> > Load balancing. > Do you really have such a big load so one submission postfix isn't enough?
If you are speaking about fault tolerance only, then you could run "submission only" postfix instead of haproxy. This postfix will then store messages in queue and send them to the appropriate backend server. You can also do fault-tolerance on the network level (see CARP protocol and friends) If Haproxy is absolutely necessary then you can try to use either SubjectAltName or wildcard cert from my prev. email.
