You should have one or more certificates containing the URLs actually used. So if you have an MX record with mail.example.com, you should have a certificate with mail.example.com in it. If your users type in imap.example.com in their mail client, you should have a certificate with imap.example.com in it. If your users type in smtp.example.com in their mail client, you should have a certificate with smtp.example.com in it.
This can be just one certificate covering all hostnames or you can use separate certificates. One for “web”, one for “email” for example. Really doesn’t matter actually…
Also: if all hostnames resolve to the same IP address, you could also just use mail.example.com for everything. In that case, your users would type mail.example.com in their IMAP configuration and would type in mail.example.com in their SMTP configuration too. Doesn’t really matter if everything is just the same IP address.
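
A way to check the rule described in the post above, as an added example that is not part of the original post: for each mail service it compares the hostname clients actually use with the DNS names in the certificate that service presents. The function names, the service table and the SAN lists are constructed for illustration.

```python
# Added example. All hostnames, certificate labels and SAN lists are constructed sample data.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a hostname.

    A wildcard is accepted only as the entire left-most label and stands in
    for exactly one label, so *.example.com covers mail.example.com but
    neither example.com nor a.mail.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (rejects "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def mismatches(services, certs):
    """Return (service, hostname, cert_label) for every service whose
    presented certificate does not contain the hostname clients use.

    services: list of (service, hostname_clients_use, cert_label)
    certs:    dict mapping cert_label -> list of DNS SAN entries
    """
    return [
        (svc, host, label)
        for svc, host, label in services
        if not any(san_matches(san, host) for san in certs[label])
    ]


# Clients use three different names, all served with the "email" certificate.
SERVICES = [
    ("mx", "mail.example.com", "email"),
    ("imap", "imap.example.com", "email"),
    ("smtp", "smtp.example.com", "email"),
]
# Separate certificates; the email one lists only the MX name.
CERTS_INCOMPLETE = {"web": ["www.example.com"], "email": ["mail.example.com"]}
# Email certificate listing every hostname in use.
CERTS_COMPLETE = {"web": ["www.example.com"],
                  "email": ["mail.example.com", "imap.example.com", "smtp.example.com"]}
# Alternative from the post: clients use mail.example.com for everything.
SERVICES_SINGLE = [(svc, "mail.example.com", "email") for svc in ("mx", "imap", "smtp")]

if __name__ == "__main__":
    for svc, host, label in mismatches(SERVICES, CERTS_INCOMPLETE):
        print(f"{svc}: {host} is not in certificate '{label}'")
```
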