Thank you, Martijn! Only about 5 percent of "good mails" are routed through the secondary MTA. Thus, I'd get "nondeterministic" behavior if, for some reason, the first email of a new external address were routed through the secondary server. At the moment, I think, we won't use PDF encryption at all, but...
I had a deeper look at Galera cluster, and I'll most probably go this way - as you proposed.
