diff --git a/src/certificates.js b/src/certificates.js
index 19e46af94..dfdb572f3 100644
--- a/src/certificates.js
+++ b/src/certificates.js
@@ -10,7 +10,8 @@ exports = module.exports = {
 ensureCertificate: ensureCertificate,
 setAdminCertificate: setAdminCertificate,
- getAdminCertificatePath: getAdminCertificatePath,
+
+ getMailCertificate: getMailCertificate,
 renewAll: renewAll,
@@ -341,6 +342,22 @@ function getAdminCertificatePath(callback) {
 getFallbackCertificatePath(callback);
 }
+function getMailCertificate(callback) {
+ assert.strictEqual(typeof callback, 'function');
+
+ getAdminCertificatePath(function (error, certFilePath, keyFilePath) {
+ if (error) return callback(error);
+
+ var cert = safe.fs.readFileSync(certFilePath);
+ if (!cert) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error));
+
+ var key = safe.fs.readFileSync(keyFilePath);
+ if (!cert) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error));
+
+ return callback(null, cert, key);
+ });
+}
+
 function ensureCertificate(app, callback) {
 assert.strictEqual(typeof app, 'object');
 assert.strictEqual(typeof callback, 'function');
diff --git a/src/platform.js b/src/platform.js
index 4f9722905..0b149efc3 100644
--- a/src/platform.js
+++ b/src/platform.js
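Review bot: The guard after `var key = safe.fs.readFileSync(keyFilePath);` re-tests `cert` instead of `key`, so a failed read of the private key is never reported and the callback is invoked with an undefined key; the line should be `if (!key) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error));`. The new function also has no header comment; something like `// Like getAdminCertificatePath, but yields the certificate and key file contents (Buffers, if safe.fs.readFileSync mirrors fs.readFileSync) so callers can copy them elsewhere.` would explain why it exists next to the path variant. Note that the first hunk drops getAdminCertificatePath from the exports, which will break any caller outside this diff that still uses it; only the platform.js caller is updated here.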
@@ -222,11 +222,12 @@ function startMail(callback) {
 const memoryLimit = Math.max((1 + Math.round(os.totalmem()/(1024*1024*1024)/4)) * 128, 256);
 const alertsFrom = 'no-reply@' + config.fqdn();
- // TODO: watch for a signal here should the certificate path change. Note that haraka reloads
- // config automatically if the contents of the certificate changes (eg, renawal).
- certificates.getAdminCertificatePath(function (error, certFilePath, keyFilePath) {
+ certificates.getMailCertificate(function (error, cert, key) {
 if (error) return callback(error);
+ if (!safe.fs.writeFileSync(paths.DATA_DIR + '/addons/tls_cert.pem', cert)) return callback(new Error('Could not create cert file:' + safe.error.message));
+ if (!safe.fs.writeFileSync(paths.DATA_DIR + '/addons/tls_key.pem', key)) return callback(new Error('Could not create key file:' + safe.error.message));
+
 settings.getMailConfig(function (error, mailConfig) {
 if (error) return callback(error);
@@ -249,8 +250,8 @@ function startMail(callback) {
 --memory-swap ${memoryLimit * 2}m \
 -v "${dataDir}/box/mail:/app/data" \
 -v "${dataDir}/mail:/run" \
- -v "${certFilePath}:/etc/tls_cert.pem:ro" \
- -v "${keyFilePath}:/etc/tls_key.pem:ro" \
+ -v "${dataDir}/addons/tls_cert.pem:/etc/tls_cert.pem:ro" \
+ -v "${dataDir}/addons/tls_key.pem:/etc/tls_key.pem:ro" \
 -v "${dataDir}/addons/mail_vars.ini:/etc/mail.ini:ro" \
 ${ports} \
 --read-only -v /tmp ${tag}`;
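Review bot: The private key is written to `paths.DATA_DIR + '/addons/tls_key.pem'` with no explicit mode, so the new file gets whatever the process umask allows (commonly 0644) and is readable by every local user on the host; restrict it on that line, e.g. `if (!safe.fs.writeFileSync(paths.DATA_DIR + '/addons/tls_key.pem', key, { mode: 0o600 })) return callback(new Error('Could not create key file: ' + safe.error.message));`, assuming the safe wrapper forwards the options object to fs.writeFileSync as the Node API accepts. The removed comment recorded that haraka reloads the certificate when its contents change on renewal; with a one-time copy taken here, a renewal presumably no longer reaches the container until startMail runs again, which deserves a comment above the two writes such as `// Snapshot of the admin cert/key; a renewal is not visible to the container until it is restarted.` Both error strings also lack a space after the colon (`'Could not create cert file:' + ...`). startMail continues outside this hunk, and the following hunk mounts these copied files into the container.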