using cnames as mx records isnt rfc complaint and i know some mailserver will reject sending mails to you or rejeckt mails from you - this just for the record
anyway there only few mailserver beeing that strict and for an hosting company its a commong thing using cname for mx records
i personally would not use mx entry like you do like
example.net = customer domain
zimbra.example.com = your zimbra host
(sorry i use example in both but those are the rfc complaint domainname for documentation
example.net - domain - currently as i understand your post
@ IN MX 10 zimbra.example.com.
Because if your customers want to use their own domain to login like
whatever.example.net - you have to set an additional host entry for that ip
instead i would use
example.net - domain
example.com - your primary domain outside DNS
@ IN MX 10 whatever.example.net.
whatever IN CNAME zimbra.example.com.
zimbra IN A external.ip.adress.
example.com - your primary domain INTERNAL DNS
zimbra IN A 192.168.0.222
In zimbra config you can simply add domains with
That way customers can use whatevertheywant.example.net as their own login without any additional dns config and you can still switch the external ip adresse pretty quickly
(make shure your primary external DNS entry has a very ultra low ttl that way you can switch within one minute or so)
i know its almost the same as your config but its a bit cleaner
you set only zimbra.example.com = external ip as reverse entry
No you dont need an external ip each domain - that would be supernonsense - even better its possible but pretty hard to let zimbra use multiple ips for multiple domains
and it doenst matter - in fact all you domains use your primary domain as mailserver / sender / reciever so to the outside you additional domains dont have their real own mail server they just use the primary
if a mail comes in it gets delivered to the primary domain - zimbra sort it out and delivers to the approbiate account -
when you send mails - sending domain is the additional but sending by is always primary
so its not nessesary having each additional domain an additional ip or ssl cert
however if you want to login by whatever.example.net without an security warning you need an ssl cert