On Thu, May 20, 2021 at 01:06:38AM +0300, IL Ka wrote:

> Disclaimer: I am not a network guru, but here is what I know.

Then don't distract the OP with speculative non-answers.

> With CNAME scenario you can't have more than one backend. Because HAProxy
> acts as L4 (TCP) balancer, it has no idea which server you are trying to
> connect to and which server's certificate you are waiting for.

This is false. All the backend servers present the same certificate chain,
so there's no problem.

> You can't use STARTTLS in this scenario because LoadBalancer is L4 (TCP)
> not L7 (SMTP) hence it doesn't "speak" SMTP.

This is false. All the backend servers have the same certificate chain. ...

--
    Viktor.