
It says not to do that here:

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-postfix-e-mail-server-with-dovecot

My question is: why not?

Also, another question, how does one ensure that a certificate is only readable by the root user?

  • A much better place to ask this kind of question is security.stackexchange.com. But make sure that you check if there are already answers to similar questions. – Steffen Ullrich Jul 19 '15 at 16:41

1 Answer

Certificates are a means of establishing trust. There are a number of certificate signing authorities which are trusted by browsers and other tools which use SSL/TLS certificates. When they make an encrypted connection, they verify that the provided certificate was signed by a trusted certificate.

A self-signed certificate is not signed by a trusted signer and will be untrusted. Many tools will ask if you want to accept the certificate anyway. Teaching people to accept such certificates leaves them open to man-in-the-middle attacks.

If you don't want to get a certificate from a trusted certificate authority, you can create your own certificate authority (CA). However, you will need to distribute your public CA certificate to your clients and get them to install it in the appropriate trust store(s).

There are cases, such as VPNs, where you may want to have your own CA. Services like IMAP, POP, and HTTP are rarely such cases.

BillThor
  • 4,698
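To make the answer's point concrete, here is an added example (not from the question, the answer, or the linked tutorial) that builds a private CA with openssl, issues a server certificate from it, and shows that a client only accepts that certificate once the CA certificate is in its trust store; it also locks down the private keys with `chmod 600` as the second question asks. The CA and host names are constructed, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: build a private CA with openssl,
# issue a server certificate with it, and show that clients only accept the
# certificate once the CA is in their trust store. Assumes openssl is on PATH;
# all names ("Example Mail CA", mail.example.invalid) are constructed.
set -eu

WORK=$(mktemp -d)

# Self-signed certificate; with openssl's default configuration -x509 marks it as a CA.
new_ca() {  # $1 = file prefix, $2 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# Server key + CSR, signed by our own CA instead of being self-signed.
issue_server_cert() {  # $1 = CA prefix, $2 = server name
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/mail.key" \
        -out "$WORK/mail.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/mail.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 365 -out "$WORK/mail.crt" >/dev/null 2>&1
}

# What a client does: check that the presented cert chains to something in ITS
# trust store. Returns 0 when trusted, non-zero otherwise.
verify_against() {  # $1 = client's trust store, $2 = certificate presented
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Permission string of a file, e.g. "-rw-------" (portable, no GNU stat needed).
key_mode() { ls -l "$1" | cut -c1-10; }

new_ca ca "Example Mail CA"          # the CA we will distribute to our clients
new_ca other "Some Unrelated CA"     # stands in for what clients trust by default
issue_server_cert ca mail.example.invalid

# Private keys readable by their owner only; on the real server the owner is root
# (chown root:root), which is what "only readable by root" amounts to.
chmod 600 "$WORK/ca.key" "$WORK/mail.key"

if verify_against "$WORK/other.crt" "$WORK/mail.crt"; then
    echo "client without our CA: trusted (unexpected)"
else
    echo "client without our CA: untrusted, so the tool prompts to accept anyway"
fi
if verify_against "$WORK/ca.crt" "$WORK/mail.crt"; then
    echo "client with ca.crt installed: trusted, no prompt"
fi
echo "mail.key permissions: $(key_mode "$WORK/mail.key")"
```

The self-signed `ca.crt` itself fails verification against the unrelated store in exactly the same way, which is what a client sees when a server presents a self-signed certificate directly.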