I was originally setting up for one hostname to which outgoing email would be sent. Now it looks like we have some internal users that cannot reach the firewall (because they are in a no-internet-access zone). It turns out, for them to get to the mail server, they have to address it as a different hostname, and that will need a different SSL certificate with a CN for that hostname, on a different IP address. Alternatively, I could juggle DNS around somehow so they can use the same hostname while reaching a different IP address. But I want to avoid doing that (and also avoid having them connect non-SSL even though it is internal ... we want all inter-zone traffic to be SSL).
So basically, I'm looking at running two instances of SMTPD, each on a different IP address, and each with a different SSL certificate (both being server certificates signed by an internal CA that users will import into their user agent CA cert collection). I see two approaches. One is just two daemons specified in master.cf. But I don't see how to give them each a different certificate. The other is a multi-instance Postfix. But I'm worried that a multi-instance setup might have problems with using the same set of domain names, and perhaps even problems with instantiating Dovecot being used to do the delivery (e.g. virtual transport). And to be clear, yes, I know there are possible solutions outside the scope of changing the Postfix setup. But I want to explore everything in depth before making that decision. And I want to limit this thread on this list to just exploring the Postfix aspect.
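For the first approach (two smtpd services in master.cf rather than a multi-instance setup), the per-service `-o` override is what selects a different certificate: each listener binds to its own address and overrides `smtpd_tls_cert_file` / `smtpd_tls_key_file` for that service only. The fragment below is an added illustration, not configuration from the original post or from the Postfix documentation; the addresses, hostnames, certificate paths and syslog names are placeholders.

```conf
# master.cf (added example; addresses and paths are placeholders)
#
# service          type private unpriv chroot wakeup maxproc command + args
# ---------------- ---- ------- ------ ------ ------ ------- --------------

# Listener on the external-facing address, presenting the certificate
# whose CN matches the public hostname.
192.0.2.10:smtp    inet n       -      n      -      -       smtpd
  -o syslog_name=postfix/external
  -o smtpd_tls_cert_file=/etc/postfix/tls/mail.example.com.crt
  -o smtpd_tls_key_file=/etc/postfix/tls/mail.example.com.key
  -o smtpd_tls_security_level=may

# Listener on the internal-zone address, presenting the certificate whose
# CN matches the internal hostname.  Inter-zone traffic is required to be
# TLS, so plaintext is refused here with security_level=encrypt.
10.0.0.10:smtp     inet n       -      n      -      -       smtpd
  -o syslog_name=postfix/internal
  -o smtpd_tls_cert_file=/etc/postfix/tls/mail.internal.example.crt
  -o smtpd_tls_key_file=/etc/postfix/tls/mail.internal.example.key
  -o smtpd_tls_security_level=encrypt

# main.cf (added example): both listener addresses must be covered by
# inet_interfaces or the master daemon will not bind to them.
#
#   inet_interfaces = 192.0.2.10, 10.0.0.10, 127.0.0.1
#   smtpd_tls_security_level = may
#   smtpd_tls_cert_file = /etc/postfix/tls/mail.example.com.crt
#   smtpd_tls_key_file  = /etc/postfix/tls/mail.example.com.key
```

Because both services run under the same main.cf, they share the same domain lists, transports and Dovecot delivery settings; only the parameters overridden with `-o` differ. The separate `syslog_name` values make it easy to confirm in the mail log which listener a given TLS handshake landed on.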