class mail::tls {
  # TLS
  postfix::config { "smtpd_tls_cert_file":      value => '/etc/ssl/certs/cert.crt' }
  postfix::config { "smtpd_tls_key_file":       value => '/etc/ssl/private/cert.pem' }
  postfix::config { "smtpd_tls_CApath":         value => '/etc/ssl/certs' }
  postfix::config { "smtp_tls_CApath":          value => '/etc/ssl/certs' }
  postfix::config { "smtpd_tls_security_level": value => 'may' }
  postfix::config { "smtp_tls_security_level":  value => 'may' }

  $mail_virtual = hiera('mail::virtual', false)

  # SSL certificate
  ssl::cert { "${::domain}":
    group    => 'postfix',
    privmode => '0640',
    main     => true,
    notify   => $mail_virtual ? {
      false   => Service['postfix'],
      default => Service['postfix', 'dovecot'],
    }
  }
}