On Thu, May 20, 2021 at 01:44:47AM +0300, IL Ka wrote:
> So, each backend can have it's own certificate, but for the same DNS name (
> haproxy.example.com), right?
Briefly during rollover. Not each its own, but some have a previous
version briefly during rollover.
> I didn't know that letsencrypt could issue a new certificate without
> revoking the old one.
Revocation is not part of normal renewal.
> Just curious: what do you think about replacing HAProxy with "frontend"
> Postfix that receives mails and forwards them to the backend using
> $relayhost with several values?
Submission servers should quickly hand off mail to a pool of smart
hosts, rather than queue it for delivery to remote host. IN that light
no proxying is required at all. Just give the submission servers
multiple IPs.
Proxies are only needed for very large mail plants, where the message
rate is too high for any one machine to handle, and you also need
GeoIP DNS load-balancing, front-end proxies per datacentre, ...
For those of us not working for Google, much simpler approaches
are more robust (easier to manage).
--
Viktor
