Failed to start Dovecot after adding SSL certificate

Discussion in 'Installation/Configuration' started by Frédéric URBANIAK, May 9, 2022.

  1. Hello,
    Sorry for my bad English, I'm French ;)

    I followed the tutorial
    I'm blocked just after step 2, "Replacing the certificate with the Let's Encrypt certificate"
    When I want to restart Dovecot I get an error

    [email protected]:/etc/postfix# systemctl restart dovecot
    Job for dovecot.service failed because the control process exited with error code.
    See "systemctl status dovecot.service" and "journalctl -xe" for details.

    [email protected]:/etc/postfix# systemctl status dovecot
    * dovecot.service - Dovecot IMAP/POP3 email server
    Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
    Active: failed (Result: exit-code) since Mon 2022-05-09 08:14:27 UTC; 2min 54s ago
    Docs: man:dovecot(1)
    Process: 20045 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
    Process: 20216 ExecStart=/usr/sbin/dovecot (code=exited, status=89)
    Main PID: 237 (code=exited, status=0/SUCCESS)

    May 09 08:14:27 ip107 systemd[1]: Starting Dovecot IMAP/POP3 email server...
    May 09 08:14:27 ip107 dovecot[20216]: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 7: ssl_cert: Can't open file /etc/postfix/smtpd.cert: No such file or directory
    May 09 08:14:27 ip107 systemd[1]: dovecot.service: Control process exited, code=exited status=89
    May 09 08:14:27 ip107 systemd[1]: Failed to start Dovecot IMAP/POP3 email server.
    May 09 08:14:27 ip107 systemd[1]: dovecot.service: Unit entered failed state.
    May 09 08:14:27 ip107 systemd[1]: dovecot.service: Failed with result 'exit-code'.
    You have new mail in /var/mail/root

    But when I check in /etc/postfix, I do have smtpd.cert

    Can you help me please?
  2. The files smtp.cert and smtpd.key are empty...
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig creates its own LE cert automatically at install time since ISPConfig 3.2, so it's not recommended to use this guide anymore on ISPConfig 3.2 onwards. In case the cert creation failed at install time due to an invalid hostname setup, then rerun the ispconfig update with --force option and let ISPConfig create a new LE cert.
  4. ln -s /root/ smtpd.cert
    ln -s /root/ smtpd.key
    I don't have the /root/ directory
  5. When I checked with it's OK after creating a new domain
  6. till

    Do you have a directory /etc/letsencrypt/ ?
  7. When I created my website and mails, I created them on the same domain as but I haven't created
    But I use a certificate which is not the right one. On my other domains, it's the same certificate who is asset.
    I have problems with and who blocked me. Gmail places my mails in spam.
    How do I use mails correctly? Must I create new mail on and replace ? Can I move old mails to the new box?
  8. yes
  9. till

    Ok, then the guide is not compatible with your setup at all, you should have used the builtin way from ISPConfig installer to generate the SSL cert. The guide is for recent setups that use

    To fix your setup, you must find the SSL cert and key in /etc/letsencrypt/live/ folder and link the SSL config to these files instead.
    Frédéric URBANIAK likes this.
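
The failure in this thread (ssl_cert pointing at a path that cannot be opened, then empty smtpd.cert and smtpd.key files) can be checked before restarting Dovecot. This is an added example, not part of the original posts or ISPConfig's own code; the function names are hypothetical and it assumes `openssl` is installed and the key is readable by the user running it.

```shell
#!/bin/sh
# Added example: pre-restart check for the cert/key files a Dovecot or
# Postfix TLS setting points at (e.g. /etc/postfix/smtpd.cert from the log above).

# check_tls_file PATH
# returns 0 if usable, 1 if missing or a dangling symlink, 2 if empty.
check_tls_file() {
    if [ ! -e "$1" ]; then          # -e follows symlinks: a dangling link fails here
        if [ -L "$1" ]; then
            echo "$1: symlink to missing target $(readlink "$1")" >&2
        else
            echo "$1: no such file" >&2
        fi
        return 1
    fi
    if [ ! -s "$1" ]; then          # zero-byte file, as reported in post 2
        echo "$1: file is empty" >&2
        return 2
    fi
    return 0
}

# check_tls_pair CERT KEY
# returns 0 if both files are usable and belong together, 1 or 2 as above,
# 3 if either file does not parse or the public keys differ.
check_tls_pair() {
    check_tls_file "$1" || return $?
    check_tls_file "$2" || return $?
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 3
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$1 and $2 do not belong together" >&2
        return 3
    fi
    return 0
}

# When run as a script with two arguments, check that pair.
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2" && echo "OK: $1 / $2"
fi
```

Run it against the paths named in the configuration file (the same paths `doveconf` complains about), not against the Let's Encrypt directory, so that a broken link is caught at the place Dovecot actually reads.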
  10. Sorry, but I'm not very good.
    my setup is like this:
    website :
    email domain :
    email : [email protected]
    DNS record : MX 10 3600
    A mail 0 3600

    This config is the same on my different domains.

    How do I configure mail with SSL with a good certificate for each box?

    If I understand, I must create a website with SSL Let's Encrypt, but after that I'm in the fog.
    I don't want to lose my mail data, just get an ssl certificate for my mailboxes.
    Should I recreate the mailboxes on the new domain and move the data?
  11. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  12. Thanks for your reply, but I'm not sure I understand all of the directives

    my setup :
    websites :,,
    email domain :,,
    email : [email protected], [email protected], [email protected], [email protected] ...etc
    DNS record : MX 10 3600; A mail 0 3600

    MX 10 3600; A mail 0 3600
    MX 10 3600; A mail 0 3600

    For the moment, all mailboxes use the same SSL certificate, which is wrong; I must force the certificate in the messaging software.
    Outlook and Hotmail blocked all mail addresses; Gmail accepts but pushes all mails into the spam directory

    Can I keep my mailboxes or must I create new mailboxes on a new domain?
    Must I remove the MX DNS record on ? And add the MX DNS record on ?
    Can I use, and or only one?
    Sorry for these questions, but it's confusing for me
  13. Th0m

    All MX records should point to, which would be the hostname of your mailserver. And you should have a valid SSL cert for that hostname.

    Your end users connect to, or and, where is your main domain (so not the customer domains).

    And you can add a valid SSL cert as explained in that guide.
    Frédéric URBANIAK likes this.
  14. Can I keep my current mailboxes?
    Must I change the MX record like this for customer domains?
    MX 10 3600 ?
  15. Th0m

  16. Can the customers continue to use on messaging software or must they change to ?
  17. Th0m

  18. It's good for the SSL certificate with the MX DNS record and in my messaging software; now I have no error message for the certificate.
    But Gmail always sends my mails to spam :( and already blocks my sent mails
    <[email protected]>: host[] said: 550 5.7.1
    Unfortunately, messages from [my.ip.ser.ver] weren't sent. Please contact
    your Internet service provider since part of their network is on our block
    list (S3150). You can also refer your provider to
    [] (in reply to MAIL
    FROM command)

    I sent a request a few days ago; here is their response

    We have completed reviewing the IP(s) you submitted. The following table contains the results of our investigation.

    Not qualified for mitigation
    Our investigation has determined that the above IP(s) do not qualify for mitigation.

    Please ensure your emails comply with the policies, practices and guidelines found here:

    To have Deliverability Support investigate further, please reply to this email with a detailed description of the problem you are having, including specific error messages, and an agent will contact you.

    Regardless of the deliverability status, recommends that all senders join two free programs that provide visibility into the traffic on your sending IP(s), the sending IP reputation with and the user complaint rates.

    Junk Email Reporting program (JMRP) When an user marks an email as "junk", senders enrolled in this program get a copy of the mail forwarded to the email address of their choice. It allows senders to see which mails are being marked as junk and to identify mail traffic you did not intend to send. To join, please visit

    Smart Network Data Services program (SNDS). This program allows you to monitor the ‘health’ and reputation of your registered IPs by providing data about traffic such as mail volume and complaint rates seen originating from your IPs. To register, please visit

    There is no silver bullet to maintaining or improving good IP reputation, but these programs help you proactively manage your email eco-system to help better ensure deliverability to users.

    Thank you, Deliverability Support
  19. After contacting OVH, I must send a form to Microsoft to unblock the situation ;)
    But for Gmail, do you have a solution for mails which go directly to spam?
  20. till

    Regarding email from outlook and, this is the normal response, I've never seen them admit that there is a problem in the first attempt of contacting them. Double-check that your setup is correct and then contact them again by answering the mail as the email suggests. But that's a completely different topic and not related to the SSL issue you opened the thread for. Using a central SSL cert is recommended and does not cause any deliverability problems, all larger mail systems do that.
    Frédéric URBANIAK likes this.
