On Wed, Mar 30, 2011 at 09:37:31PM -0700, dchil...@bestmail.us wrote:

> I plan to host mail for 3 domains,
> 
>   mynet1.net
>   mynet2.net
>   mynet3.net
> 
> and have SSL certs for each domain.

Sorry, not possible to have "SSL certs for each domain". You can have one
cert that lists all three domains as subjectAlternativeName DNS values.
Three separate certs are not possible since the TLS handshake completes
before the server knows which domain the client has in mind. And even
if SNI is someday ubiquitous in SMTP clients, with SMTP it is rather
non-trivial for the client to know which domain to request...

> (2) negotiate TLS/SSL correctly for each accepting domain


> (4)
>       (a) if the Zimbra server is accessible,
>               deliver/forward accepted mail to Zimbra's postfix on my
>               LAN for further processing and IMAP storage

Good.

>       (b) if the Zimbra server is offline,
>               store/queue the messages locally on the hosted server
>               for later delivery a.s.a.p.

Postfix queues mail by default when the destination is down.

> -- should I run ONE or TWO instances of postfix on the Hosted Server?

See http://www.postfix.org/MULTI_INSTANCE_README.html. If the features
are to your liking run a pre and post filter instance. There is little
point in running a separate front-end instance for each domain, unless
their anti-spam or other access policies are radically different. Running
an instance for each domain you own does not scale too well.

Instances should be split by function, not domain namespace.

> -- with my A/PTR records != the hosted mail domains, how do I ensure the
> right TLS/SSL cert gets presented for a given domain?

You can't.

> -- how, exactly, do I setup the store/forward capability?  Custom
> scripts? POP servers? other?

Just let the mail sit in the Postfix queue. The domains will be
"relay" domains, and the transport table will direct the traffic
to the final destination.

    http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to

-- 
        Viktor.
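
The relay-domain setup described in the reply above, written out as an added example that is not part of the original thread or of the Postfix documentation. The hostnames (mx.example.net, zimbra.lan), file paths and the choice to reject unknown recipients up front are assumptions; the three mynet*.net domains are the poster's.

```conf
# /etc/postfix/main.cf on the hosted front-end MX (added example).
# Hostnames, paths and the relay_recipient_maps choice are assumptions.
myhostname = mx.example.net

# The three domains are "relay" domains: accepted here, never stored in a
# local mailbox, queued and forwarded to Zimbra by the transport table.
relay_domains = mynet1.net, mynet2.net, mynet3.net
transport_maps = hash:/etc/postfix/transport

# Caveat (not in the original reply): without a recipient list the front end
# accepts mail for non-existent users and later bounces it (backscatter).
# List valid addresses here, or use reject_unverified_recipient.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Store-and-forward needs no extra software: when zimbra.lan is unreachable,
# mail stays in the deferred queue and is retried until this limit (5d is
# the Postfix default, shown explicitly).
maximal_queue_lifetime = 5d

# One server certificate whose subjectAltName lists mynet1.net, mynet2.net
# and mynet3.net as DNS names. Every client gets this same certificate;
# the handshake finishes before Postfix knows which domain is meant.
smtpd_tls_cert_file      = /etc/postfix/mx.pem
smtpd_tls_key_file       = /etc/postfix/mx.key
smtpd_tls_security_level = may

# /etc/postfix/transport (indexed with "postmap /etc/postfix/transport").
# The brackets suppress MX lookup; the hostname must match the LAN box.
mynet1.net    smtp:[zimbra.lan]:25
mynet2.net    smtp:[zimbra.lan]:25
mynet3.net    smtp:[zimbra.lan]:25
```

After editing, run `postmap` on each hash: table and `postfix reload`. `postqueue -p` shows what is waiting for Zimbra while it is offline, and `postqueue -f` flushes the deferred queue once it is back.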
