/etc/dovecot/private:
  file.directory:
    - mode: 700
    - require:
      - pkg: dovecot

/etc/dovecot/private/fullchain.pem:
  file.managed:
    - mode: 400
    - contents_pillar: env:certs:host:{{ pillar['vmail']['server_name'] }}:fullchain.pem
    - require:
      - file: /etc/dovecot/private
    - watch_in:
      - service: dovecot
      - service: postfix

/etc/dovecot/private/privkey.pem:
  file.managed:
    - mode: 400
    - contents_pillar: env:certs:host:{{ pillar['vmail']['server_name'] }}:privkey.pem
    - require:
      - file: /etc/dovecot/private
    - watch_in:
      - service: dovecot
      - service: postfix