Separate tls key/cert options for imap, submission and smtp

templates/postfix/main.cf.j2

@@ -2,10 +2,8 @@ compatibility_level = 3.7
 
 # Sane defaults
 biff = no
-# TODO: v why? v
 append_dot_mydomain = no
 local_header_rewrite_clients = permit_inet_interfaces permit_sasl_authenticated
-# TODO: v why? v
 readme_directory = no
 smtpd_helo_required = yes
 strict_rfc821_envelopes = yes
@@ -62,8 +60,10 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mydestination = {{ inventory_hostname_short }} {{ inventory_hostname }} localhost
 
 # TLS parameters
-smtpd_tls_cert_file = {{ mailserver.tls_cert }}
-smtpd_tls_key_file = {{ mailserver.tls_key }}
+smtpd_tls_cert_file = {{ mailserver.smtp_tls_cert }}
+smtpd_tls_key_file = {{ mailserver.smtp_tls_key }}
+mua_tls_cert_file = {{ mailserver.submission_tls_cert }}
+mua_tls_key_file = {{ mailserver.submission_tls_key }}
 smtpd_use_tls = yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

templates/postfix/master.cf.j2

@@ -17,6 +17,8 @@ smtp      inet  n       -       y       -       -       smtpd
 submission inet n       -       y       -       -       smtpd
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_cert_file=$mua_tls_cert_file
+  -o smtpd_tls_key_file=$mua_tls_key_file
   -o syslog_name=postfix/submission
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_reject_unlisted_recipient=no