Disclaimer: I am not a network guru, but here is what I know.
With the CNAME scenario you can't have more than one backend. Because HAProxy acts as an L4 (TCP) balancer, it has no idea which server you are trying to connect to and which server's certificate you are waiting for. It just sends your packets to some random backend.

When you install a load balancer that acts as a front-end for several backends, you can:

1. Terminate TLS on it. This is how people do HTTPS:

       Client--<HTTPS>--LoadBalancer--<PLAIN_HTTP>--SomeRandomBackEndN

   You can't use STARTTLS in this scenario because LoadBalancer is L4 (TCP), not L7 (SMTP), hence it doesn't "speak" SMTP. So, it COULD be

       Client--<SMTPS>--LoadBalancer--<PLAIN_SMTP>--SomeRandomBackEndN

   But I do not know if this scenario is supported.

2. Use a SubjAltName certificate and terminate TLS on the backend.

       Client:    I want to connect to haproxy.example.com
       Haproxy:   (Silently sends all packets to the backend64)
       Backend64: here is my cert. It is valid for Backend64 AND haproxy.example.com

       Client:    I want to connect to haproxy.example.com
       Haproxy:   (Silently sends all packets to the backend42)
       Backend42: here is my cert. It is valid for Backend42 AND haproxy.example.com

3. Replace the L4 (TCP) load balancer with an L7 (SMTP) load balancer and terminate TLS there. This load balancer is called Postfix :) You install Postfix instead of HAProxy. It accepts emails, speaks TLS (along with STARTTLS), and provides its certificate. Everything works. Then, it forwards emails to the backends via $relayhost:

       relayhost = backend1:587, backend2:587, backend3:587, backendN:587

   http://www.postfix.org/postconf.5.html#relayhost

I am for the third solution.
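A main.cf fragment for the third option, added here as an illustration and not part of the answer above. It assumes the front-end's certificate lives under /etc/postfix/tls/ and that the backends accept STARTTLS on 587; the hostnames mirror the answer's placeholders.

```ini
# --- Inbound leg: Postfix is the TLS endpoint clients see ---
# Certificate/key for the public name (haproxy.example.com in the answer);
# paths are assumed, use your own.
smtpd_tls_cert_file = /etc/postfix/tls/frontend.crt
smtpd_tls_key_file  = /etc/postfix/tls/frontend.key
# "may" = offer STARTTLS opportunistically on port 25 (MX traffic).
# For a submission listener use "-o smtpd_tls_security_level=encrypt"
# on the 587 entry in master.cf so plaintext logins are refused.
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

# --- Outbound leg: forward to the backends ---
# Several next-hops, as in the answer; Postfix spreads deliveries across them.
# Note: without [brackets] Postfix does an MX lookup for each name.
relayhost = backend1:587, backend2:587, backend3:587, backendN:587

# Do not leave the second hop as PLAIN_SMTP (the weak point of option 1):
# "encrypt" refuses to deliver unless the backend offers STARTTLS.
# "secure" additionally verifies the backend certificate against the CA below.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/postfix/tls/internal-ca.crt
smtp_tls_loglevel = 1
```

After reloading, `postconf -n | grep -i tls` shows the effective settings and the "Received:" header of a relayed message records whether each hop used TLS.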