Any news on this?
As far as I see it the only ways to do it without Zimbra introducing support (How about some S/MIME while we're at it) is to:
1. Deploy one proxy server per client - use their own certs - this is feasible for those doing it in the cloud or with virtualisation
2. Purchase one of those hardware SSL agregator/load balancer units....
We are looking at both. Unless we can get a virtual appliance for the second one to make networking easier - then we will go with #1.
Of course it is another instance to patch, 6 more GB of disk gone and what not. But it isn't too much of an issue - again if using vSphere or similar.