diff --git a/templates/etc/postfix/main.cf.j2 b/templates/etc/postfix/main.cf.j2
index b7816e7..4b536be 100644
--- a/templates/etc/postfix/main.cf.j2
+++ b/templates/etc/postfix/main.cf.j2
@@ -748,13 +748,21 @@ readme_directory = /usr/share/doc/postfix/README_FILES
 # in PEM format. Intermediate certificates should be included in general,
 # the server certificate first, then the issuing CA(s) (bottom-up order).
 #
+{% if postfix_mydestination is defined %}
+smtpd_tls_cert_file = /etc/lego/certificates/{{ postfix_myhostname }}.crt
+{% else %}
 smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
+{% endif %}
 
 # The full pathname of a file with the Postfix SMTP server RSA private key
 # in PEM format. The private key must be accessible without a pass-phrase,
 # i.e. it must not be encrypted.
 #
+{% if postfix_mydestination is defined %}
+smtpd_tls_key_file = /etc/lego/certificates/{{ postfix_myhostname }}.key
+{% else %}
 smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
+{% endif %}
 
 # Announce STARTTLS support to remote SMTP clients, but do not require that
 # clients use TLS encryption (opportunistic TLS inbound).
@@ -770,7 +778,11 @@ smtp_tls_CApath = /etc/pki/tls/certs
 # trusted to sign either remote SMTP server certificates or intermediate CA
 # certificates.
 #
+{% if postfix_mydestination is defined %}
+smtp_tls_CAfile = /etc/lego/certificates/{{ postfix_myhostname }}.issuer.crt
+{% else %}
 smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+{% endif %}
 
 # Use TLS if this is supported by the remote SMTP server, otherwise use
 # plaintext (opportunistic TLS outbound).
@@ -780,6 +792,7 @@ meta_directory = /etc/postfix
 shlib_directory = /usr/lib64/postfix
 {% else %}
 readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
+{% endif %}
 {% if postfix_mydestination is defined %}
 # Taille mail
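Review bot: The new branches in the @@ -748 hunk select the lego certificate and key by testing `postfix_mydestination is defined`, while the file names are built from `postfix_myhostname`, so the gate checks a variable unrelated to what it enables; the same parameters are also emitted, under a separate `ansible_os_family` guard, in the @@ -807 hunk, so the rendered main.cf can define `smtpd_tls_cert_file`/`smtpd_tls_key_file` twice (Postfix takes the later entry, as far as I recall, with an override warning from postconf). I would gate all of these on one explicit role variable, e.g. `{% if postfix_tls_use_lego | default(false) %}` (name constructed), and add a comment above the block stating that the files are expected at `/etc/lego/certificates/{{ postfix_myhostname }}.crt` and `.key` and must already be issued when the template is applied, since a missing file leaves the listener without a loadable server certificate. The @@ -770 hunk uses the same gate and belongs to the same change.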
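Review bot: `smtp_tls_CAfile` is the set of CAs trusted to verify remote SMTP server certificates (the comment lines directly above it say so), and the new branch in the @@ -770 hunk replaces the system bundle `/etc/pki/tls/certs/ca-bundle.crt` with this host's own Let's Encrypt issuer certificate, an intermediate rather than a trust root, so outbound verification would trust only servers issued by that one intermediate. Presenting the local chain is the job of the `smtpd_tls_*` side, which the `smtpd_tls_CAfile = /etc/lego/certificates/{{ postfix_myhostname }}.issuer.crt` line in the @@ -807 hunk already does, and with the opportunistic outbound level described in the following comment lines a verification failure is only logged, so the narrowed trust store stays invisible until someone raises `smtp_tls_security_level`. I would keep `smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt` unconditionally and drop the `{% if %}`/`{% else %}` around it.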
@@ -807,10 +820,12 @@ tls_random_source = dev:/dev/urandom
 tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
 #tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+{% if ansible_os_family == "RedHat" and ansible_distribution_major_version < '8' %}
 smtpd_tls_security_level = may
 smtpd_tls_key_file = /etc/lego/certificates/{{ postfix_myhostname }}.key
 smtpd_tls_cert_file = /etc/lego/certificates/{{ postfix_myhostname }}.crt
 smtpd_tls_CAfile = /etc/lego/certificates/{{ postfix_myhostname }}.issuer.crt
+{% endif %}
 smtpd_tls_loglevel = 1
 smtpd_tls_session_cache_timeout = 3600s
 smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
@@ -878,4 +893,3 @@ smtpd_recipient_restrictions =
 # reject_rbl_client bl.spamcop.net,
 permit
 {% endif %}
-{% endif %}
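Review bot: `ansible_distribution_major_version < '8'` in the new guard compares two strings (the Ansible fact is a string), so the test is lexicographic: `'10' < '8'` is true and a major version 10 host would take this branch; write it as `ansible_distribution_major_version | int < 8`. The guard also encloses `smtpd_tls_security_level = may`, so on hosts that do not match, the listener's TLS policy depends on an earlier `smtpd_tls_security_level` line outside this hunk — confirm one exists, because without it the Postfix default (no STARTTLS offered) applies. On matching hosts with `postfix_mydestination` defined, the three `smtpd_tls_*` file parameters are now emitted both here and in the @@ -748 hunk; keeping them in one place avoids the duplicate-parameter ambiguity.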