> On Jun 2, 2019, at 8:10 AM, Wietse Venema <wie...@porcupine.org> wrote:
>
>> Assuming I want to go the safer older way of using stock RPMs from the
>> distribution (CentOS in this case) and use two different IPs for the
>> postfix instance - then ideally while sending outgoing mail I have to
>> ensure that the mails go out from the respective IP of that domain
>> right.
>
> If you can use separate IP addresses, then you do not need SNI.
And there's no need to restrict outbound traffic to separate IPs:

    ; DNS data from various zone files
    ;
    mail.primary.example.        IN A    192.0.2.1
    mail.primary.example.        IN A    192.0.2.2
    1.2.0.192.in-addr.arpa.      IN PTR  mail.primary.example.
    2.2.0.192.in-addr.arpa.      IN PTR  mail.primary.example.
    ;
    ; Ideally, just use mail.primary.example as the MX host
    ; for all the domains!  Per-domain MX host names are
    ; more trouble than they're worth!  Then just get a
    ; certificate for mail.primary.example. and be done.
    ;
    virtual1.example.            IN MX   10 mail.virtual1.example.
    mail.virtual1.example.       IN A    192.0.2.1
    ;
    ; See above
    ;
    virtual2.example.            IN MX   10 mail.virtual2.example.
    mail.virtual2.example.       IN A    192.0.2.2

but, if you must have per-domain MX hosts, you can still have a single
certificate for all the names, and avoid SNI.

But, if for some unexpectedly compelling reason you MUST have separate
certificates, then go ahead, but use a single underlying hostname as
"smtp_helo_name = $myhostname", and map the PTRs for both IPs to that
name, just in case some anti-abuse systems get very picky and want your
HELO name to match the PTR.

Splitting the outbound traffic is a lot more work, since then you need
two separate Postfix instances each with its own smtp_bind_address,
rather than just two separate entries in master.cf for inbound traffic,
if a single outbound "personality" is enough.

Google and Microsoft deliver outbound mail for hundreds of thousands of
domains from a common pool of outbound names.  Nobody seems to mind.

-- 
Viktor.
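The layout Viktor describes has a few invariants worth checking before going live: every outbound IP has a PTR that maps back to the single HELO name, the HELO name's A records cover those IPs, each per-domain MX target lands on one of the server's own addresses, and the single certificate covers the HELO name plus every MX target. The script below is an added example written for this thread, not Postfix code or anything from the list; it parses a small constructed zone snippet modelled on the one above (the ZONE_DATA string, the function names and the 10 MX preference are all assumptions) and reports any record that breaks those invariants.

```python
"""Consistency check for the single-HELO-name / multi-IP layout.

Parses A, PTR and MX records from zone-file text and verifies that the
outbound IPs, the HELO name, the PTRs and the MX targets all line up.
"""
from collections import defaultdict

# Constructed sample modelled on the post's zone snippet (not real zones).
ZONE_DATA = """
; forward records for the single outbound identity
mail.primary.example.        IN A    192.0.2.1
mail.primary.example.        IN A    192.0.2.2
; both PTRs map back to the HELO name
1.2.0.192.in-addr.arpa.      IN PTR  mail.primary.example.
2.2.0.192.in-addr.arpa.      IN PTR  mail.primary.example.
; per-domain MX hosts, each on one of the server's IPs
virtual1.example.            IN MX   10 mail.virtual1.example.
mail.virtual1.example.       IN A    192.0.2.1
virtual2.example.            IN MX   10 mail.virtual2.example.
mail.virtual2.example.       IN A    192.0.2.2
"""


def parse_zone(text):
    """Return {'A': {name: {ip}}, 'PTR': {ip: name}, 'MX': {domain: [target]}}."""
    records = {"A": defaultdict(set), "PTR": {}, "MX": defaultdict(list)}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # strip zone-file comments
        if not line:
            continue
        fields = line.split()
        name, rtype = fields[0].lower(), fields[2].upper()
        if rtype == "A":
            records["A"][name].add(fields[3])
        elif rtype == "PTR":
            # 1.2.0.192.in-addr.arpa. -> 192.0.2.1
            octets = name.removesuffix(".in-addr.arpa.").split(".")
            records["PTR"][".".join(reversed(octets))] = fields[3].lower()
        elif rtype == "MX":
            records["MX"][name].append(fields[4].lower())   # skip preference
    return records


def _fqdn(name):
    return name.lower().rstrip(".") + "."


def check_outbound_identity(records, helo_name, outbound_ips):
    """Return a list of problems; an empty list means the layout is consistent."""
    helo = _fqdn(helo_name)
    problems = []
    helo_ips = records["A"].get(helo, set())
    for ip in outbound_ips:
        if ip not in helo_ips:
            problems.append(f"{helo} has no A record for outbound IP {ip}")
        ptr = records["PTR"].get(ip)
        if ptr != helo:
            problems.append(f"PTR for {ip} is {ptr!r}, expected {helo}")
    # Per-domain MX targets must still sit on one of the server's own IPs.
    for domain, targets in records["MX"].items():
        for target in targets:
            if not records["A"].get(target, set()) & set(outbound_ips):
                problems.append(f"MX target {target} for {domain} is on none of {outbound_ips}")
    return problems


def names_for_certificate(records, helo_name):
    """Every name the one shared certificate has to cover: HELO name + MX targets."""
    names = {_fqdn(helo_name)}
    for targets in records["MX"].values():
        names.update(targets)
    return sorted(names)


if __name__ == "__main__":
    recs = parse_zone(ZONE_DATA)
    for problem in check_outbound_identity(recs, "mail.primary.example",
                                           ["192.0.2.1", "192.0.2.2"]) or ["OK"]:
        print(problem)
    print("certificate must cover:", ", ".join(names_for_certificate(recs, "mail.primary.example")))
```

Running it against the sample prints `OK` and lists the three names the shared certificate needs; pointing one of the PTRs at a per-domain MX name instead produces a report for that IP, which is exactly the mismatch picky receivers complain about.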