Setting up sendmail to use a client certificate
Friday, November 19, 2010
MTAs like sendmail and postfix act as both clients and servers. This page is about setting up sendmail to present a client certificate when it connects to another MTA, not about its server certificate. If you're trying to use your desktop email client to send email over encrypted SMTP, for example, this is probably not the right place to be looking.
One use case is this: I have a few machines that need to send email: a mail server on a static IP, and a few random machines at home on a dynamic IP. The ones at home can't send email directly because, due to spam, most email services don't accept emails directly from residential IPs. So for my machines to use sendmail, they have to relay through the mail server.
The problem is authentication. For the server not to become a spam-spewing open relay, it needs to know who is trying to use it as a relay. There are basically three reasonable ways for a client MTA to authenticate to a server MTA for relaying: the client's IP/hostname, a username/password, or a client certificate. I can't use my IP or hostname since it keeps changing, and using a username/password is too logical for me. So here's how to set up a client certificate.
First, either get an actual client certificate signed by a real CA, or sign your own. Note that if you buy one, it needs to be a client certificate and not some other type, i.e. it needs to pass this check:
$ openssl verify -purpose sslclient sendmail.crt
If you generated it using my instructions, the certificate can be used for any purpose and will be fine.
Now, copy the certificate and private key somewhere on your client machine. /etc/pki/tls/ is a good place to put these. Keep the private key readable only by root; sendmail refuses to use a key file that is group- or world-readable unless you explicitly relax that with DontBlameSendmail. Then add these two lines to /etc/mail/sendmail.mc:
define(`confCLIENT_CERT', `/etc/pki/tls/certs/sendmail.crt')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/private/sendmail.key')dnl
You may have to install sendmail-cf before proceeding, so do that first. Then run make and restart sendmail:
# make -C /etc/mail
# /etc/init.d/sendmail restart
Now sendmail is correctly configured to present a client certificate when asked by a server. Note that the server must request a client certificate before one will be presented, and most servers don't do that by default. Also, for the certificate verification to succeed, the server needs to be configured to trust the certificate authority. That means if you signed the certificate yourself, the server needs to trust the certificate file of the CA that you signed the client certificate with.
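The whole client-side procedure above, gathered into a small POSIX shell script as an added example (this is not code from the original post, and the function names are my own). It runs the purpose check from the post, also checks that the private key actually belongs to the certificate (a mismatch is the most common reason a client cert silently never gets presented), and appends the two defines to sendmail.mc only if they are not already there. The certificate and key paths under /etc/pki/tls/ are the ones the post uses; the optional CA file argument is an assumption for the self-signed case.

```shell
#!/bin/sh
# Added example: sanity-check a sendmail client certificate and wire it into
# sendmail.mc. Paths follow the post; function names are my own.

# Print the two m4 lines the post adds to /etc/mail/sendmail.mc.
client_cert_defines() {
    cert="$1"
    key="$2"
    printf "define(\`confCLIENT_CERT', \`%s')dnl\n" "$cert"
    printf "define(\`confCLIENT_KEY', \`%s')dnl\n" "$key"
}

# Return 0 if the mc file already defines both the client cert and key.
mc_has_client_cert() {
    mc="$1"
    grep -q "confCLIENT_CERT" "$mc" && grep -q "confCLIENT_KEY" "$mc"
}

# Append the defines to the mc file unless they are already present,
# so running this twice does not duplicate them.
add_client_cert_defines() {
    mc="$1"
    cert="$2"
    key="$3"
    if mc_has_client_cert "$mc"; then
        return 0
    fi
    client_cert_defines "$cert" "$key" >> "$mc"
}

# Checks worth doing before restarting sendmail:
#  1. the certificate passes the sslclient purpose check from the post
#     (pass the CA file as the third argument for a self-signed CA);
#  2. the private key's public half matches the certificate's public key.
# Returns 0 with a message if openssl is not installed at all.
check_client_cert() {
    cert="$1"
    key="$2"
    cafile="${3:-}"
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found, skipping certificate checks"
        return 0
    }
    if [ -n "$cafile" ]; then
        openssl verify -purpose sslclient -CAfile "$cafile" "$cert" || return 1
    else
        openssl verify -purpose sslclient "$cert" || return 1
    fi
    certpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl md5)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
    if [ "$certpub" != "$keypub" ]; then
        echo "private key does not match certificate: $key / $cert"
        return 1
    fi
}

# Rebuild sendmail.cf and restart, exactly as in the post. Needs root and
# the sendmail-cf package; not invoked automatically here.
rebuild_and_restart() {
    make -C /etc/mail && /etc/init.d/sendmail restart
}

# Usage, as root, on the client machine:
#   check_client_cert /etc/pki/tls/certs/sendmail.crt \
#       /etc/pki/tls/private/sendmail.key /etc/pki/tls/certs/myca.crt \
#   && add_client_cert_defines /etc/mail/sendmail.mc \
#       /etc/pki/tls/certs/sendmail.crt /etc/pki/tls/private/sendmail.key \
#   && rebuild_and_restart
client_cert_defines /etc/pki/tls/certs/sendmail.crt /etc/pki/tls/private/sendmail.key
```

The key-match check compares the public key extracted from the certificate with the public half derived from the private key; if those differ, sendmail will either refuse to load the pair or the TLS handshake will fail, and the server will simply see no client certificate.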