Certificate rate limits for alias domains

iggydob

Hello community,
I’m planning ahead for scaling my Mailcow setup and would appreciate your insights on certificate management and alias domain configuration.

My current setup:

Main domain: example.com with a single mailbox mainuser@example.com
₁₀ alias domains (planning to scale to 100+)
Alias domains have these DNS records: DKIM, SPF, DMARC, TLSA, PTR, A, AAAA
No autodiscover/autoconfig records for alias domains (intentionally)
All alias mailboxes point to main domain mailboxes (e.g., user@aliasdomain.com → mainuser@example.com)
Outgoing mail uses alias addresses as sender while authenticating through mail.example.com

When checking /var/lib/acme/mail.example.com in the ACME container, I only see certificate details for example.com, not the alias domains.

Since I’m not using autodiscover/autoconfig for alias domains, are these domains excluded from Let’s Encrypt certificate requests? Will this help me avoid rate limit issues when scaling to 100+ domains? Am I correctly avoiding unnecessary certificate generation?
Is it secure to NOT have autodiscover/autoconfig DNS records for alias domains?

Currently everything works well, but I want to ensure I’m following best practices before scaling up. Thanks in advance for your help!

ETNyx

Well check the docs

iggydob Since I’m not using autodiscover/autoconfig for alias domains, are these domains excluded from Let’s Encrypt certificate requests?

right at start of docs:

For each domain you add, it will try to resolve autodiscover.ADDED_MAIL_DOMAIN and autoconfig.ADDED_MAIL_DOMAIN to its IPv6 address or - if IPv6 is not configured in your domain - IPv4 address. If it succeeds, a name will be added as SAN to the certificate request.

iggydob Will this help me avoid rate limit issues when scaling to 100+ domains?

Well you are planing to scale over 100 domain so nothing but allow SNI will help in your goal. (Unless Let’s encrypt change it’s rules or MC change provider or you setup own certificate provider).

iggydob Am I correctly avoiding unnecessary certificate generation?

This is wrong question, unless you allow SNI than you have only one certificate so no unnecessary certificate generation are in place and when you allow SNI one would assumed you need it,..

iggydob Is it secure to NOT have autodiscover/autoconfig DNS records for alias domains?

This is not question of security but question of user experience.

Edit: most-likely, I was wrong about avoid 100+ domains issue, if you will not use autoconfig and autodiscover than you are not generating alternative names into your certificate, than you will not hit this 100 domains alt name limit,..

iggydob

Thank you @ETNyx for the detailed response! Based on the explanation, I understand that since I’m not using autodiscover/autoconfig for alias domains, they won’t be added as SANs to the certificate request, hence no need for setting ENABLE_SSL_SNI=y in mailcow.conf and a single certificate just for my main domain is sufficient.