I think there is a bug in the configuration for the mail server rebuild.
Specifically, the configuration file is being built with the appropriate hostname SSL certificate. However, maybe this is intended, the configuration file does this:
ssl = yes
ssl_cert = </etc/pki/tls/certs/hostname.tld.crt
ssl_key = </etc/pki/tls/private/hostname.tld.key
ssl_verify_client_cert = no
ssl_ca =
The builtin SSL generator however produces files here:
/etc/pki/tls/certs/hostname.tld.crt
/etc/pki/tls/certs/hostname.tld.key (The SSL generates into the certs folder, not the private folder)
Is this intentional? If so, it means manually moving the key file to the private folder so that the configuration picks it up.
Otherwise it could simply use the certs folder that the SSL generator produces the files into.
Anyway, just a thought: if the recommended process is to move the key to the private folder, then can the SSL generator place it there itself?
In /etc/pki/tls/openssl.cnf I find where it states to place the generated cert files, but it does not separate the .key file on any particular line.
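
Added example, not part of the original post: a POSIX shell function that reads the `ssl_cert` and `ssl_key` paths from a config written in the `setting = <path` form quoted above, reports any path that does not exist on disk (the mismatch described in the post), and flags a key file that is readable by group or others. The function name and the output labels are illustrative, and the config path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage, after sourcing this file:
#   check_ssl_paths /path/to/mail-server.conf    # placeholder path
#
# Prints one line per setting and returns 1 if any check fails:
#   OK <setting> <path>
#   MISSING-SETTING <setting>
#   NOT-FOUND <setting> <path>
#   LOOSE-PERMS <setting> <path>
check_ssl_paths() {
    conf=$1
    rc=0
    for setting in ssl_cert ssl_key; do
        # Take the last "setting = <path" assignment and keep only the path.
        path=$(sed -n "s/^[[:space:]]*${setting}[[:space:]]*=[[:space:]]*<[[:space:]]*//p" "$conf" | tail -n 1)
        if [ -z "$path" ]; then
            echo "MISSING-SETTING $setting"
            rc=1
            continue
        fi
        if [ ! -f "$path" ]; then
            # The case from the post: the config points at a file the
            # generator wrote somewhere else.
            echo "NOT-FOUND $setting $path"
            rc=1
            continue
        fi
        if [ "$setting" = ssl_key ]; then
            # Columns 5-10 of the ls mode string are the group and other bits;
            # a private key should have none of them set.
            mode=$(ls -ldL "$path" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "LOOSE-PERMS $setting $path"
                rc=1
                continue
            fi
        fi
        echo "OK $setting $path"
    done
    return $rc
}
```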