bg-tutorials

How to Install an ACME SSL Certificate on Mail Servers

In this guide, you’ll learn how to install an ACME SSL certificate on mail servers, specifically Postfix, Dovecot, and optionally Exim, using commercial providers that support ACME + EAB. We’ll use acme.sh to register your ACME account, issue a certificate for your mail hostname, and then plug that certificate directly into your mail server’s TLS configuration.

Mail Servers ACME SSL

This guide assumes a Linux-based mail server and a commercial CA that provides an ACME directory URL along with EAB credentials (Key ID + HMAC). Because mail environments differ across distributions and hosting setups, treat this as a clear, reliable blueprint, but always check your own server’s paths, service names, and TLS settings as you go.


Before You Start

You’ll have a much smoother time if these basics are ready:

  • A mail hostname, e.g. mail.example.com, with an A/AAAA record pointing to your mail server
  • Your MX record pointing to that hostname (common setup)
  • Shell/SSH access to the mail server with sudo or root
  • A commercial CA account that provides an ACME directory URL (e.g. https://acme.yourca.com/v2/acme), EAB Key ID and EAB HMAC key
  • Mail stack: Postfix/Exim for SMTP and Dovecot for IMAP/POP3

We’ll use DNS-01 validation because it works even when your mail server doesn’t run a public website and is often preferred in production.


Step 1: Install acme.sh on the Mail Server

You’ll install the ACME client directly on the mail server so it can renew certificates and write them to disk where Postfix/Dovecot/Exim can read them.

On the mail server:

curl https://get.acme.sh | sh
source ~/.bashrc
acme.sh --version

If you see a version number, the client is installed and ready. If the source ~/.bashrc line doesn’t work, log out and back in, then run acme.sh --version again.


Step 2: Register Your ACME Account (with EAB)

Next, you need to register your ACME account with your commercial CA using the EAB credentials from their panel. acme.sh supports EAB via --eab-kid and --eab-hmac-key.

Run this on the mail server:

acme.sh --register-account \
  --server https://acme.yourca.com/v2/acme \
  --eab-kid YOUR_EAB_KID \
  --eab-hmac-key YOUR_EAB_HMAC_KEY \
  --accountemail [email protected]

Replace:

  • https://acme.yourca.com/v2/acme with your CA’s ACME directory URL
  • YOUR_EAB_KID with the Key ID
  • YOUR_EAB_HMAC_KEY with the HMAC key
  • [email protected] with your real admin email for expiry notices

You do this once per account. If the command fails, it’s almost always a typo in the URL or EAB values.


Step 3: Issue the Certificate via DNS-01

Now you request a certificate for the hostname your users will connect to, e.g. mail.example.com (or imap.example.com, smtp.example.com. Just pick the one you actually use in client configs).

Issue the cert (manual DNS)

Run:

acme.sh --issue \
  -d mail.example.com \
  --dns dns_manual \
  --server https://acme.yourca.com/v2/acme

--dns dns_manual tells acme.sh you’ll add TXT records manually in your DNS panel.

The client will output something like:

Please add a TXT record:
_acme-challenge.mail.example.com → some-long-token-value

Add the TXT record

In your DNS provider’s panel, create a TXT record:

  • Name: _acme-challenge.mail.example.com
  • Value: the token shown by acme.sh

Wait a few minutes for DNS to propagate, then verify with:

dig TXT _acme-challenge.mail.example.com +short

If you see the token there, run the acme.sh --issue command again to complete validation. When it succeeds, acme.sh stores your files under ~/.acme.sh/mail.example.com/.

Inside that directory you’ll have at least:

  • fullchain.cer – certificate plus intermediate chain
  • mail.example.com.key – private key
  • ca.cer – CA certs (if your CA provides it separately)

We’ll use these in the next steps.


Step 4: Configure Postfix to Use the ACME Certificate (SMTP)

Postfix needs to know where your new certificate and key reside. TLS in Postfix is controlled by options like smtpd_tls_cert_file and smtpd_tls_key_file.

First, copy the files to a stable location, for example:

sudo mkdir -p /etc/ssl/mail
sudo cp ~/.acme.sh/mail.example.com/fullchain.cer /etc/ssl/mail/mail-fullchain.cer
sudo cp ~/.acme.sh/mail.example.com/mail.example.com.key /etc/ssl/mail/mail.key
sudo chown root:root /etc/ssl/mail/*
sudo chmod 600 /etc/ssl/mail/mail.key

Then tell Postfix to use them:

sudo postconf -e 'smtpd_use_tls = yes'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/mail/mail-fullchain.cer'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/mail/mail.key'
sudo postconf -e 'smtp_tls_security_level = may'
  • smtpd_* settings control incoming mail (clients sending mail to you)
  • smtp_* settings control outgoing mail (your server sending mail to others)

Apply the changes:

sudo systemctl restart postfix

If your distro still uses service, adjust the command accordingly.


Step 5: Configure Dovecot to Use the ACME Certificate (IMAP/POP3)

Dovecot handles IMAP and POP3. You configure TLS by pointing ssl_cert and ssl_key at the same files we just prepared.

