Hi,
I'm running aaPanel with the Mail-Server plugin (postfix + dovecot + rspamd) alongside several websites. Each website's SSL cert (issued by aaPanel via Let's Encrypt) already includes its mail.<domain> hostname as a SAN, so the cert is technically valid for the mail-server too.
Currently I manually copy the web cert (/www/server/panel/vhost/cert/<domain>/fullchain.pem and privkey.pem) into the mail cert directory (/www/server/panel/plugin/mail_sys/cert/<domain>/) every time aaPanel auto-renews the web cert. This works, but it's a manual step.
To avoid this, I'm considering replacing the mail cert directory with a symlink:
/www/server/panel/plugin/mail_sys/cert/<domain> → /www/server/panel/vhost/cert/<domain>
That way, postfix and dovecot would always read the same cert files as nginx/Apache, and the Web-plugin's auto-renewal would propagate to mail automatically (postfix and dovecot both follow symlinks transparently when reading cert files).
My questions:
- Has anyone tried this? Any pitfalls in production?
- Does the Mail-Server plugin ever write to mail_sys/cert/<domain>/ on its own (e.g. a scheduled task, an internal auto-renewal)? If yes, it could overwrite the web cert files via the symlink, which would be catastrophic for the website's HTTPS.
- I've checked the panel's crontabs and only see the web SSL auto-renew job (acme_v2.py --renew_v3=1) - no equivalent for the mail plugin. Is that correct, or does the plugin renew certs via a different mechanism?
- If clicking "Apply SSL" inside the Mail-Server UI for a domain would replace the symlink/files, that's manageable (just don't click it). But are there any other code paths that might trigger a write?
The Mail-Server plugin also manages dovecot's local_name blocks in /etc/dovecot/conf.d/10-ssl.conf and the tls_server_sni_maps entries in /etc/postfix/vmail_ssl.map - both pointing to the mail_sys/cert/<domain>/ paths, which a symlink would resolve transparently. So no config changes should be needed there.
Setup details:
- aaPanel 8.0.2
- Mail-Server plugin version 7.4.1
- OS: Ubuntu 24.04.4 LTS
- 9 domains, each with its own website + mail-domain configured
Thanks for any insights, especially from anyone who's run this setup for an extended period across auto-renewal cycles.
JoPhi
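The overwrite risk raised in the post can also be avoided without a symlink: a one-way post-renewal hook that copies the web cert into the mail plugin's directory, after confirming the cert really names mail.<domain>, and refuses to write through a symlink. The script below is an added example, not code from aaPanel or the Mail-Server plugin; the paths are the ones named in the post, the variable and function names are assumed.

```shell
#!/bin/sh
# Hypothetical post-renewal hook (not part of aaPanel): copy the web cert
# into the mail plugin's cert directory in one direction only, so nothing
# the mail plugin writes can ever reach the web cert files.
WEB_CERT_ROOT="${WEB_CERT_ROOT:-/www/server/panel/vhost/cert}"
MAIL_CERT_ROOT="${MAIL_CERT_ROOT:-/www/server/panel/plugin/mail_sys/cert}"

# san_covers SAN_TEXT HOST: return 0 if HOST is a DNS entry in the
# subjectAltName text printed by `openssl x509 -noout -ext subjectAltName`.
san_covers() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# cert_san FULLCHAIN: print the subjectAltName extension of the leaf cert.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null
}

# sync_cert_dir SRC_DIR DST_DIR: copy fullchain.pem and privkey.pem into
# DST_DIR atomically (write .tmp, then rename). Refuses when DST_DIR is a
# symlink, because it could resolve back into the web cert directory and
# writing through it is exactly the overwrite the post worries about.
sync_cert_dir() {
    src="$1"; dst="$2"
    if [ -L "$dst" ]; then echo "refusing: $dst is a symlink" >&2; return 2; fi
    [ -f "$src/fullchain.pem" ] && [ -f "$src/privkey.pem" ] || return 1
    mkdir -p "$dst" && chmod 700 "$dst" || return 1
    for f in fullchain.pem privkey.pem; do
        cp "$src/$f" "$dst/$f.tmp" && chmod 600 "$dst/$f.tmp" \
            && mv -f "$dst/$f.tmp" "$dst/$f" || return 1
    done
}

# sync_domain DOMAIN: verify the web cert names mail.DOMAIN, then sync it.
sync_domain() {
    d="$1"; src="$WEB_CERT_ROOT/$d"
    san_covers "$(cert_san "$src/fullchain.pem")" "mail.$d" \
        || { echo "$d: web cert has no SAN for mail.$d, skipping" >&2; return 1; }
    sync_cert_dir "$src" "$MAIL_CERT_ROOT/$d"
}

# Usage, e.g. from a cron job scheduled after acme_v2.py --renew_v3=1:
#   for d in example.com example.net; do sync_domain "$d"; done \
#       && systemctl reload postfix dovecot
```

Because the copy only ever flows web → mail, an "Apply SSL" click or any other write by the mail plugin can at worst clobber the mail copy, which the next hook run repairs.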