I need some guidance on how to configure SSL certs in a multi-server, multi-domain environment.

I have 1 LDAP, 1 MTA and 2 mailstore servers. The nginx proxy sits on the MTA. All the servers have ugly functional names like "zmmta1.mydomain.com," but each of the domains in Zimbra is configured with a friendly service name like "mail.companydomain.com" along with a matching commercial SSL certificate.

So for webmail, IMAP, POP, ActiveSync, etc. (anything fronted by nginx) the users can just use 'mail.companydomain.com' because nginx holds and serves the proper SSL certificate, and then proxies to the ugly backend server names as appropriate.

However, nginx doesn't proxy SMTP. This means that when configuring an IMAP client, the IMAPS hostname can be "mail.companydomain.com" and I get no complaint, but if the user tries that same hostname for outbound SMTP (SSL) they get a certificate error saying that the certificate name 1) doesn't match; 2) is self-signed. That's because Postfix on the MTA host is serving up a self-signed cert for "zmmta1.mydomain.com".

It seems wrong to me that the architecture is in place inside Zimbra to allow multiple domains, each with its own SSL certificate, but SMTP is somehow overlooked. What am I missing? How do others handle this? Or is my configuration just broken?
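The quickest way to confirm the situation the post describes is to do what the mail client does: a verified TLS handshake against the friendly name on the IMAPS port that nginx serves and on the SMTP ports that Postfix serves, and compare what comes back. The script below is an added example, not code from the post or from Zimbra. It assumes Python 3.7 or later (for `ssl.SSLCertVerificationError.verify_message`), the standard ports 993, 465 and 587, and the hostname `mail.companydomain.com` from the question as a stand-in; the names and ports are assumptions to edit. On a verification failure it records OpenSSL's reason and then re-handshakes without verification purely to fingerprint the certificate, so a self-signed Postfix certificate shows up next to the commercial one on 993.

```python
"""Compare the certificate each Zimbra-facing port actually presents.

A mail client verifies the chain against the system trust store and then
checks the hostname, so the probe does the same: a verified handshake to
the IMAPS port (served by nginx) and to the SMTP ports (served by Postfix).
"""
import hashlib
import smtplib
import socket
import ssl

# Assumption: the friendly service name from the question; change as needed.
HOST = "mail.companydomain.com"
# (label, port, use STARTTLS) for the services the question compares (assumed ports).
TARGETS = (
    ("IMAPS via nginx", 993, False),
    ("SMTPS via Postfix", 465, False),
    ("Submission STARTTLS via Postfix", 587, True),
)


def cert_names(cert):
    """DNS names a getpeercert()-style dict claims: SANs first, then subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names


def name_matches(pattern, host):
    """Match a certificate name against a hostname; '*' only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in pattern[2:]:
        # The wildcard covers exactly one label: *.example.com matches mail.example.com only.
        return host.split(".", 1)[1:] == [pattern[2:]]
    return False


def analyze(cert, expected_host):
    """Summarise what a mail client would complain about for this certificate."""
    names = cert_names(cert)
    return {
        "names": names,
        "matches_host": any(name_matches(n, expected_host) for n in names),
        # A certificate whose issuer equals its subject is self-signed.
        "self_signed": cert.get("subject") == cert.get("issuer"),
    }


def _handshake(host, port, starttls, ctx, timeout):
    """Negotiate TLS (implicit or via STARTTLS) and return (peer cert dict, peer cert DER)."""
    if starttls:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        try:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert(), smtp.sock.getpeercert(binary_form=True)
        finally:
            smtp.close()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def fetch_cert(host, port, starttls, timeout=10):
    """Verified handshake like a mail client; returns (cert_dict, sha256_fingerprint, reason).

    cert_dict is None and reason is OpenSSL's verify message (for example
    'self-signed certificate' or 'Hostname mismatch, certificate is not valid for ...')
    when client-style verification fails.
    """
    strict = ssl.create_default_context()
    try:
        cert, der = _handshake(host, port, starttls, strict, timeout)
        return cert, hashlib.sha256(der).hexdigest(), None
    except ssl.SSLCertVerificationError as exc:
        reason = exc.verify_message
    # Verification failed: fetch the offered certificate anyway, only to fingerprint it.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    _, der = _handshake(host, port, starttls, lax, timeout)
    return None, hashlib.sha256(der).hexdigest(), reason


def report(host=HOST, targets=TARGETS):
    """One line per port: verdict, certificate names and fingerprint prefix."""
    lines = []
    for label, port, starttls in targets:
        cert, fingerprint, reason = fetch_cert(host, port, starttls)
        if cert is None:
            verdict = f"REJECTED: {reason}"
        else:
            info = analyze(cert, host)
            verdict = "OK" if info["matches_host"] and not info["self_signed"] else "SUSPECT"
            verdict += f" names={info['names']}"
        lines.append(f"{label:34} {host}:{port}  {verdict}  sha256={fingerprint[:16]}...")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it from a workstation that can reach the mail host. In the configuration the question describes, the 993 line should verify cleanly with the commercial certificate's names, while 465 and 587 should come back REJECTED with a different fingerprint, which is the Postfix certificate rather than the one nginx serves. Note that OpenSSL reports one failure at a time: a self-signed certificate is rejected at chain validation before the hostname is ever compared, so "self-signed certificate" is the reason you will see first.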