What about DKIM entry? Do I need to repeat it in every domain DNS config? Is the main domain enough?

You can use a 'catch-all' DKIM for all domains, so that you don't need to create & maintain dkim keys, DNS records for each domains.

Open /etc/amavisd.conf and read dkim related settings.

domain2.com.           3600    IN      TXT     "v=spf1 mx mx:mail.domain2.com -all"
domain2.com.           399      IN      MX      0      mail.domain2.com.
mail                        399      IN      A         <my_public_ip>

I can read in my outgoing mails' header:
Received-SPF: fail (receiverdomain.com: domain of user@domain2.com does not designate <my_public_ip> as permitted sender) client-ip=<my_public_ip>;

This is why I previously set

domain2.com.           3600    IN      TXT     "v=spf1 ip4:<my_public_ip> -all"

no, my mean is

if the mailbox is on domain2.com , user@domain2.com
if the mailbox is on domain3.com,  user@domain3.com

Ok, this match my settings...

Ok, I think I missed this one. Has this to be set even if users are using the same host of main server?
I mean that both user@domain1.com and user@domain2.com are using smtp.domain1.com to send mail... is this wrong?

if the mailbox is on domain2.com , user@domain2.com
if the mailbox is on domain3.com,  user@domain3.com

the spf setting is different.

domain3.com.           3600    IN      TXT     "v=spf1 mx mx:mail.domain3.com -all"
domain2.com.           3600    IN      TXT     "v=spf1 mx mx:mail.domain2.com -all"

the email client, the user name must be www@domain.com  or www@maindomain.com

if you have the multi domian.

Do you mean that if I have more then one domain

domain1.com (domain of the server)
domain2.com (virtual domain on postfix)
domain3.com (virtual domain on postfix)

all users must authenticate as user@domain1.com even if the mailbox is on domain2.com?
At now every user is able to authenticate with his own mail address (real mailbox, not alias).

if you have the multi domian.

recommend point the mx record to A record.

Oh yes, I didn't specify but I I pointed the MX record to a (A)HOST. And users point to imap.domain.com/smtp.domain.com which are CNAME of that (A)HOST.

And I pointed the MX record of all virtual domains each to a (A)HOST linked to the same external IP of the mailserver.

the spf record also suggest use the A record.

http://code.google.com/p/iredmail/wiki/DNS_SPF

What's the right configuration of MX records for virtual domains?
Is it better to point every MX record to the public IP address of the server or to the same hostname used for main domain's MX record (e.g. mail.maindomain.com)?
I'm using the first way at now, but I'm starting to feel that I missed something... for example, do I need to add the same SPF and DKIM entries in every domains' DNS zone? I added these entries only in the main domain DNS zone and all clients use imap.maindomain.com/smtp.maindomain.com even if they have a mailbox under firstvirtualdomain.com... But lots of mails do not arrive. And I have no entry into /var/log/maillog for the sender address...

Thank you again...