Last week our TLS certificate expired. In addition for a new certificate a larger key-pair was needed. When we received the new certificate we tried to configure the new certificate using the secure port 9010.  However, halfway the procedure, the old certificate disappeared and the new one was not yet present. So, we had to fall back to the insecure port 8010 to complete the configuration of the new certificate.
We are unhappy with this for two reasons, first because now there has been a short period in which the mail server was not accessible in a secure way and, second, because we are a bit worried to have to enter sensitive information (authentication) with a insecure connection.

Probably, we did not follow the right procedure. From the documentation it is not clear to us how we can keep using a secure connection when updating key-pairs and certificate. Is it possible to enter them in advance a specify a time when they will be activated? I hope someone can enlighten us about the correct procedure.