Dovecot mail server certifcate

I run an unmanaged centos server and have recently updated all domains to https:// with no real problems but in the process I found odd links to an expired certificate that was on the server when I leased it that has stumped me!

Letencrypt provides 4 x .pem files that work but Dovecot seems to use .key and .crt files.

As this is all new to me even for a command line user, help please.

The server is but the original stuff was under but works on Dovecot without error. Maybe I am missing something obvious…

There are 3 entries:-

etc/pki/dovecot/certs which include

Then at /root/ directory includes
(not the same files in pki I think)

Then etc/ssl/certs directory includes

All I need to do is use the current certificate for
or update this version of the wwd cert.


Do you have a certificate for the hostname doesn’t have a record of a certificate for that hostname. Is that also the exact hostname users are entering into their mail client to connect to Dovecot?

Hi lots of work later, sorted out most of the Dovecot cert stuff. had to delete a load of old certificates installed by the server provider, then got a cert for and then changed the dovecot config files (was confused over .pem and .key and didn’t realise dovecot would accept any suffix providing it was a key.

Great BUT (always one of them!) the mailboxes are just users on the server without and mail is collected using the IP address not the server address (although the same) in this case if the IP is used client comes up with a cert/server mismatch. If say is used instead of fred@ IP then mail is fetched ssl with no problem,. It will take a while for my clients to use this if they have to, so would prefer to get a certifcate for the IP instead (it is permantly allocated to us) but 2 hours on the net have produced conflicting reports to say the least.

So, will letsencrypt give am IP server cert or do i have to go to a paid organisation?


Let’s Encrypt does not issue certificates for IP addresses (yet).

Hi @JRWatchet

using raw ip addresses with a mail client isn’t a good idea.

Domainname -> ip address.

So these users should only use the domain name.

Thanks for comments, just a pain to get everyone to change their email client - in otherwords I have to
visit a lot of my customers to show them how. Just using the IP is so much easier for customers than changing everything I set up…oh well if has to be done, has to be done! is long!

Will try with some of the other virtual hosts as have a simpler domain.

Will keep looking for commercial idea as have to now set up sendmail to use TLS/SSL - more learning!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.