Open Dovecot’s SSL config:

sudo nano /etc/dovecot/conf.d/10-ssl.conf

Update (or add) these lines:

ssl = yes
ssl_cert = </etc/ssl/mail/mail-fullchain.cer
ssl_key  = </etc/ssl/mail/mail.key

Save the file and reload Dovecot:

sudo systemctl restart dovecot

Now IMAP/POP3 over TLS will present the same commercial ACME certificate.


Optional: Use the Same Cert in Exim

If you use Exim as your mail server instead of Postfix, the integration is similar. Exim uses tls_certificate and tls_privatekey options for TLS.

In your Exim configuration (path depends on distro, often /etc/exim4/exim4.conf.template or split config under /etc/exim4/conf.d/), set:

tls_certificate = /etc/ssl/mail/mail-fullchain.cer
tls_privatekey  = /etc/ssl/mail/mail.key

Then reload Exim:

sudo systemctl restart exim4

Check your distribution pacakge docs if the service name is slightly different.


Step 6: Test Your Mail TLS

You can test from any other machine that has OpenSSL installed.

Test SMTP (Postfix or Exim)

openssl s_client -starttls smtp -connect mail.example.com:587 -showcerts

Test IMAP (Dovecot)

openssl s_client -starttls imap -connect mail.example.com:143 -showcerts

If the output shows your commercial CA and the hostname matches, you’re good.


Step 7: Keep Renewal and Reload Automated

acme.sh already installs a cron job that checks for renewals daily. When your cert is close to expiry, it will renew automatically and update the files in ~/.acme.sh/mail.example.com/.

To make Postfix/Dovecot/Exim always use the latest version, you have two options:

  1. Point configs directly at the files in ~/.acme.sh/mail.example.com/
    (e.g. smtpd_tls_cert_file = /root/.acme.sh/mail.example.com/fullchain.cer) and ensure only root can read them.
  2. Write a small deploy script that copies the renewed files into /etc/ssl/mail/ and restarts or reloads the server.

Example of a script:

#!/usr/bin/env bash
DOMAIN="mail.example.com"
SRC="$HOME/.acme.sh/$DOMAIN"
DEST="/etc/ssl/mail"

sudo cp "$SRC/fullchain.cer" "$DEST/mail-fullchain.cer"
sudo cp "$SRC/$DOMAIN.key"   "$DEST/mail.key"
sudo chown root:root "$DEST/"*
sudo chmod 600 "$DEST/mail.key"

sudo systemctl restart postfix dovecot

This script copies the newly issued ACME certificate and private key into your server’s mail SSL directory, sets the correct ownership and permissions, and then restarts Postfix and Dovecot so they immediately begin using the updated certificate. Use your credentials instead of the placeholders.

Then wire it into acme.sh:

acme.sh --install-cert -d mail.example.com \
  --key-file       ~/.acme.sh/mail.example.com/mail.example.com.key \
  --fullchain-file ~/.acme.sh/mail.example.com/fullchain.cer \
  --reloadcmd "/path/to/your/deploy-script.sh"

From here on, renewals occur automatically.


Common Questions & Troubleshooting

A few issues may come when you do this the first time. Here’s how to deal with them quickly.

Why does ACME validation fail with “unauthorized” or “invalid response”?

This happens when the CA can’t verify your DNS TXT record. Check that:

  • The TXT record is exactly _acme-challenge.mail.example.com
  • The token has no extra quotes or spaces
  • DNS has propagated (dig TXT _acme-challenge.mail.example.com +short)
  • You didn’t mix up mail.example.com with example.com

If unsure, delete the TXT record, re-run acme.sh --issue, and re-add the exact value ACME gives you.

Why am I getting “accountDoesNotExist” or EAB-related errors?

These appear when your ACME account registration doesn’t match the EAB credentials from your CA.

Fix by:

  • Re-checking the ACME directory URL (production vs staging)
  • Ensuring Key ID and HMAC are copied exactly, with no hidden spaces
  • Re-running the registration command once with correct values

Commercial CAs reject any EAB registration that doesn’t match their issued profile.

Why does SMTP/IMAP still show the old certificate?

This means the service didn’t reload the new cert or is reading from a different path. Check:

  • TLS paths in Postfix/Dovecot/Exim match the actual files
  • You restarted the correct service (systemctl restart postfix dovecot exim4)
  • No second instance, container, or proxy is serving the old cert

You can verify the live certificate using:

openssl s_client -connect mail.example.com:465 -servername mail.example.com

Final Words

With this setup, your mail server presents a proper commercial ACME certificate to SMTP and IMAP/POP3 clients, while acme.sh quietly handles renewals in the background. You keep full control over the certificate chain and filenames, your users stop seeing security warnings, and you don’t have to log in every few months to upload new files by hand.

Once you’ve done it once, you can repeat the same pattern for other hostnames, secondary MX servers, or additional mail stacks using the same ACME account and process.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.