Hi,

I have been using Postfix with Dovecot (lmtp/imaps) for a few years now for
5 domains with the virtual domains setup and self-signed certificates using
OpenSSL 1.0.x. For spam/virus protection I use Postscreen, SpamAssassin and
ClamAV; I also use py-spfpolicyd, OpenDMARC, OpenDKIM and ClamAV.

Now I wish to move onto a postmulti setup with separate instances for
incoming, outgoing, and a null-client per domain. So that would mean 15
instances of Postfix in total under postmulti. Not sure if I should do
this, but I would also like to have another setup that only sends/receives
email within or between our own domains. This is nice to have, but not
necessary.

I have a single server with two physical NICs to do this. I am migrating
from self-signed certificates to individual Let's Encrypt certificates per
domain and OpenSSL 1.0.x to 1.1.x (i.e. TLS 1.2 to TLS 1.3). I plan to use
one physical NIC for LAN and the other for WAN with IP aliases for each
Postfix instance.

So my questions are:
1. Will I have to use separate ports for each instance as I am planning to
use IP aliases? I guess I will have to. If that would be the case, then I
guess the ports need to be configured in master.cf for each instance.
2. I believe a single Dovecot instance and
spam/opendmarc/opendkim/spf/clamav milter instances should still be able to
serve all the Postfix instances. Am I right in thinking so?
3. I guess I should be fine using the same user db by just removing the
virtual domains from each Postfix instance's main.cf and setting
virtual_domain to the relevant domain.
4. I am thinking of replacing SpamAssassin with Rspamd or simply not using
either of them at all, i.e. use Postscreen only. What has your experience
been here?
5. Is Dovecot still the best lmtp/imaps option for Postfix? If I am not
mistaken Postfix has its own lmtp now... I thought I read so somewhere,
cannot remember... maybe I am wrong.
6. Does Postfix support Redis or similar databases?
7. I have not read much on DANE, but my DNS supports DNSSEC. Would you
recommend setting up DANE?
8. Would you suggest any better architecture to what I wish to achieve?
Maybe I could have just one null client for all domains... or anything else.

Phew.. too many questions I guess :-) Thanks in advance. Looking forward to
your responses.

Best regards,

Nitin
