Introduction

Mail servers use TLS certificates to encrypt SMTP connections (STARTTLS on port 587 or SMTPS on port 465). When the mail server's certificate expires, email clients and other mail servers may refuse to connect, or connections may fall back to unencrypted transmission. This compromises email security and can cause complete mail delivery failures for strict clients.

Symptoms

  • Email clients show Certificate has expired warning when connecting to SMTP
  • Mail delivery fails with TLS handshake failed or certificate verify failed
  • Some clients connect but show security warnings about expired certificates
  • Server-to-server mail delivery fails with TLS required but certificate expired
  • Error message: STARTTLS failed: certificate has expired

Common Causes

  • Mail server SSL certificate expired and auto-renewal did not execute
  • Let's Encrypt certificate renewal failed due to DNS or webroot issues
  • Self-signed certificate was never replaced with a valid CA-signed certificate
  • Certificate was replaced but the mail server was not restarted to load the new one
  • Mail server using a shared certificate that expired for a different domain

Step-by-Step Fix

  1. Check the mail server certificate expiration: Verify the certificate status.

```bash
openssl s_client -connect mail.example.com:587 -starttls smtp </dev/null 2>/dev/null | openssl x509 -noout -dates -subject
# Check if the 'notAfter' date is in the past
```

  2. Renew or replace the expired certificate: Obtain a new certificate.

```bash
# For Let's Encrypt with Certbot (--standalone binds port 80 for the challenge,
# so nothing else may be listening there; use --webroot if a web server is)
certbot certonly --standalone -d mail.example.com
# Or request a new certificate from your CA

# Copy the new certificate to the mail server
cp /etc/letsencrypt/live/mail.example.com/fullchain.pem /etc/postfix/ssl/cert.pem
cp /etc/letsencrypt/live/mail.example.com/privkey.pem /etc/postfix/ssl/key.pem
```

  3. Restart the mail server to load the new certificate: Apply the new certificate.

```bash
# For Postfix
systemctl restart postfix
# For Exim
systemctl restart exim4
# For Dovecot (IMAP/POP3)
systemctl restart dovecot
```

  4. Verify the new certificate is being served: Confirm the fix.

```bash
openssl s_client -connect mail.example.com:587 -starttls smtp </dev/null 2>/dev/null | openssl x509 -noout -dates
# Should show the new certificate's validity period
```

  5. Configure automatic certificate renewal: Prevent future expirations.

```bash
# Certbot auto-renewal with post-hook for mail server restart
crontab -e
# The hook must re-copy the renewed files (as in step 2) before restarting,
# otherwise the services reload the stale copies in /etc/postfix/ssl
0 3 * * * certbot renew --post-hook "cp /etc/letsencrypt/live/mail.example.com/fullchain.pem /etc/postfix/ssl/cert.pem && cp /etc/letsencrypt/live/mail.example.com/privkey.pem /etc/postfix/ssl/key.pem && systemctl restart postfix dovecot"
```
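
Added example, not part of the article: a certbot deploy hook that performs the copy from step 2 and the restart from step 3 every time a certificate is actually renewed, so a renewed certificate never sits unused under /etc/letsencrypt while the mail server keeps serving the stale copy. The source directory, destination directory and restart command are parameters (names chosen here, not taken from the article); `RENEWED_LINEAGE` is the variable certbot sets when it runs a `--deploy-hook`. It assumes GNU coreutils (`install`) and installs the private key with mode 0600.

```sh
#!/bin/sh
# Added example (not from the article): certbot deploy hook for a mail server.
# Copies the renewed Let's Encrypt files into the mail server's certificate
# directory and then restarts the services. Directory names and the restart
# command are parameters so the copy step can be exercised on its own.

# install_mail_cert SRC_DIR DST_DIR [RESTART_CMD]
# Copies fullchain.pem -> cert.pem (0644) and privkey.pem -> key.pem (0600),
# then runs RESTART_CMD. Returns 1 without touching DST_DIR if the renewed
# files are missing or unreadable.
install_mail_cert() {
    src=$1
    dst=$2
    restart=${3:-"systemctl restart postfix dovecot"}   # same as the cron post-hook

    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || {
        echo "install_mail_cert: missing certificate files in $src" >&2
        return 1
    }
    mkdir -p "$dst"

    # Write under temporary names and rename afterwards, so a half-written
    # file is never picked up by a service that starts in the meantime.
    install -m 0644 "$src/fullchain.pem" "$dst/cert.pem.new"
    install -m 0600 "$src/privkey.pem" "$dst/key.pem.new"
    mv "$dst/cert.pem.new" "$dst/cert.pem"
    mv "$dst/key.pem.new" "$dst/key.pem"

    sh -c "$restart"
}

# Entry point when certbot runs this script as a deploy hook:
# RENEWED_LINEAGE is the /etc/letsencrypt/live/<name> directory just renewed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_mail_cert "$RENEWED_LINEAGE" /etc/postfix/ssl
fi
```

Save the script somewhere executable (the path is yours to choose) and reference it with `certbot renew --deploy-hook /path/to/script` instead of the inline `--post-hook` in the cron line; a deploy hook runs only when a certificate was actually renewed, whereas a post-hook also runs after attempts that renewed nothing.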

Prevention

  • Monitor mail server certificate expiration dates and alert 30 days before expiry
  • Configure automatic certificate renewal with post-hooks to restart mail services
  • Use short-lived certificates (90 days) with automated renewal
  • Test certificate renewal in staging before the production certificate expires
  • Include mail server certificate checks in regular infrastructure audits
  • Use certificate transparency monitoring to detect unexpected certificate changes
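
Added example, not part of the article: the "alert 30 days before expiry" check from the prevention list as a script that can run from cron or a monitoring probe. It reuses the `openssl s_client -starttls smtp` command from step 1 to read the served certificate, converts its `notAfter` date to seconds remaining, and reports OK, WARN or EXPIRED with a matching exit status. It assumes GNU `date` (for `-d`) and `openssl` in `PATH`; host, port and warning threshold are caller-supplied, and `seconds_left` accepts an optional fixed "now" so the arithmetic can be checked offline.

```sh
#!/bin/sh
# Added example (not from the article): STARTTLS certificate expiry monitor.
# Assumes GNU date (-d parsing) and openssl in PATH.

# fetch_not_after HOST PORT
# Prints the served certificate's notAfter value, e.g. "Jun  1 12:00:00 2025 GMT".
# -servername sends SNI so a server with several certificates picks the right one.
fetch_not_after() {
    openssl s_client -connect "$1:$2" -starttls smtp -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate \
        | sed 's/^notAfter=//'
}

# seconds_left NOT_AFTER [NOW_EPOCH]
# Prints seconds until expiry; zero or negative once the certificate has expired.
# NOW_EPOCH defaults to the current time and exists so results can be verified
# against a fixed clock.
seconds_left() {
    not_after_epoch=$(date -u -d "$1" +%s) || return 1
    now_epoch=${2:-$(date -u +%s)}
    echo $((not_after_epoch - now_epoch))
}

# classify SECONDS_LEFT THRESHOLD_DAYS
# Prints EXPIRED, WARN (inside the warning window) or OK.
classify() {
    if [ "$1" -le 0 ]; then
        echo EXPIRED
    elif [ "$1" -le $(($2 * 86400)) ]; then
        echo WARN
    else
        echo OK
    fi
}

# check_mail_cert HOST [PORT] [THRESHOLD_DAYS]
# Exit status: 0 OK, 1 WARN, 2 EXPIRED, 3 certificate could not be read
# (connection refused, STARTTLS unsupported, or openssl missing).
check_mail_cert() {
    host=$1
    port=${2:-587}
    threshold=${3:-30}

    not_after=$(fetch_not_after "$host" "$port")
    if [ -z "$not_after" ]; then
        echo "$host:$port: could not read certificate" >&2
        return 3
    fi
    secs=$(seconds_left "$not_after") || return 3
    state=$(classify "$secs" "$threshold")
    echo "$host:$port: $state ($((secs / 86400)) days left, notAfter=$not_after)"
    case $state in
        OK) return 0 ;;
        WARN) return 1 ;;
        EXPIRED) return 2 ;;
    esac
}

# Usage: ./check-mail-cert.sh mail.example.com 587 30
if [ "$#" -gt 0 ]; then
    check_mail_cert "$@"
fi
```

Run it for every mail host (submission on 587, and 465 or 25 where those are exposed) and treat any non-zero exit as an alert; a WARN 30 days out leaves time to fix a failed renewal before clients start refusing the connection.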