Let’s Encrypt certificates with Postfix/Dovecot software


I read

Let’s Encrypt certificates with Postfix/Dovecot software

where one can read:

in /etc/dovecot/conf.d/10-ssl.conf add

ssl_cert = </etc/path/to/your/cert.pem
ssl_key = </etc/path/to/your/key.pem

read also https://wiki.dovecot.org/SSL/DovecotConfiguration

in /etc/postfix/main.cf add

smtpd_tls_cert_file = /etc/path/to/your/cert.pem
smtpd_tls_key_file = /etc/path/to/your/key.pem

but I still have a general additional question:

I have several virtual domains (domain1.tld, domain2.tld, domain3.tld, …) served by Apache webserver for the same IP XY and each domain has its own /etc/path/to/your/cert.perm or key.perm (i.e. on my server /usr/local/etc/letsencrypt/archive/domain1.tld).

So I wonder which one of the different cert.perm/key.perm I have to use in main.cf and 10-ssl.conf?

Because for all different domain1.tld, domain2.tld, domain3.tld reachable under IP XY there is a MX-Record with IP XY so that later one should be able to use smtp.domain1.tld, smtp.domain2.tld, smtp.domain3.tld etc. in the email client.

Thanks and best regards

1 Like

For Dovecot the certificate should encompass the hostnames which are used by your users. I.e., what they put in the IMAP or POP3 field of their mail client.

For the Postfix part: it should include the hostnames which are set in the MX records. You said “a MX-Record with IP XY” but that’s a incorrect DNS configuration: MX records should have a hostname as value, never an IP address.

By the way: not every mail agent uses SNI as you can read on https://wiki.dovecot.org/SSL/SNIClientSupport. Therefore, I recommend getting one certificate with all hostnames in the used MX records for Postfix and one certificate with all hostnames used in your users mailclients for Dovecot.

1 Like

Of course you are right!

I’ll take your advice and see how far I get.

By the way: What will I have to do, if I have to set up a new domain and therefore a new certificate?
Will I have to start certbot again for getting one certificate with all hostnames PLUS the NEW one?

Thanks and best regards

1 Like

Yes, that new hostname won’t be included into your certificate magically :grin:

1 Like


What I meant with my question: When I make a renew for existing domains which still have valid certificates for i.e. 1 month PLUS the new domains: What exactly will happen then?

Obviously the certificate MUST be renewed because of the ONE new domain.

Thanks for your help!


Well, in certbot terms if you change the “contents” (i.e.: hostnames) of the certificate, it won’t be called a renewal. You’ll tell certbot to get a new one.

In fact, a “renewal” is actually the same as getting a new certificate from Let’s Encrypt, but just with the same hostnames. Technically there isn’t any difference between a “renewal” and a brand new certificate from Let’s Encrypts point of view. (Of course they do keep a record of certificates with the included hostnames so they can account for the different rate limits where “renewals” are treated differently).

See Changing a Certificate’s Domains in the certbot documentation for more info.

Do note however, which isn’t clearly explained in the documentation, that there is no function to only specify the hostname you want added to the certificate as an option to a certain certificate.
For example: if you have certificate with the name “foo” with hostname example.com and you want to add bar.example.com, you cannot just say: certbot --cert-name foo -d bar.example.com. You will have to mention all the previous hostnames of the certificate too, like this: certbot --cert-name foo -d example.com,bar.example.com

1 Like

Many thanks for the interesting additional information and clarification.

Kind regards

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.