On Thu, May 20, 2021 at 01:44:47AM +0300, IL Ka wrote:

> So, each backend can have its own certificate, but for the same DNS name
> (haproxy.example.com), right?

Briefly during rollover. Not each its own, but some have a previous
version briefly during rollover.

> I didn't know that letsencrypt could issue a new certificate without
> revoking the old one.

Revocation is not part of normal renewal.

> Just curious: what do you think about replacing HAProxy with "frontend"
> Postfix that receives mails and forwards them to the backend using
> $relayhost with several values?

Submission servers should quickly hand off mail to a pool of smart hosts,
rather than queue it for delivery to remote hosts. In that light no
proxying is required at all. Just give the submission servers multiple
IPs.

Proxies are only needed for very large mail plants, where the message
rate is too high for any one machine to handle, and you also need GeoIP
DNS load-balancing, front-end proxies per datacentre, ...

For those of us not working for Google, much simpler approaches are more
robust (easier to manage).

-- 
Viktor