> The advice to use the MX record to 'redirect' email for client-domain.net to
> mail.server.com (for example) will work happily.
>
> However (referring to the OP's use case), won't the client (say a
> Thunderbird user) be presented with the LE certificate for server.com and
> not one from his own "client-domain"?
I don't think so. When following the MX record, the client will know that to send mail to client-domain.net it should contact mail.server.com, and doing so it will receive the certificate of mail.server.com, and the certificate will correspond to the machine the client is contacting, and all should be nice and shiny. The certificate should match the server you are connected to, independently of the final mail recipient.

In fact, all my clients are forced to use my mail gateway, and doing so, they are presented with the certificate of my mail gateway, whoever they are sending a mail to.

Best regards,
Olivier
--
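An added worked example of the point made in this thread (it is not code from either poster): the name a TLS client has to verify is the host it actually connects to, i.e. the MX host (or the configured gateway), never the recipient's domain. The MX table, hostnames and certificate SAN lists below are constructed for illustration; `check_mx_tls` does a real STARTTLS handshake with Python's standard `smtplib`/`ssl` and lets the default context verify the certificate against the MX host name, so it only runs against a live server you choose.

```python
"""Which name must an SMTP TLS certificate match when mail is routed via MX?

Added example for this thread, not the posters' code. Names below are
constructed; only check_mx_tls() talks to the network, and only on request.
"""
import smtplib
import ssl

# Constructed stand-in for a DNS MX lookup (assumption: these records are
# fictional and exist only in this example).
FAKE_MX = {
    "client-domain.net": ["mail.server.com"],
}


def mx_hosts(recipient_domain, mx_table=FAKE_MX):
    """Return the MX hosts mail for recipient_domain is delivered to.

    A domain with no MX record falls back to the domain itself (the
    'implicit MX' rule of RFC 5321 section 5.1).
    """
    return list(mx_table.get(recipient_domain, [recipient_domain]))


def name_matches(pattern, hostname):
    """RFC 6125 style dNSName comparison.

    Case-insensitive; '*' is accepted only as the entire leftmost label and
    matches exactly one label. A bare '*.tld' is rejected as a crude guard
    against wildcards covering a whole public suffix.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def cert_matches(san_dns_names, hostname):
    """True if any dNSName in the certificate's SAN covers hostname."""
    return any(name_matches(p, hostname) for p in san_dns_names)


def verify_delivery_path(recipient_domain, san_by_host, mx_table=FAKE_MX):
    """For each MX host of recipient_domain, report whether the certificate
    that host presents (san_by_host[host], a constructed SAN list) is valid
    for *that host*. The recipient domain plays no part in the comparison,
    which is the point Olivier makes above.
    """
    return {
        host: cert_matches(san_by_host.get(host, []), host)
        for host in mx_hosts(recipient_domain, mx_table)
    }


def check_mx_tls(mx_host, port=25, timeout=10):
    """Live check (not used by the offline demo): STARTTLS to mx_host and let
    the default context verify the chain and hostname against mx_host, the
    server we are connected to. smtplib passes the connect host as
    server_hostname, so verification is against the MX name, not the
    recipient domain. Returns the dNSName SANs the server presented.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)  # raises ssl.SSLCertVerificationError on mismatch
        cert = smtp.sock.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    import sys

    domain = sys.argv[1] if len(sys.argv) > 1 else "client-domain.net"
    # Constructed: the MX host holds a certificate for its own name only.
    presented = {"mail.server.com": ["mail.server.com"]}
    for host, ok in verify_delivery_path(domain, presented).items():
        print(f"{domain} -> MX {host}: cert valid for {host!r}: {ok}; "
              f"valid for {domain!r}: {cert_matches(presented.get(host, []), domain)}")
    if len(sys.argv) > 2:  # optional live probe of a real MX host you operate
        print("live SANs:", check_mx_tls(sys.argv[2]))
```

Run without arguments it reports that a certificate for mail.server.com passes for the MX host and fails for client-domain.net, which is exactly what a correctly behaving client wants. The same rule applies to a configured submission gateway as in Olivier's setup: the client verifies the gateway's name because that is the socket it opened.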