update: second draft of a solution:
Disabling install-certificate in the dovecot and postfix .service’s was not the way, because it is being triggered somewhere else.
So I decided to disable the install-certificate script itself by inserting an exit line at the top:
install_certificate_disabled=$( ssh $nethserver_ip 'sed -n '2p' /home/mail1/.config/bin/install-certificate' )
if [ -z "$install_certificate_disabled" ]; then
ssh $nethserver_ip 'sed -i "1 aexit 0" /home/mail1/.config/bin/install-certificate'
echo "disabled install-certificate script"
fi
so far my deployed certificate does not get overwritten…