It is - that's just "belt and braces" stuff (also known as "defence in depth" :-) )
It is good to limit to just your own CA. I do this with the LDAP. Was just not expecting it from someone having users stored in MariaDB and having virtual users and then worrying about CA's credibility. If you use a .local you already skip the regular stuff and you only need to worry about intelligence agencies.
My *real* issue (if I understand things correctly - which, there's a significant chance that I don't) is telling dovecot which TLS certificate to use to connect to the MariaDB back-end.
I don't know, I would even be surprised if they support such a thing. That is why I have Unix users; that is all optimized for this type of stuff, and any default application works fine like this.
Mind you, that's *not* the same cert that the users use to connect to dovecot :-)
I was guessing that ;)