Icing on the cake: Sprinkle a little Let's Encrypt in there to cover SSL. It doesn't take much to have a cron make a new cert and restart dovecot and postfix.
My setup is similar, but it uses MySQL instead of LDAP.
I love being able to make aliases and even better - deleting them when I'm done with them.
> Sprinkle a little Let's Encrypt in there to cover SSL.
Unfortunately most MTAs aren't configured to check the certificate chain, so they'll happily take any SSL cert they're handed and start chatting. MITM or downgrading is trivial.
There is an IETF draft (MTA-STS) from 2017 that should address this.
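To make the MTA-STS point concrete, here is an added example (not code from any commenter) that parses an MTA-STS policy in the RFC 8461 text format and decides whether delivery to a given MX host may proceed. It assumes the policy text has already been fetched over HTTPS from the domain's `mta-sts` host; the sample policy, the hostnames and the failure labels are constructed for illustration.

```python
"""Parse an MTA-STS policy (RFC 8461 text format) and check MX hosts against it.

Added example; the sample policy and hostnames below are constructed, not real.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of what https://mta-sts.<domain>/.well-known/mta-sts.txt
# might return. Keys are "key: value", one per line; "mx" may repeat.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""

# Same policy in "testing" mode: failures are reported, not enforced.
TESTING_POLICY = SAMPLE_POLICY.replace("mode: enforce", "mode: testing")

MAX_AGE_LIMIT = 31557600  # upper bound for max_age given in RFC 8461


@dataclass
class StsPolicy:
    version: str
    mode: str
    max_age: int
    mx: List[str] = field(default_factory=list)


def parse_policy(text: str) -> StsPolicy:
    """Parse policy text; raise ValueError on anything a sender must reject."""
    fields = {}
    mx_patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx_patterns.append(value.lower())
        elif key in fields:
            raise ValueError(f"duplicate key: {key}")
        else:
            fields[key] = value
    for required in ("version", "mode", "max_age"):
        if required not in fields:
            raise ValueError(f"missing required key: {required}")
    if fields["version"] != "STSv1":
        raise ValueError(f"unsupported version: {fields['version']}")
    mode = fields["mode"].lower()
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode: {mode}")
    max_age = int(fields["max_age"])
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age out of range: {max_age}")
    if mode != "none" and not mx_patterns:
        raise ValueError("at least one mx entry is required unless mode is none")
    return StsPolicy(fields["version"], mode, max_age, mx_patterns)


def mx_matches(pattern: str, host: str) -> bool:
    """A '*.' wildcard covers exactly one leftmost label; otherwise exact match."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".backup-mx.example.net"
        if not host.endswith(suffix):
            return False
        prefix = host[: -len(suffix)]
        return bool(prefix) and "." not in prefix
    return host == pattern


def allowed_mx(policy: StsPolicy, host: str) -> bool:
    return any(mx_matches(p, host) for p in policy.mx)


def delivery_decision(policy: StsPolicy, mx_host: str,
                      cert_valid: bool) -> Tuple[str, Optional[str]]:
    """Return (action, failure). In enforce mode a failure refuses delivery;
    in testing/none mode delivery proceeds but the failure should be reported.
    Failure labels here are constructed, not the RFC 8460 result types."""
    failure = None
    if not allowed_mx(policy, mx_host):
        failure = "mx-mismatch"
    elif not cert_valid:
        failure = "certificate-not-trusted"
    if failure and policy.mode == "enforce":
        return "refuse", failure
    return "deliver", failure


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for host, cert_ok in [("mail.example.com", True),
                          ("mx1.backup-mx.example.net", False),
                          ("rogue.example.org", True)]:
        print(host, "->", delivery_decision(policy, host, cert_ok))
```

The `cert_valid` flag stands in for the WebPKI check the sending MTA must perform (chain to a trusted root plus a name match against the MX host); MTA-STS only helps if that check is actually switched on, which is the gap the comment above describes.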
While I share your ECC preference, for today I see no reason to refuse free, reasonably secure LE support by default. ECDSA signing with LE's RSA intermediates has been supported since Feb 2016, and a full ECDSA cert chain will be added in July 2018 [1].
Any reasonably modern x86_64 CPU can do more than 1000 RSA2048 signs (~ TLS handshakes) a second, per core. Performance considerations really aren't a good reason to not use RSA for TLS KEX.