> > > Which "backend"? > "random or designated"
Viktor's comment: 7. Some suitable process arranges to update the peer servers whenever a new certificate is obtained by some ( *random or designated)* server in the cluster. Or some completely separate provisioning system could do the certificate acquisition and push the cert files, ... --- >From my point of view this approach requires some scripting and probably more complex than "frontend" Postfix with several $relayhost I wrote about