Looking for an checklist for an "small company freebsd/jail server".

Having pretty common starting point:

• FreeBSD jail (remote/headless) for the company:
  • public web, email, ftp server, and
  • private (maybe in the future partially public) wiki (foswiki)
• 4 physical persons, (6 email addresses) + one admin - others will never use ssh)
• have already done usual hardening on the host side (like pf, sshguard etc).
• my major components are: dovecot, exim, apache22, proftpd, perl5.14.

Looking for an checklist, what I shouldn't forget. My plan:

• openssl self-signed certificates for exim, dovecot and proftpd (wildcard keys)
• openssl self-signed certificate for apache (later will go for "trusted-signed" key)

My questions are:

• is is an "good practice" having one pair of wildcard SSL-certificates for many programs? (exim, dovecot, proftpd) - or should I generate one key for each service?

• should I add all 4 persons as standard (unix) users, or I should go with virtual users? Asking because:

  • have only small count of users, and
  • it is more simple to configure everything (exim, dovecot) for local users ($HOME/Maildir), plus ability to set $HOME/.forward/vacation and etc.
  • is here some (special) things what I should consider? (e.g. maybe, in the future we want setup our own webmail - will make this any difference?)

• any other recommendation?

Thank you, hoping that this question fit into the http://serverfault.com/faq under the:

• Server and Business Workstation operating systems, hardware, software
• Operations, maintenance, and monitoring

Looking for an checklist, but please explain why you're recommending it. See Good Subjective, Bad Subjective.

related:

• What's your suggested mail server configuration for a FreeBSD server?