Thanks. Is there another way of doing this? I've got a web server running on 80 and 443. Are there any other options?
I'm getting this list in digest mode, so it's possible by the time this gets to you, I will have repeated someone else's suggestion.
In this situation, where your dovecot server lives on the same host as a web server (webmail?), and this web server is already doing certificate renewal, then just change the certificate to use the SNI extension and add all TLS services that live on this host. (This does not count as a cert renewal, but a new cert).
(E.g. if you are using certbot to get a certificate for "webmail.mydomain", then add "pop3.mydomain", "imap.mydomain" and "smtp.mydomain" to the certificate.)
Your web server will have to virtually host those domains for the purposes of mapping the token pickup folder. Then you can use the same certificate for all TLS services hosted on that server.
Joseph Tam jtam.home@gmail.com
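Added example, not part of the original message: a check to run after the certificate is reissued, confirming that every mail hostname is actually listed in it before Dovecot and the SMTP server are pointed at the file. The function names, the certbot invocation in the comment and the paths are assumptions for illustration.

```shell
#!/bin/sh
# Assumed reissue step (webroot path is a placeholder), adding the mail names
# to the certificate the web server already obtains:
#   certbot certonly --webroot -w <webroot> -d webmail.mydomain \
#       -d pop3.mydomain -d imap.mydomain -d smtp.mydomain

# Print the DNS names listed in a PEM certificate, one per line, lower-cased.
# Uses the -text dump so it also works with older OpenSSL builds.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS://p' |
        tr 'A-Z' 'a-z'
}

# Usage: missing_names CERT.pem host1 host2 ...
# Prints each host the certificate does NOT cover. A wildcard entry such as
# *.example.test covers exactly one left-most label, as TLS clients treat it.
missing_names() {
    cert=$1
    shift
    names=$(cert_dns_names "$cert")
    for host in "$@"; do
        h=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
        covered=no
        # Read names line by line so "*" entries are never glob-expanded.
        while IFS= read -r san; do
            if [ "$san" = "$h" ] || [ "$san" = "*.${h#*.}" ]; then
                covered=yes
            fi
        done <<EOF
$names
EOF
        if [ "$covered" = no ]; then
            echo "$host"
        fi
    done
}

# Example call (certificate path is an assumption):
#   missing_names /etc/letsencrypt/live/webmail.mydomain/fullchain.pem \
#       webmail.mydomain pop3.mydomain imap.mydomain smtp.mydomain
```

Empty output means every listed service name is covered; any name printed would cause hostname verification failures for clients connecting to that service.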