Use dehydrated to request certificates for httpd and dirsrv. Use ipa-dns-hook or a similar hook for the dns-01 challenge. Install those certificates into those services. Maybe look at Public Key Pinning for httpd.
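Added here as a worked example of the first item (not dehydrated's, FreeIPA's or ipa-dns-hook's own code): a dehydrated hook that answers the dns-01 challenge by adding and removing the _acme-challenge TXT record through the ipa CLI, waits until the record is actually served, and then installs the issued certificate into httpd and dirsrv. The hook actions and their argument order are dehydrated's documented ones; the zone, keytab, principal and the use of ipa-server-certinstall with -w/-d/--pin are assumptions to adjust for the deployment.

```shell
#!/bin/sh
# dehydrated hook for the plan above: dns-01 via FreeIPA-managed DNS, then
# install the issued certificate into httpd and dirsrv on the IPA server.
# Example written for these notes; not dehydrated's, FreeIPA's or any
# ipa-dns-hook project's code. The zone, keytab and principal below are
# hypothetical defaults; override them through the environment.
set -eu

IPA_DNS_ZONE="${IPA_DNS_ZONE:-example.com}"
ACME_KEYTAB="${ACME_KEYTAB:-/etc/dehydrated/acme-dns.keytab}"
ACME_PRINCIPAL="${ACME_PRINCIPAL:-acme-dns/ipa1.example.com}"

# Turn a certificate name into the record label inside the IPA zone:
#   acme_label ipa1.example.com example.com  ->  _acme-challenge.ipa1
# The zone apex itself yields a bare _acme-challenge; anything outside
# the zone is rejected rather than silently written somewhere else.
acme_label() {
    domain=$1
    zone=$2
    case "$domain" in
        "$zone")   printf '_acme-challenge\n' ;;
        *."$zone") printf '_acme-challenge.%s\n' "${domain%".$zone"}" ;;
        *) printf 'acme_label: %s is not under zone %s\n' "$domain" "$zone" >&2
           return 1 ;;
    esac
}

# Non-interactive Kerberos ticket for a principal that may edit the zone
# (assumed to have been granted that right in IPA beforehand).
ipa_login() {
    kinit -kt "$ACME_KEYTAB" "$ACME_PRINCIPAL"
}

# Poll until the TXT record is answered, so the CA's validation does not
# race the LDAP-to-DNS update; give up after about 2.5 minutes.
wait_for_txt() {
    name=$1
    value=$2
    tries=0
    while [ "$tries" -lt 30 ]; do
        if dig +short TXT "$name" 2>/dev/null | grep -Fq "\"$value\""; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 5
    done
    echo "wait_for_txt: $name not visible after $tries tries" >&2
    return 1
}

# dehydrated calls: deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
    label=$(acme_label "$1" "$IPA_DNS_ZONE")
    ipa_login
    ipa dnsrecord-add "$IPA_DNS_ZONE" "$label" --txt-rec="$3"
    wait_for_txt "$label.$IPA_DNS_ZONE" "$3"
}

# dehydrated calls: clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
clean_challenge() {
    label=$(acme_label "$1" "$IPA_DNS_ZONE")
    ipa_login
    ipa dnsrecord-del "$IPA_DNS_ZONE" "$label" --txt-rec="$3"
}

# dehydrated calls: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# ipa-server-certinstall replaces the httpd (-w) and dirsrv (-d) certificates
# from a PEM cert/key pair; --pin='' because dehydrated's key is unencrypted
# (assumed FreeIPA 4.x CLI). ipactl restart makes both services reload it.
deploy_cert() {
    ipa-server-certinstall -w -d --pin='' "$4" "$2"
    ipactl restart
}

# Dispatch on the action dehydrated passes; every other action
# (startup_hook, exit_hook, unchanged_cert, ...) is a no-op here.
case "${1:-}" in
    deploy_challenge|clean_challenge|deploy_cert)
        action=$1
        shift
        "$action" "$@" ;;
    *) : ;;
esac
```

Point dehydrated at it with CHALLENGETYPE="dns-01" and HOOK=/path/to/this/script in its config. Two things to check before the first run: the principal in ACME_PRINCIPAL must be allowed to edit the zone (a DNS permission in IPA, not just a valid keytab), and the issuing CA's chain has to be in IPA's trust store (ipa-cacert-manage install followed by ipa-certupdate) or dirsrv will refuse the new certificate.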
Configure a replica VM, with Ansible applying all the changes I have done manually to ipa0. Figure out how to run this at home (NAT hairpin, IPv6 tunnel, etc.).
Bring up ipa1 with same Ansible playbook, then decommission ipa0.
Have dovecot/exim authenticate against FreeIPA via LDAP (search for a user in the mailusers group with a matching mail attribute, and then try to bind as that user?).
Allow mailadmins to modify membership of mailusers group, and modify the mail attribute of users within that group.
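Added here as a worked example of the two mail items above (the LDAP search-then-bind and the mailadmins delegation), not dovecot's or FreeIPA's own code: it renders a dovecot-ldap.conf.ext whose pass_filter only matches a mailusers member with that mail attribute and then lets dovecot bind as that user, and it builds the IPA permission/privilege/role chain that gives mailadmins exactly the two rights the item names. The base DN, host, group names and the uid=dovecot system account are assumptions; the ipa subcommands and options are FreeIPA 4.x's, and DRY_RUN prints the commands so the delegation can be reviewed before it is applied.

```shell
#!/bin/sh
# Mail-side integration for the two items above: a dovecot LDAP passdb that
# finds a mailusers member by mail attribute and then binds as that user, and
# the IPA RBAC chain that lets mailadmins manage mailusers and their mail
# attribute. Example written for these notes, not dovecot's or FreeIPA's own
# code. Base DN, host, group names and the dovecot system account are
# hypothetical; set them through the environment.
set -eu

IPA_BASE_DN="${IPA_BASE_DN:-dc=example,dc=com}"
IPA_HOST="${IPA_HOST:-ipa1.example.com}"
MAIL_GROUP="${MAIL_GROUP:-mailusers}"
MAIL_ADMIN_GROUP="${MAIL_ADMIN_GROUP:-mailadmins}"

# DN of an IPA user group: cn=<name>,cn=groups,cn=accounts,<base>
group_dn() {
    printf 'cn=%s,cn=groups,cn=accounts,%s\n' "$1" "$IPA_BASE_DN"
}

# dovecot-ldap.conf.ext. With auth_bind = yes dovecot runs pass_filter using
# the system account, then binds as the DN it found with the client's
# password, so it never reads password hashes. %u is the login name (the
# mail address); the filter only matches a user with that mail attribute who
# is a member of the mail group. memberOf is not readable anonymously in a
# default IPA install, hence the dedicated system account for the search.
render_dovecot_ldap_conf() {
    cat <<EOF
uris = ldaps://$IPA_HOST
tls_ca_cert_file = /etc/ipa/ca.crt
tls_require_cert = hard
dn = uid=dovecot,cn=sysaccounts,cn=etc,$IPA_BASE_DN
dnpass = REPLACE-WITH-SYSACCOUNT-PASSWORD
auth_bind = yes
base = cn=users,cn=accounts,$IPA_BASE_DN
scope = onelevel
pass_filter = (&(objectClass=posixAccount)(mail=%u)(memberOf=$(group_dn "$MAIL_GROUP")))
pass_attrs = uid=user
user_filter = (&(objectClass=posixAccount)(mail=%u))
user_attrs = uidNumber=uid,gidNumber=gid,homeDirectory=home
EOF
}

# Print the command instead of running it when DRY_RUN is set, so the
# delegation can be reviewed without a ticket or an IPA server.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Two narrow permissions, wrapped in a privilege and a role, assigned to the
# admin group: write member on the mailusers group object, and write mail
# on users that are members of mailusers. Nothing else is delegated.
setup_mail_admin_rbac() {
    run ipa permission-add "Manage $MAIL_GROUP membership" \
        --right=write --attrs=member --targetgroup="$MAIL_GROUP"
    run ipa permission-add "Modify mail of $MAIL_GROUP members" \
        --right=write --type=user --attrs=mail --memberof="$MAIL_GROUP"
    run ipa privilege-add "Mail Administrators" \
        --desc="Manage $MAIL_GROUP membership and mail addresses"
    run ipa privilege-add-permission "Mail Administrators" \
        --permissions="Manage $MAIL_GROUP membership" \
        --permissions="Modify mail of $MAIL_GROUP members"
    run ipa role-add "Mail Administrator" --desc="Delegated mail administration"
    run ipa role-add-privilege "Mail Administrator" --privileges="Mail Administrators"
    run ipa role-add-member "Mail Administrator" --groups="$MAIL_ADMIN_GROUP"
}

# render: print the dovecot config; plan: show the ipa commands; apply: run them.
case "${1:-}" in
    render) render_dovecot_ldap_conf ;;
    plan)   (DRY_RUN=1; setup_mail_admin_rbac) ;;
    apply)  setup_mail_admin_rbac ;;
    *) : ;;
esac
```

Run it with render to write the dovecot fragment and with plan to read the seven ipa commands before apply. Because the mail permission is scoped with --memberof, a mailadmin can only change the mail attribute of users who are already in mailusers; the membership permission is what lets them put a user there in the first place, so both are needed for the workflow the item describes.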
Maybe have dovecot/exim support Kerberos authentication as well?