Apologies if 'jumping in'. The advice to use the MX record to 'redirect' email for client-domain.net to mail.server.com (for example) will work happily.
However (referring to the OP's use case), won't the client (say a Thunderbird user) be presented with the LE certificate for server.com and not one from his own "client-domain"? Such an appearance may cause confusion/distrust? (and perhaps it should!) Your thoughts? =dn -- Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
