When Postfix is the destination for multiple domains, does it need a TLS cert for every one of them, or just for the domain in $myhostname?
That is to say, are there SMTP clients out there who will check certs against the MX they used to look us up, or are they all smart enough to wait for the 220 response and/or do reverse DNS, and check against that?
Is it even possible to receive the 220 without checking the certificate first?
But otherwise, is it even possible for Postfix to know what cert the client wants?
EDIT: Even if they do reverse DNS, if clients are willing to accept MX addresses that resolve to arbitrary domains, isn't that trivial to MITM? Or is the solution to never use a vanity MX if I want TLS?