Certifying a mail server without a running web server

I want to certify a mail server (running Dovecot, Postfix and MySQL) on my home network with a real domain (lampworx.co.uk) hosted on 123-reg with the MX record pointing to my server. However, it seems that certification applies to web servers only and I don’t currently run one on my server. Do I have to run a web server in order to authenticate the domain via ports 80 or 443?

Thanks

Dean

Hi Dean,

Review the challenge types and you will learn that your statement is not 100% accurate.

Have a search for DNS, Cloudflare and certbot on this forum and you will find an article on how to automate renewals with the DNS challenge.

Andrei

As Andrei mentioned, you have the option of the dns-01 challenge, and also the tls-sni-01 challenge.

However, temporarily running a web server (Certbot can be the web server for you) may just be the easier option!


Hi,

I’ve tried the following:

```
sudo certbot auth --dry-run --agree-tos --text --preferred-challenges tls-sni --standalone --email deanb@lampworx.co.uk -d oak.lampworx.co.uk
```

The outcome of this was (truncated):

```
Domain: oak.lampworx.co.uk
Type: connection
Detail: Error getting validation data
Failed authorization procedure. oak.lampworx.co.uk (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data
```

Cheers

The TLS-SNI-01 challenge happens over port 443. Do you have this port permitted on the network? Does the domain definitely point to this server?

@dno - I'm unable to reach the IP your domain name resolves to over port 443. I checked the Let's Encrypt staging server's validation logs and it receives the same error I do:

```
$ curl https://oak.lampworx.co.uk:443
curl: (7) Failed to connect to oak.lampworx.co.uk port 443: No route to host
$ curl 217.32.145.4:443
curl: (7) Failed to connect to 217.32.145.4 port 443: No route to host
```

I've seen this behaviour in the past and @schoen helpfully taught me how it can correspond to an ICMP "Host administratively prohibited" response that likely indicates there's a firewall or network device between the world & your server that's blocking access to 443 and breaking the tls-sni-01 validation.

@dno Can you try and determine if your ISP or hosting provider might be blocking inbound port 443?

Daniel,

I should say that I have found a tool at https://mxtoolbox.com/ and it says my ip address (217.32.145.4) is blacklisted. I don’t know how this has happened since I only set the mail server up over the last couple of days.

I have had the following response from 123-reg’s mail server:

```
This is the mail system at host oak.lampworx.co.uk.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

dean@delta101.co.uk: host mx0.123-reg.co.uk[94.136.40.153] said:
550-ATLAS(2503): 86.144.160.45 is blacklisted and not authenticated. Please
550-request delisting via the following link: 550
https://www.spamhaus.org/query/ip/86.144.160.45. (in reply to MAIL FROM
command)
```

You’ll notice that the address that is blacklisted is not my ip address, but it belongs to BT.
The ‘delta101.co.uk’ is another domain of mine hosted on 123-reg’s server and that works fine.

If you go to spamhaus they say that BT operate a PBL and won’t send any email from an unauthorised server or a non btinternet.com email address. Could this be the problem?

The ‘lampworx.co.uk’ domain is parked on 123-reg’s servers and I have the MX record in their DNS pointed to my server, so they cannot block ports. However, BT are my service provider and I have raised the issue with them. That could take a while, as it has been escalated beyond ‘a broadband fault’.

My SMTP server points to the following:

```
mySMTP_Server 192.168.1.222
```

and the following ports are mapped to that IP address:

```
Protocol  Port Range  Translate To
TCP       80          80
TCP       443         443
```

cheers
Dean

Hi @dno,

That might impact your ability to send email but it wouldn't explain why both myself and the validation authority are unable to reach your server on port 443.

Just to clarify that I am not running a web server of any description at the moment. Am I correct in thinking that certbot uses one on the fly for authentication purposes?

That’s correct, when you use the --standalone option (as you did), certbot uses its own temporary web server on the fly.

However, it might be worth temporarily installing a real web server on that machine and testing whether you can access it from outside your home network on port 443. If that works, certbot should work too.


OK, I put my hands up and confess to being a complete twat. I failed to insert the correct IP address into the DNS. I was using a gateway IP address instead of a broadband network address. Once I made the change, certbot produced the certificate.

I’m still having problems with my IP address being blacklisted, but that’s one for BT.

Thanks to all who tried to help

Cheers
Dean

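The two things that cost time in this thread, an A record pointing at the wrong address and a challenge port that nobody outside could reach, can both be checked before certbot is ever run. The script below is an added example written for this page; it is not code from the thread, from Certbot or from Let's Encrypt. The hostname `oak.example.org`, the sample addresses in the comments and the public-IP lookup service (`api.ipify.org`) are assumptions. The offline part classifies the resolved address (rejecting RFC 1918, loopback, link-local and CGNAT ranges, which is exactly the "gateway/LAN address in DNS" mistake) and compares it with the address the ISP actually assigned; the live part resolves the name and probes the port, and is only meaningful when run from outside the home network, because connecting to your own public address from inside the LAN exercises NAT hairpinning rather than the path the validation server takes.

```bash
#!/usr/bin/env bash
# acme-preflight.sh: sanity-check DNS and reachability before a standalone
# certbot run (http-01 on 80 or, historically, tls-sni-01 on 443).
# Added example for this page; names and addresses are placeholders.

# Return 0 when $1 is an IPv4 address in a block that is never routable from
# the public Internet: RFC 1918, loopback, link-local, and CGNAT (100.64/10).
# An A record in one of these ranges means the DNS points at a router or LAN
# host, not at the ISP-facing address, so the CA can never reach it.
is_private_ipv4() {
  case "$1" in
    10.*|127.*|169.254.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when $1 is a syntactically valid dotted quad (four octets, 0-255).
is_ipv4() {
  case "$1" in ''|.*|*.|*..*) return 1 ;; esac
  local IFS=. o
  set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in *[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Judge whether the A record for $1 (resolved to $2) is usable for an inbound
# ACME challenge, given the public address this connection really has ($3).
# Prints a one-line verdict; returns 0 only when the record is usable.
check_a_record() {
  local host=$1 resolved=$2 expected_public=$3
  if ! is_ipv4 "$resolved"; then
    echo "FAIL: $host does not resolve to an IPv4 address ('$resolved')"
    return 1
  fi
  if is_private_ipv4 "$resolved"; then
    echo "FAIL: $host -> $resolved is a private/LAN address; the CA cannot reach it"
    return 1
  fi
  if [ -z "$expected_public" ]; then
    echo "WARN: public address unknown, cannot compare; $host -> $resolved"
    return 0
  fi
  if [ "$resolved" != "$expected_public" ]; then
    echo "FAIL: $host -> $resolved but this connection's public address is $expected_public (wrong or stale A record?)"
    return 1
  fi
  echo "OK: $host -> $resolved matches the public address"
  return 0
}

# Live helpers (need network and the dig/curl tools; not used by offline tests).
resolve_a()     { dig +short A "$1" | grep -E '^[0-9.]+$' | head -n1; }
my_public_ip()  { curl -fsS https://api.ipify.org; }   # assumed lookup service
# TCP connect test with a 5 s timeout. Run it from OUTSIDE the home network;
# from inside, a failure may just be the router not hairpinning NAT.
port_open()     { timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# Usage: ./acme-preflight.sh oak.example.org [expected-public-ip]
if [ $# -gt 0 ]; then
  host=$1
  resolved=$(resolve_a "$host")
  public=${2:-$(my_public_ip)}
  check_a_record "$host" "$resolved" "$public" || exit 1
  for p in 80 443; do
    if port_open "$resolved" "$p"; then
      echo "OK: $resolved:$p accepts connections"
    else
      echo "WARN: $resolved:$p not reachable from here (firewall, ISP block, or NAT mapping missing?)"
    fi
  done
fi
```

In the thread's terms, the second FAIL branch is the case where a LAN address such as 192.168.1.222 ends up in public DNS, and the third is the case where the record holds an address that belongs to the ISP's gateway rather than to the broadband connection itself; either one produces the "could not connect to the client" error regardless of what the NAT table on the router says.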

May I piggyback my inquiry onto this one, as the description closely fits my situation.

I’m using the Let’s Encrypt cPanel interface to add certificates. For one domain I host the email but the website is handled elsewhere. I’ve got the DNS all set up with a specific “mail…” host address and an MX record to reference that. For web stuff the “www…” and unadorned domain name point to the remote host.

The difficulty I have is I cannot de-select the unadorned domain name, i.e. specify just the mail host, so Let’s Encrypt keeps failing certificate installation because it’s trying to verify using http to a host I do not control.

I presume if I was doing it all manually I could install just the mail host certificate and verify that but does anyone know if it is possible to achieve the same when using cPanel?

Hi @Chris_White,

At the moment this is not possible unless you separate “mail.example.org” away from the “example.org” virtual host. For example, creating a subdomain in cPanel for “mail.example.org” will give it a dedicated virtual host, and then you can issue a certificate for it by itself.

The reason for this is due to a restriction in the way cPanel and Apache work.

For future reference you can get in touch with us directly, which will get you an answer faster than posting here.
