Where to use DNS aliases/CNAMEs?

[notpeter]

Hi, I'm in the process of building out a multi-server installation and had a couple questions about naming.

Specifically I have the following hosted seperately.
Mailstore, MTA, LDAP, Proxy

I'd like to iron out names now befoe I get much further. Here are the CNAMEs I'd like to use:

mail.dept.uni.edu (POP, IMAP)
send.dept.uni.edu (SMTP)
ldap.dept.uni.edu (LDAP)

I'm concerned about making sure URLs don't change even if the backend server configurations slide/grow. Basically I'd like to hide the name of my mailstores from the users among other things. Should I have a seperate CNAME for http(s) connections to the mail server? Is the http/https reverse proxy stable enough for production use?

Is there a way I can force the mailstore to generate URLs which are the alias names (and thus proxied)? At the moment urls the mailstore shows (when defining new shares, etc) is its own (non-aliased) name. Is there a way I can force the mailstore to generate URLs which are the alias names (and thus perhaps proxied)?

Currently I'm planning on buying two commercial SSL certificates (mail.dept.uni.edu and send.dept.uni.edu). I'd like to use Mail.dept.uni.edu for proxied IMAP/POP/HTTP(s), but not if I can't get the backend server to generate public friendly urls. Is there any advantage to buying a third cert for https on the mailstore itself (zimbra.dept.uni.edu or whatever)?

Each host has a FQDN of it's own, but will I have any trouble if tell Zimbra its hostname is something that's actually a CNAME? (tell zimbra the server is send.dept.uni.edu instead of internalname.dept.uni.edu instead?)

[Bill Brock]

Section 10.3 of RFC 2181 states you should not use cnames when resolving an MX record.

[notpeter]

Section 10.3 of RFC 2181 states you should not use cnames when resolving an MX record.

Sorry, I should've been more explicit. My MX records should be fine. They are off of dept.uni.edu and point to the zimbra MTAs directly (no CNAMEs). The send.dept.uni.edu is only for client secure SMTP access.

Anyone know if there's a similar reasons for/against giving zimbra a CNAME which points to, rather than a name with an A record?

Is there a way to tell Zimbra: "this is the FQDN of the server you're on. But use 'cname.dept.uni.edu' for all client facing communication?" Or should I just tell zimbra the CNAME.

[whetu]

My understanding is that so long as the Zimbra server can resolve the IP, it should be happy (or tricked; unknowingly delivering to itself)

The only issue then is certificates for secure connections. To mitigate annoying cert warnings (especially with Firefox 3 users) you'll probably want to use subjectaltnames, e.g.
[SOLVED] No SubjectAltname in Commercial Certificate request (FOSS 5.0.1)