A server certificate has two functions: to encrypt data and to confirm that your server is "whoever it says it is".
Self-signed certificates will work, but they are not enough for other servers communicating with your server. Those servers need to be sure that your server is who it claims to be, and your server claims to be whatever value is set in the Local Host field at Settings - Options - General. It should be a fully qualified domain name, something like mail.mydomain.com.
The same name, mail.mydomain.com, should be given to users as the SMTP, IMAP (or POP3) server address, and the same name should be listed as an MX record for the domains your server serves.
We need to obtain a certificate associated with the identity of your server, mail.mydomain.com. Note that the identity of the server has nothing to do with the domains it serves, that is, the domains listed on the Domains & Users tab of your Mail Server UI.
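The name consistency described above can be checked offline before ordering or installing the certificate. The following is an added example, not part of the original page or of the mail server's own tooling; the function names are hypothetical, all sample values are constructed, and the wildcard handling goes beyond the single-name case the page discusses.

```python
# Added example: offline check that every name a peer uses to reach the mail
# server is covered by the certificate. All sample values are constructed.

def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate dNSName against a host name.

    Case-insensitive; a wildcard is honoured only as the whole left-most
    label and stands for exactly one label (*.mydomain.com does not cover
    mydomain.com or a.b.mydomain.com).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def audit(cert_names, local_host, mx_targets, client_server):
    """Return a list of findings; an empty list means the names line up."""
    findings = []
    used = {"Local Host setting": local_host,
            "client SMTP/IMAP server": client_server}
    for i, mx in enumerate(mx_targets):
        used[f"MX record #{i + 1}"] = mx
    for role, name in used.items():
        if name.lower().rstrip(".") != local_host.lower().rstrip("."):
            findings.append(f"{role} is {name!r}, expected {local_host!r}")
        if not any(dns_name_matches(c, name) for c in cert_names):
            findings.append(f"{role} {name!r} is not covered by the certificate")
    return findings


if __name__ == "__main__":
    cert = ["mail.mydomain.com"]           # names in the issued certificate
    print(audit(cert, "mail.mydomain.com", ["mail.mydomain.com."],
                "mail.mydomain.com"))      # consistent setup
    print(audit(cert, "mail.mydomain.com", ["mydomain.com"],
                "mail.mydomain.com"))      # MX points at the served domain
```

The second call reports two findings because an MX record pointing at the served domain mydomain.com is neither the Local Host name nor a name the certificate covers.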
There are multiple ways of obtaining the certificate. We will give an example of doing it at ssls.com.
Let's assume we are ordering the certificate for mail.mydomain.com. Before we begin, we have to ensure that the account firstname.lastname@example.org exists and is accessible, because we will need to prove to SSL that the domain mydomain.com belongs to us. An email will be sent to that address, and we will need to follow the instructions in it to validate that we own the domain.
Certutil -mergepfx mail_mydomain_com.crt mail_mydomain_com.pfx
You will be prompted to create a password, and confirm it;