>- Do we support client certificate submission during TLS negotiation?
>  No.  If this is what you want ... well, I'm a little surprised, as I
>  work in an environment that makes heavy use of TLS client certificates
>  and as far as I know this is never done for SMTP (web servers, yes, but
>  SMTP, no).  I would have to look at what it would take to add that.  I
>  imagine there are a few bits of magic you need to tell the TLS library
>  where the certificate and private key are located.

I was curious so I looked into that.

Assuming you don't want to use something like a PKCS#11 hardware token,
adding support for this is relatively straightforward via a few APIs.
It gets more complicated if you (a) want to pick from several certificates
based on the list of CAs sent by the server or (b) if the private key
is encrypted.

--Ken
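To make the "few bits of magic" concrete, here is an added example that is not part of this thread or of the mail software being discussed. It is written in Go (an assumption; the thread does not say what the software is written in) and uses only the standard library: a client `tls.Config` that carries the certificate(s) and private key(s) and, when the server sends its list of acceptable CAs in the CertificateRequest, picks the matching candidate (case (a) above). A throwaway local TLS server stands in for an SMTP server that requires client certificates after STARTTLS. All certificates and the hostnames `mail.example.test`, `mailer-a.example.test` and `mailer-b.example.test` are constructed on the fly so the program runs offline; a real deployment would load its credential from files with `tls.LoadX509KeyPair` or from a token. The encrypted-private-key case (b) is left aside.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSignedCert mints a throwaway self-signed certificate for name. Constructed
// test material only; a real MTA would load a file or a token-resident key.
func selfSignedCert(name string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // just minted, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// clientTLSConfig is the client side: the candidate certificates and keys, plus a
// callback that picks the one whose issuer is in the CA list the server sent.
func clientTLSConfig(candidates []tls.Certificate, roots *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		RootCAs:    roots,
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			for i := range candidates {
				// SupportsCertificate checks cri.AcceptableCAs and the signature schemes.
				if cri.SupportsCertificate(&candidates[i]) == nil {
					return &candidates[i], nil
				}
			}
			return &tls.Certificate{}, nil // no match: send an empty certificate list
		},
	}
}

// demoHandshake runs a local TLS server that requires a client certificate (as an
// SMTP server with client auth would), connects with two candidates, and returns
// the CommonName the server saw on the certificate the client presented.
func demoHandshake() (string, error) {
	server := selfSignedCert("mail.example.test")
	clientA := selfSignedCert("mailer-a.example.test")
	clientB := selfSignedCert("mailer-b.example.test")
	// The server trusts only B, so A is a decoy the client must not present.
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(clientB.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var seenCN string
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer conn.Close()
		tc := conn.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			done <- err
			return
		}
		seenCN = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		done <- nil
	}()
	roots := x509.NewCertPool()
	roots.AddCert(server.Leaf) // client pins the server's self-signed certificate
	cfg := clientTLSConfig([]tls.Certificate{clientA, clientB}, roots, "mail.example.test")
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	err = <-done
	return seenCN, err
}
```

With a single certificate the `GetClientCertificate` callback is unnecessary; setting `Certificates` on the client config is enough. The callback matters exactly in case (a): the server's CertificateRequest carries the distinguished names of the CAs it trusts, and `SupportsCertificate` compares those against each candidate's issuer before the client commits to one.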
