Certificates for Postfix backup server


Hi friends,
I would to know how, for a (Postfix) backup email server, Letsencrypt work.

For example, on the backup server just copy the certificates from the main server?
Or is it better install certbot on the backup server and request new? Considering that on the email backup server I would not install Apache…

many (again) thanks! :slight_smile:


Does your backup mailserver have the same FQDN? Or is it a different one?

Does your backup mailserver have the same IP address? Or is it a different one?

  1. No, different FQDN
  2. No, different IP address



Then using the certificate for the “main” Postfix server, with a different (set of) FQDN(s) in the certificate than the backup server, won’t work on the backup server, assuming this is also how they are advertised in the MX records.

Then it’s not possible to get the certificate for the backup server issued automatically on the main server.

If the backup server is totally different, i.e., has a different hostname which isn’t present in the certificate for the main server, and has a different IP address (makes sense obviously ;)), most likely you’ll need to get a separate certificate issued for the backup server.

You can use the standalone plugin for that, assuming the firewall of the backup server isn’t blocking incoming TCP port 80 or 443 (using resp. --preferred-challenges http or --preferred-challenges tls-sni).


Ok I will try and then report!

for the Email Client could be a problem fetch “two” different certificates for the same email address?

Many many thanks!


I’m not sure if I understand the question. What does the “email address” have to do with it? A certificate isn’t bound to an email address, it’s bound to a server on a specific hostname (FQDN).

Also, speaking about an “email client” makes me wonder if we’re talking about the same situation. I assumed, mostly because of lack of information, you were talking about a backup SMTP server in the context of adding a backup server with a lower priority to your list of MX records of your domain name. But now when you’re talking about “email clients”, I’m not sure if we mean the same. I’m also not sure if it would make a difference though, I’m thinking it doesn’t :slight_smile:


Yes, I’m talking about this.
Only, I came to doubt if for the Email Client (as Thunderbird) handle two certificates, one for the first email server, and the second for the backup email server, may result problematic. But by your answer, seem to understand I do not have to worry…



E-mail clients such as Thunderbird do not use MX records and therefore won’t directly connect to your main nor backup Postfix server. They will connect to whatever mailserver the user sets the outgoing SMTP server to. That has nothing to do with MX records.


Yes, but Email Client handle certificates for encrypted transmission. Two Email server with two different FQDN equal two different certificates. But I think, from what you say, that there are no problems.


Obtain certificate for backup emal server on third-level domain

But before you were saying it was for your MX records? I don’t understand… What is it. MX records or user e-mail clients such as Thunderbird?


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.