We at BarNet purchased a wildcard certificate from FreeSSL to secure our web transactions, to authenticate our IMAP and POP servers and to support TLS for the SMTP sessions.
TLS (Transport Layer Security) for SMTP consists of two parts
The above example works because the certificate our MTA presents is an internal client certificate. The certificate we purchased, however, is valid only for server use, not for client use, as its extensions show:
    Issuer: C=US, O=FreeSSL, CN=ChainedSSL CA
    Subject: C=AU, O=*.barnet.com.au, OU=https://services.choicepoint.net/get.jsp?430367485, OU=See www.freessl.com/cps (c)04, OU=Domain Control Validated, CN=*.barnet.com.au
    X509v3 extensions:
        Netscape Cert Type:
            SSL Server
Note that it says only "SSL Server" and not "SSL Client". OpenSSL honours that extension when it checks a peer certificate's purpose: if Netscape Cert Type is present and the SSL Client bit is not set, the certificate is rejected as a client certificate (the same applies to an Extended Key Usage extension that lacks clientAuth). You can see what a certificate is good for before deploying it with "openssl x509 -in cert.pem -noout -purpose", which prints a Yes/No line for "SSL client" and "SSL server".
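The purpose rule described above, as an added example that is not part of the original post or of any BarNet code: a small pure-Python DER walker that pulls the Netscape Cert Type and Extended Key Usage extensions out of a certificate and applies OpenSSL's rule (an absent extension permits every role; a present one must carry the matching bit or OID). The certificates it checks are constructed inline for the example, with dummy keys and an unsigned signature field; the subject name "*.example.test" and the helper names are assumptions, not taken from the page, and only the serverAuth and clientAuth OIDs are recognised.

```python
"""Which TLS roles (server, client) may a certificate fill?

Applies the rule OpenSSL's purpose checker uses for the two extensions the
post discusses: a role is rejected when Netscape Cert Type is present without
that bit, or when Extended Key Usage is present without the matching OID.
Pure-Python DER handling; no external libraries.  Certificates used below are
constructed test input (dummy key, unsigned), not real ones.
"""

# Raw DER OID contents (constants, not parsed from the page's certificate)
OID_NS_CERT_TYPE = bytes.fromhex("6086480186f8420101")  # 2.16.840.1.113730.1.1
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")              # 2.5.29.37
OID_SERVER_AUTH = bytes.fromhex("2b06010505070301")      # 1.3.6.1.5.5.7.3.1
OID_CLIENT_AUTH = bytes.fromhex("2b06010505070302")      # 1.3.6.1.5.5.7.3.2
NS_SSL_CLIENT, NS_SSL_SERVER = 0x80, 0x40                # bits 0 and 1 of the BIT STRING


def der(tag, content):
    """Minimal DER encoder: one tag byte, definite length, content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos=0):
    """Return (tag, content, end) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, c, pos = read_tlv(content, pos)
        out.append((tag, c))
    return out


def extensions(cert_der):
    """Map extension OID (raw DER bytes) -> extnValue (the inner DER)."""
    _, cert, _ = read_tlv(cert_der)
    tbs = children(cert)[0][1]                 # TBSCertificate content
    out = {}
    for tag, content in children(tbs):
        if tag != 0xA3:                        # [3] EXPLICIT Extensions
            continue
        for _, ext in children(children(content)[0][1]):
            parts = children(ext)
            out[parts[0][1]] = parts[-1][1]    # skip the optional critical BOOLEAN
    return out


def tls_roles(cert_der):
    """Return the subset of {"server", "client"} the certificate may be used for."""
    roles = {"server", "client"}
    exts = extensions(cert_der)
    if OID_NS_CERT_TYPE in exts:
        bits = read_tlv(exts[OID_NS_CERT_TYPE])[1]   # BIT STRING: unused-bit count, then bits
        flags = bits[1] if len(bits) > 1 else 0
        if not flags & NS_SSL_SERVER:
            roles.discard("server")
        if not flags & NS_SSL_CLIENT:
            roles.discard("client")
    if OID_EXT_KEY_USAGE in exts:
        oids = {c for _, c in children(read_tlv(exts[OID_EXT_KEY_USAGE])[1])}
        if OID_SERVER_AUTH not in oids:
            roles.discard("server")
        if OID_CLIENT_AUTH not in oids:
            roles.discard("client")
    return roles


def build_cert(exts):
    """Constructed test input: a well-formed X.509 v3 certificate carrying the
    given (oid, extnValue) extensions, with a dummy key and an unsigned signature."""
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))
                                      + der(0x0C, b"*.example.test"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
               + der(0x03, b"\x00" * 17))
    ext_seq = b"".join(der(0x30, der(0x06, oid) + der(0x04, value)) for oid, value in exts)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name + validity + name + spki + der(0xA3, der(0x30, ext_seq)))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))


# Like the purchased certificate: Netscape Cert Type = SSL Server only, EKU = serverAuth only
SERVER_ONLY_CERT = build_cert([
    (OID_NS_CERT_TYPE, der(0x03, b"\x06\x40")),
    (OID_EXT_KEY_USAGE, der(0x30, der(0x06, OID_SERVER_AUTH))),
])
# What an MTA needs for both directions: both bits and both OIDs
DUAL_USE_CERT = build_cert([
    (OID_NS_CERT_TYPE, der(0x03, b"\x06\xc0")),
    (OID_EXT_KEY_USAGE, der(0x30, der(0x06, OID_SERVER_AUTH) + der(0x06, OID_CLIENT_AUTH))),
])
# No purpose extensions at all: permitted for every role
UNRESTRICTED_CERT = build_cert([])

if __name__ == "__main__":
    for label, cert in (("server-only", SERVER_ONLY_CERT), ("dual-use", DUAL_USE_CERT),
                        ("unrestricted", UNRESTRICTED_CERT)):
        print(f"{label}: {sorted(tls_roles(cert))}")
```

The server-only certificate comes out as usable for "server" but not "client", which is exactly the situation the verify error below reports: a receiving smtpd asks for a client certificate, the sending MTA offers one whose extensions permit only server use, and verification fails on purpose rather than on the chain.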
The result is that when one of our hosts connects with that certificate as its client certificate, the receiving smtpd logs this:

    May 1 00:01:03 mag postfix-dbmail/smtpd: verify error:num=26:unsupported certificate purpose
    May 1 00:01:03 mag postfix-dbmail/smtpd: Unverified: subject_CN=*.barnet.com.au, issuer=ChainedSSL CA
Oh well, this just means that for outgoing sessions we are back to using our self-signed certificates. Moral of the story: make sure you know what you get.