All,

Probably old news to most who run their own mail servers, but for years I simply used self-signed certs for mail and used Let's Encrypt for my web servers. Turns out it's trivial to use the same certs for both. The key is you need to have both an A and MX record for your mail host and then add that FQDN to (expand) your Let's Encrypt certificate to include the mail host FQDN.

While most mail clients would simply allow you to add an exception for your annual change for self-signed certs, leave it to Apple to make things difficult and complain. So tired of fighting with iOS, it was time to simply use a legitimate cert. (Makes Apple instantly happy, no reboots to clear cache or 3 forced mail checks in rapid succession to have it add a new exception.)

If you are interested, here are three links that tie it all together. Note that different web servers will have different setups/processes for requesting your original or expanded cert (there is a manual method as well).

https://serverfault.com/q/999409/332034
https://community.letsencrypt.org/t/how-to-add-mail-server-to-existing-certi...
https://community.letsencrypt.org/t/dovecot-certificate/145441/9

Simple solution. The only change to dovecot.conf is to point it to the Let's Encrypt certs instead of self-signed. Should have taken the time to do this years ago when I did the web server.

-- 
David C. Rankin, J.D.,P.E.
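A pre-flight check for the change described above, as an added example that is not part of the original post: it confirms the expanded certificate actually names the mail host and is not about to expire before dovecot.conf is pointed at it. The hostnames, paths and function names are placeholders, certbot is assumed as the ACME client, and the setting names are Dovecot 2.3-style.

```shell
#!/bin/sh
# Added example, not from the original post. Hostnames and paths are
# placeholders; function names are hypothetical.
#
# Expanding the certificate (assumes certbot is the ACME client; the
# authenticator options depend on your web server):
#   certbot certonly --expand -d example.test -d mail.example.test

# Succeeds if the certificate names the host (SAN entries, wildcards included).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Succeeds if the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Prints the dovecot.conf lines for a Let's Encrypt "live" directory.
# Dovecot 2.3-style names; the leading "<" makes Dovecot read the file.
dovecot_ssl_lines() {
    printf 'ssl_cert = <%s/fullchain.pem\n' "$1"
    printf 'ssl_key = <%s/privkey.pem\n' "$1"
}

# Usage: sh check-mail-cert.sh /etc/letsencrypt/live/example.test mail.example.test
if [ "$#" -eq 2 ]; then
    cert="$1/fullchain.pem"
    cert_covers_host "$cert" "$2" ||
        { echo "certificate does not cover $2; expand it first" >&2; exit 1; }
    cert_valid_for_days "$cert" 14 ||
        { echo "certificate expires within 14 days; check renewal" >&2; exit 1; }
    dovecot_ssl_lines "$1"
fi
```

Dovecot reads the certificate files when it starts, so reload it after each renewal (for example from a certbot `--deploy-hook`), otherwise clients keep seeing the old certificate until it expires.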