

+1 for the Let's Encrypt wildcard with DNS verification, been using this for years. With dehydrated (https://github.com/dehydrated-io/dehydrated) you can automate renewing the certs, pretty convenient.
One thing I didn’t see mentioned yet - you can also easily create a wildcard for a subdomain of your domain, e.g. *.local.example.com.
Most DNS providers let you define something like _acme-challenge.local IN TXT ... so you don’t even need to define an extra zone for local.example.com.
Probably makes no big difference, but I like it ^^
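
The record naming described in the comment above, as an added example (not part of the original comment and not dehydrated's code): it derives the dns-01 owner name for a wildcard under a subdomain, relative to the parent zone, and the TXT value as defined in RFC 8555 section 8.4. The function names are hypothetical, and the token and account-key thumbprint are constructed sample values.

```python
import base64
import hashlib

LABEL = "_acme-challenge"


def challenge_fqdn(identifier: str) -> str:
    """Validation name for a certificate identifier: the "*." of a wildcard
    is dropped before the _acme-challenge label is prepended."""
    name = identifier.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not name or "*" in name:
        raise ValueError(f"not a valid identifier: {identifier!r}")
    return f"{LABEL}.{name}"


def relative_owner(identifier: str, zone: str) -> str:
    """Owner name as entered in the parent zone, e.g. _acme-challenge.local."""
    fqdn = challenge_fqdn(identifier)
    zone = zone.lower().strip(".")
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{identifier!r} is not inside zone {zone!r}")
    return fqdn[: -len(zone) - 1]


def txt_value(token: str, thumbprint: str) -> str:
    """base64url(SHA-256(token "." thumbprint)) without padding."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def zone_line(identifier: str, zone: str, token: str, thumbprint: str) -> str:
    """One record line in the style quoted in the comment."""
    owner = relative_owner(identifier, zone)
    return f'{owner} IN TXT "{txt_value(token, thumbprint)}"'


if __name__ == "__main__":
    # Constructed sample values, not real ACME data.
    TOKEN = "constructed-sample-token"
    THUMBPRINT = "constructed-sample-thumbprint"
    for ident in ("*.local.example.com", "local.example.com"):
        print(ident, "->", zone_line(ident, "example.com", TOKEN, THUMBPRINT))
```

The wildcard and the bare subdomain validate at the same owner name, so a certificate covering both needs two TXT values published under `_acme-challenge.local` at the same time.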
Shout-out to mailcow-dockerized, a GPL-3 licensed setup of postfix/dovecot etc with sogo as webmail. Managed by a German IT company, I’ve been running it in production for more than a year, serving a handful of domains. Very happy with it.
https://mailcow.email/
https://github.com/mailcow/mailcow-dockerized
Oh, and they’re on mastodon as well: https://mailcow.social/@doncow