Last updated: August 2025

Mail Server SSL (Postfix and Dovecot Multiple SSL Certificates)

Mail Server Multiple SSL Certificates

Note: This article series covers configuring Debian 12 for hosting multiple domains and web sites on a single dedicated server. As such, some strategies may be inappropriate for your environment. Sockets for example are appropriate for communication between services hosted on the same machine but not suited to a set up with distributed services (where you'd use ports). Please consult the overview for more information.


Operating System: Debian 12
Postfix: version 3.7.11
Dovecot: version 2.3.19.1 (9b53102964)

I like to use a mail subdomain for each of my primary domains (e.g. mail.domain.com), so the server has to present a different certificate depending on which hostname the client connected to. Both Postfix and Dovecot do this with TLS Server Name Indication (SNI): the client names the host it wants during the handshake and the server picks the matching certificate. We're going to set that up in Postfix and Dovecot.

As well as SMTP with TLS, I like to offer IMAP and POP3 over TLS (IMAPS on port 993 and POP3S on port 995).

Get your SSL certificates

certbot has no way to append a domain to an existing certificate in place: you re-request the full list of names (the existing ones plus the new one) and certbot issues a new certificate that replaces the old one. You might need to do a bit of planning here, so first list your existing certificates and the domains each one covers:

sudo certbot certificates

I had two certificates for the same domain (both valid) and I wanted to tidy that up a bit, so I deleted the erroneous certificate (sudo certbot revoke --cert-name <certificate name> - it asks if you want to delete the certificate) and then fixed the SSL file in Apache to point to the correct certificate paths of the one I kept. Then I restarted Apache (just to be sure!). Actually, I did the Apache change first (in case I broke anything!), then I deleted the certificate once I knew everything was cool!

Quick note on planning, before doing admin changes, open up a text document and type the steps you're taking. Then have a little think about the safest route to achieve your goals. Try to put yourself in a position that lets you roll things back if you break anything, your users will thank you by enjoying less downtime!

We want to add a mail subdomain to our existing certificate, so first check the Domains field in the certificate listing: the new request must repeat every name already on the certificate and then add the mail subdomain. Your command will look similar to the following:

sudo certbot certonly --apache -d benosborne.com -d www.benosborne.com -d mail.benosborne.com

'certonly' means I only want the certificate issued, with no changes made to the local web server configuration. '--apache' means the Apache plugin answers the HTTP-01 challenge, and it does so for every name in the list, not just the primary domain: mail.benosborne.com must therefore already resolve to this server and be reachable on port 80 (add the DNS record for the mail subdomain first if it doesn't exist yet). Then follows the list of names the certificate should cover, each prefixed by -d. Because the request is a superset of the existing certificate, certbot asks whether to expand it; pass --expand to answer yes non-interactively. The expanded certificate keeps the same lineage name (the directory under /etc/letsencrypt/live/), so the paths already in your Apache configuration keep working.

Postfix

Now we've got our certificates, we're going to enable multiple domains. Postfix (3.4 and later) does this in a similar way to how it handles virtual mailboxes: an external lookup table maps the hostname a client sends in TLS SNI to the private key and certificate chain Postfix should present for that name. Clients that don't send SNI, or ask for a name that isn't in the table, get the default certificate.

Edit your Postfix configuration, you need to remove a couple of lines and add a few (as usual I just comment out removed lines so I can get them back later if anything breaks!):

sudo nano /etc/postfix/main.cf

Comment out:

#smtpd_tls_cert_file=/etc/letsencrypt/live/blnkserver.com/fullchain.pem
#smtpd_tls_key_file=/etc/letsencrypt/live/blnkserver.com/privkey.pem
Add the following. Note that in smtpd_tls_chain_files the private key is listed first, THEN the certificate chain. This parameter is the default certificate for incoming SMTP connections (used when the client sends no SNI name, or one that isn't in the map); the map file below then selects a certificate by SNI name. Outgoing connections made by Postfix are governed by the separate smtp_tls_* parameters and are unchanged by this. The legacy smtpd_tls_cert_file/smtpd_tls_key_file settings stay commented out so only one mechanism is in play:

# Default certificate for incoming SMTP connections (no SNI, or an unknown SNI name).
# Private key first, then the full certificate chain.
smtpd_tls_chain_files = /etc/letsencrypt/live/blnkserver.com/privkey.pem /etc/letsencrypt/live/blnkserver.com/fullchain.pem

# Per-hostname certificates for incoming connections, keyed by the TLS SNI name
tls_server_sni_maps = hash:/etc/postfix/vcerts
Edit that new map file and add one line per hostname. The lookup key is the name mail clients connect to (what they send in SNI), followed by the private key THEN the certificate chain, exactly as in the main.cf chain definition above. Obviously, use your own domain names - I've provided a few of mine as an example:

sudo nano /etc/postfix/vcerts

mail.benosborne.com /etc/letsencrypt/live/benosborne.com/privkey.pem /etc/letsencrypt/live/benosborne.com/fullchain.pem
mail.blnk.co.uk /etc/letsencrypt/live/blnk.co.uk/privkey.pem /etc/letsencrypt/live/blnk.co.uk/fullchain.pem
mail.northpolepostbox.com /etc/letsencrypt/live/northpolepostbox.com/privkey.pem /etc/letsencrypt/live/northpolepostbox.com/fullchain.pem
Compile it to a .db using postmap (similar to vmailboxes). Note the -F option: it reads each PEM file named in the value and stores the file contents (base64-encoded) in the table instead of the path, which is what tls_server_sni_maps requires. Without -F, Postfix can't load the keys and TLS handshakes for those hostnames fail, so clients won't be able to send to you. Because the table holds a copy of the private keys, two things follow: keep vcerts and vcerts.db owned by root with mode 0600, and re-run postmap -F after every certificate renewal (a certbot deploy hook is the usual place), otherwise Postfix keeps presenting the old, eventually expired, certificate:

sudo postmap -F /etc/postfix/vcerts

Restart Postfix:

sudo systemctl restart postfix
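Since vcerts.db holds copies of the keys and certificates, every Let's Encrypt renewal has to be followed by another postmap -F and a reload, and Dovecot (configured below) also only reads its certificate files at startup. The following certbot deploy hook is an added example, not code from the original article: it rebuilds the map from a list of hostname/lineage pairs (the ones from the vcerts file above are used as the example list), refuses to run if any key or chain file is missing, compiles the map and reloads both daemons. The default /etc/letsencrypt/live layout, the /etc/postfix/vcerts path and the use of the Debian dovecot unit's reload action are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): certbot deploy hook that
# rebuilds the Postfix SNI map after a renewal and reloads Postfix and Dovecot.
# The host list, LIVE_DIR and SNI_MAP are assumptions matching the article's layout.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
SNI_MAP="${SNI_MAP:-/etc/postfix/vcerts}"

# One "sni-name lineage" pair per line: the hostname clients send in SNI and the
# certbot lineage (directory under live/) whose key and chain it should use.
SNI_HOSTS="mail.benosborne.com benosborne.com
mail.blnk.co.uk blnk.co.uk
mail.northpolepostbox.com northpolepostbox.com"

# Print the map source in the form tls_server_sni_maps expects:
#   <sni-name> <private key file> <certificate chain file>   (key FIRST)
# Fails (exit 1) if any referenced file is unreadable, so a typo in the host
# list cannot silently drop a domain from the map.
render_sni_map() {
    live="$1"
    hosts="$2"
    while read -r name lineage; do
        [ -n "$name" ] || continue
        key="$live/$lineage/privkey.pem"
        chain="$live/$lineage/fullchain.pem"
        for f in "$key" "$chain"; do
            [ -r "$f" ] || { echo "render_sni_map: $f for $name is missing or unreadable" >&2; return 1; }
        done
        printf '%s %s %s\n' "$name" "$key" "$chain"
    done <<EOF
$hosts
EOF
}

deploy() {
    umask 077                              # the map and its .db contain private keys: root-only
    render_sni_map "$LIVE_DIR" "$SNI_HOSTS" > "$SNI_MAP.tmp"
    mv "$SNI_MAP.tmp" "$SNI_MAP"
    postmap -F "hash:$SNI_MAP"             # -F embeds the PEM contents (base64) in vcerts.db
    postfix reload                         # new smtpd processes pick up the default chain and the map
    systemctl reload dovecot               # Dovecot reads its ssl_cert/ssl_key files at startup only
}

# certbot sets RENEWED_LINEAGE when it runs a deploy hook; "deploy" as the first
# argument lets you run it by hand. Anything else (e.g. sourcing it) does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

Save it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ and run it once by hand with the deploy argument to confirm it works; sudo postmap -q mail.benosborne.com hash:/etc/postfix/vcerts should then print a long base64 value rather than a path. The hook fires after any lineage renews, including the plain web server certificates, which is harmless.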

Dovecot

In Dovecot, the per-hostname certificate is chosen with local_name blocks: one block for each hostname clients connect to, naming the certificate chain and private key for that name. A local_name block applies to every protocol and listener, so a single block covers IMAPS and POP3S (and STARTTLS on the plain ports, if you offer it) without per-protocol sections inside it. Dovecot 2.x has no 'imaps' or 'pop3s' protocol names (those were Dovecot 1.x); the protocols are imap and pop3, and the TLS ports are just listeners for them, so settings placed under a protocol imaps block are never applied. Dovecot still needs the global ssl_cert/ssl_key settings higher up in 10-ssl.conf; those are the default certificate, used for clients that send no SNI name. Dovecot reads these files as root at startup, so the root-only permissions Let's Encrypt gives privkey.pem are fine, but it also means Dovecot has to be reloaded after each renewal.

I put the blocks at the bottom of 10-ssl.conf. Again, I've provided a couple of my domains so obviously substitute your own (make sure you keep the < character in the path; it tells Dovecot to read the contents of that file rather than treat the string itself as the certificate)...

sudo nano /etc/dovecot/conf.d/10-ssl.conf

local_name mail.benosborne.com {
	ssl_cert = </etc/letsencrypt/live/benosborne.com/fullchain.pem
	ssl_key = </etc/letsencrypt/live/benosborne.com/privkey.pem
}
local_name mail.blnk.co.uk {
	ssl_cert = </etc/letsencrypt/live/blnk.co.uk/fullchain.pem
	ssl_key = </etc/letsencrypt/live/blnk.co.uk/privkey.pem
}
Restart dovecot to pick up the settings:

sudo systemctl restart dovecot
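Once both daemons are reloaded, check what each service actually presents for each hostname rather than trusting the configuration. The script below is an added example and not part of the original article. It uses openssl s_client with -servername, which is what sends the SNI name (leave it out and you will only ever see the default certificate), and checks the subjectAltName of the returned leaf certificate for the hostname, accepting a wildcard for the parent domain the way a mail client would. The ports are assumptions: 25 with STARTTLS for SMTP, 993 for IMAPS and 995 for POP3S; add 587 (STARTTLS) or 465 (implicit TLS) if you run submission, and 143/110 with -starttls imap/pop3 if you offer STARTTLS there.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that Postfix and
# Dovecot present the right certificate for each SNI hostname.
# Requires OpenSSL 1.1.1+ for `x509 -ext`; hostnames and ports are assumptions.

# Extract the DNS names from the subjectAltName text that
# `openssl x509 -noout -ext subjectAltName` prints, one per line.
san_dns_names() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Succeeds if hostname $2 is covered by the SAN text $1, either literally or by
# a wildcard for its parent domain (*.example.com covers mail.example.com but
# not deep.mail.example.com), which is the match rule TLS clients apply.
san_has_name() {
    names="$(san_dns_names "$1")"
    printf '%s\n' "$names" | grep -qxF -- "$2" && return 0
    printf '%s\n' "$names" | grep -qxF -- "*.${2#*.}"
}

# Fetch the leaf certificate's SAN from host $1 port $2; $3 is the STARTTLS
# protocol (smtp, imap or pop3) or empty for implicit TLS (465/993/995).
served_san() {
    if [ -n "${3:-}" ]; then set -- "$1" "$2" -starttls "$3"; else set -- "$1" "$2"; fi
    host="$1"; port="$2"; shift 2
    openssl s_client -servername "$host" -connect "$host:$port" "$@" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null
}

# One check: prints OK/FAIL for the reader and returns accordingly.
check_sni() {
    host="$1"; port="$2"; proto="${3:-}"
    san="$(served_san "$host" "$port" "$proto")"
    if [ -z "$san" ]; then
        echo "FAIL $host:$port no certificate returned (service down, no TLS, or wrong -starttls)"
        return 1
    fi
    if san_has_name "$san" "$host"; then
        echo "OK   $host:$port"
    else
        echo "FAIL $host:$port presented a certificate for: $(san_dns_names "$san" | tr '\n' ' ')"
        return 1
    fi
}

# Usage: sh check_sni.sh mail.benosborne.com mail.blnk.co.uk
# Nothing is contacted when no hostnames are given, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    rc=0
    for host in "$@"; do
        check_sni "$host" 25 smtp || rc=1     # SMTP with STARTTLS (Postfix)
        check_sni "$host" 993 || rc=1         # IMAPS (Dovecot)
        check_sni "$host" 995 || rc=1         # POP3S (Dovecot)
    done
    exit $rc
fi
```

A FAIL that lists the default server's names (blnkserver.com in this article's setup) for a mail hostname means SNI isn't being honoured for that name: for Postfix, check the key in vcerts matches the hostname exactly and that postmap -F was re-run; for Dovecot, check the local_name spelling and that the daemon was actually reloaded.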
