I make certificates for my mail server.

I use SSL encryption for my mail server, but I can't make a certificate with certbot because it needs to check it by using a web server.

I was wondering how I could fix this. If you need any information let me know.


Domain: hedium.nl / mail.hedium.nl
Certbot Version: 0.10.2
Mail server is postfix with dovecot.


Two options:

  • get the cert on the webserver and transfer it somehow securely to your mailserver (e.g. with scp)
  • use certbot on the mailserver with the DNS challenge. For automated renewal it would require a DNS provider with an API.
  • use certbot on the mailserver with your webserver configured as a reverse proxy for the hostname of your mailserver, assuming it has its own distinct FQDN. Otherwise you could have used a cert of the webserver in the first place.


Also, you could run Certbot on the mail server using --standalone (if there’s nothing listening on port 80 there).


Seeing the use of “forwarded”, I assume both servers are behind some kind of NAT device, sharing a single public IP address?

By the way, if using the reverse proxy trick, using standalone would be very useful on the mailserver too!


Hi, I was also thinking about transferring the ssl file from my web server. Going to try this out.

And yeah, I only have one IP address.


Ok, I got the cert moved with a script. Works great.

Do I need to reload postfix and dovecot every time I update the cert?


Yes. Just reloading is fine, no restart required.
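An added example (not a script posted in this thread) that ties the scp option from the earlier reply to the reload answer just above: a certbot deploy hook that runs on the web server after a successful renewal, copies the new chain and key to the mail server, and reloads Postfix and Dovecot there. It assumes certbot's `--deploy-hook` (0.17 and later; the thread's 0.10.2 has `--renew-hook`, which exports the same `RENEWED_LINEAGE` and `RENEWED_DOMAINS` variables), an SSH target named mail.hedium.nl, a dedicated `certdeploy` account, a remote directory `/etc/ssl/mail`, and a `DRY_RUN` variable for testing; all of those names are assumptions, not anything from the original post.

```shell
#!/bin/sh
# Added example, not a script from the thread. Intended as a certbot deploy hook
# on the web server (certbot >= 0.17: --deploy-hook; the thread's 0.10.2 has
# --renew-hook, which exports the same RENEWED_* variables). After a successful
# renewal it copies the new certificate to the mail server and reloads Postfix
# and Dovecot there. Assumed names: SSH target mail.hedium.nl, a dedicated
# "certdeploy" account, remote directory /etc/ssl/mail, DRY_RUN for testing.
set -eu

MAIL_HOST="${MAIL_HOST:-mail.hedium.nl}"
MAIL_USER="${MAIL_USER:-certdeploy}"
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/mail}"

# domain_in_list LIST NAME: succeed if NAME is one of the space-separated
# names in LIST (certbot's RENEWED_DOMAINS has that shape).
domain_in_list() {
  for d in $1; do
    [ "$d" = "$2" ] && return 0
  done
  return 1
}

# deploy_mail_cert LINEAGE_DIR [echo]: copy fullchain.pem and privkey.pem from
# the lineage directory to the mail server and reload both daemons. Passing
# "echo" as the second argument prints the commands instead of running them.
deploy_mail_cert() {
  lineage="$1"
  run="${2:-}"
  # Only the two files the daemons need, over the existing SSH trust; never
  # a world-readable share or an unauthenticated copy for the private key.
  $run scp -q "$lineage/fullchain.pem" "$lineage/privkey.pem" \
    "$MAIL_USER@$MAIL_HOST:$REMOTE_DIR/"
  # Tighten the key's mode, then reload (not restart) so live SMTP/IMAP
  # sessions are kept. The sudoers entry on the mail host should allow
  # exactly these two reload commands and nothing else.
  $run ssh "$MAIL_USER@$MAIL_HOST" \
    "chmod 600 $REMOTE_DIR/privkey.pem && sudo systemctl reload postfix && sudo systemctl reload dovecot"
}

main() {
  # certbot runs the hook once per renewed lineage; only act on the one
  # that actually covers the mail hostname.
  if ! domain_in_list "${RENEWED_DOMAINS:-}" "$MAIL_HOST"; then
    echo "renewed lineage does not cover $MAIL_HOST, nothing to deploy" >&2
    return 0
  fi
  run=""
  if [ -n "${DRY_RUN:-}" ]; then run="echo"; fi
  deploy_mail_cert "$RENEWED_LINEAGE" "$run"
}

# certbot exports RENEWED_LINEAGE when it calls the hook; when the file is
# run or sourced by hand without it, define the functions and do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Usage, under the same assumptions: on the web server, `certbot certonly --webroot -w /var/www/html -d mail.hedium.nl --deploy-hook /usr/local/sbin/deploy-mail-cert.sh` (the webroot works because both hosts share the one public IP and port 80 is forwarded to the web server). On the mail server, give `certdeploy` write access to `/etc/ssl/mail` only, and a sudoers line of the form `certdeploy ALL=(root) NOPASSWD: /bin/systemctl reload postfix, /bin/systemctl reload dovecot`; point Postfix at the copied files with `smtpd_tls_cert_file = /etc/ssl/mail/fullchain.pem` and `smtpd_tls_key_file = /etc/ssl/mail/privkey.pem`, and Dovecot with `ssl_cert = </etc/ssl/mail/fullchain.pem` and `ssl_key = </etc/ssl/mail/privkey.pem`. Both daemons read the key as root at reload time, so the key never needs to be readable by anyone else.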


Alright, thanks for all the help!
