Separate tls key/cert options for imap, submission and smtp

defaults/main.yml

@@ -1,6 +1,10 @@
 mailserver:
-  tls_cert: "/etc/ssl/{{ inventory_hostname }}.chain.crt"
+  smtp_tls_cert: "/etc/ssl/{{ inventory_hostname }}.chain.crt"
-  tls_key: "/etc/ssl/private/{{ inventory_hostname }}.key"
+  smtp_tls_key: "/etc/ssl/private/{{ inventory_hostname }}.key"
+  submission_tls_cert: "/etc/ssl/{{ inventory_hostname }}.chain.crt"
+  submission_tls_key: "/etc/ssl/private/{{ inventory_hostname }}.key"
+  imap_tls_cert: "/etc/ssl/{{ inventory_hostname }}.chain.crt"
+  imap_tls_key: "/etc/ssl/private/{{ inventory_hostname }}.key"
   domains: [] # All mail domains
   postfix:
     metrics_address: "127.0.0.1:9154"

templates/dovecot/dovecot.conf.j2

@@ -3,8 +3,8 @@ protocols = imap sieve
 mail_plugins = $mail_plugins quota
 
 ssl = required
-ssl_cert = <{{ mailserver.tls_cert }}
+ssl_cert = <{{ mailserver.imap_tls_cert }}
-ssl_key = <{{ mailserver.tls_key }}
+ssl_key = <{{ mailserver.imap_tls_key }}
 ssl_dh = </etc/ssl/dh-4096.pem
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

templates/postfix/main.cf.j2

@@ -2,10 +2,8 @@ compatibility_level = 3.7
 
 # Sane defaults
 biff = no
-# TODO: v why? v
 append_dot_mydomain = no
 local_header_rewrite_clients = permit_inet_interfaces permit_sasl_authenticated
-# TODO: v why? v
 readme_directory = no
 smtpd_helo_required = yes
 strict_rfc821_envelopes = yes
@@ -62,8 +60,10 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mydestination = {{ inventory_hostname_short }} {{ inventory_hostname }} localhost
 
 # TLS parameters
-smtpd_tls_cert_file = {{ mailserver.tls_cert }}
+smtpd_tls_cert_file = {{ mailserver.smtp_tls_cert }}
-smtpd_tls_key_file = {{ mailserver.tls_key }}
+smtpd_tls_key_file = {{ mailserver.smtp_tls_key }}
+mua_tls_cert_file = {{ mailserver.submission_tls_cert }}
+mua_tls_key_file = {{ mailserver.submission_tls_key }}
 smtpd_use_tls = yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

templates/postfix/master.cf.j2

@@ -17,6 +17,8 @@ smtp      inet  n       -       y       -       -       smtpd
 submission inet n       -       y       -       -       smtpd
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_cert_file=$mua_tls_cert_file
+  -o smtpd_tls_key_file=$mua_tls_key_file
   -o syslog_name=postfix/submission
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_reject_unlisted_recipient=no