Exim as an SSL/TLS client
Paul Heinlein
First published on May 4, 2005
At some point in the (hopefully) near future, I’ll be moving my main mail server out of my house to a co-lo facility. I want all my home machines to relay mail through that box, and I want those connections verified via SSL-certificate checking.
So I built my own little certificate authority and generated certs for each host on my network.
I’m pretty familiar with the m4 configuration process for sendmail, so telling local hosts running sendmail how to offer up a client certificate was pretty easy: just add confCLIENT_CERT and confCLIENT_KEY definitions and rebuild sendmail.cf.
Harder—well, more obscure—was getting exim4 to offer up a client cert. The exim4 config file has settings for tls_certificate and tls_privatekey, but they’re only good when exim is acting as a server; they don’t apply to exim as a client.
The answer wasn’t documented at all in the comments in the exim4 config stuff, nor was it in the README.TLS file. Instead, buried in the FAQ on www.exim.org is this little gem:
A1705: This means that the clients have not sent certificates when asked by the server to do so. If the clients are running Exim, check that tls_certificate is correctly set in their smtp transports. Note that this value is not automatically inherited from the global tls_certificate option.
What that means in practice is that your remote_smtp transport definition needs a bit of tweaking, e.g.,

    remote_smtp:
      debug_print = "T: remote_smtp for $local_part@$domain"
      driver = smtp
      # set on the transport itself; the global tls_certificate is not inherited
      tls_certificate = CONFDIR/exim.crt
      # if the private key is not in the same file, the smtp transport
      # has its own tls_privatekey option for it (e.g. CONFDIR/exim.key)
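A small check for the gotcha above, added here as an example and not part of the original post or of Exim: it walks the transports section of an Exim config and reports every smtp transport that sets no tls_certificate of its own, i.e. one that will send no client certificate no matter what the global option says. The config text is a constructed sample.

```python
import re

# Constructed sample config (not from the post): the global tls_certificate
# only covers Exim acting as a server, so remote_smtp sends no client cert.
SAMPLE_CONFIG = """\
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key

begin transports

remote_smtp:
  driver = smtp
  # nothing here: the global tls_certificate is NOT inherited

relay_smtp:
  driver = smtp
  tls_certificate = /etc/exim4/exim.crt
  tls_privatekey = /etc/exim4/exim.key

local_pipe:
  driver = pipe
"""

OPTION = re.compile(r"^\s+([a-z_]+)\s*=\s*(.*)$")   # indented "name = value"


def parse_transports(config):
    """Return {transport name: {option: value}} for the 'begin transports' section."""
    # Exim comment lines start with '#'; a driver instance is an unindented
    # 'name:' followed by indented option lines.
    transports, current, in_transports = {}, None, False
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("begin "):
            in_transports = line.split()[1] == "transports"
            current = None
        elif not in_transports:
            continue
        elif not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            transports[current] = {}
        elif current and (m := OPTION.match(line)):
            transports[current][m.group(1)] = m.group(2).strip()
    return transports


def transports_without_client_cert(config):
    """smtp transports with no tls_certificate of their own (no client cert offered)."""
    return sorted(name for name, opts in parse_transports(config).items()
                  if opts.get("driver") == "smtp" and "tls_certificate" not in opts)
```

On a live box the same question can be put to exim directly with `exim -bP transport remote_smtp`, which prints the transport's effective option values.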
Voila!