I wonder, if this is used for 'internal' email traffic, why bother with certificates that require frequent renewal? If the organization is that large, I would expect that all external email is handled by relay hosts on the perimeter, instead of allowing direct mail from random 'internal' hosts.
Wietse