Exim4 and TLS

This configuration is based on Debian with Exim4 split-file configuration. Files we need to edit are conf.d/main/01_exim4-config_listmacrosdefs, conf.d/main/03_exim4-config_tlsoptions and conf.d/acl/30_exim4-config_check_rcpt.

Beforehand

Make sure you have a root certificate (CA), a server certificate and a key without a passphrase. The key should only be readable by Exim4, so set its ownership and permissions to root:Debian-exim, 0640.

Edit macros

What we want is TLS on Exim with client verification (so a client needs to present a certificate we have signed to be able to send mail through our mail server). In the macro file, 01_exim4-config_listmacrosdefs, the configuration is pretty straightforward:

MAIN_TLS_ENABLE=1
MAIN_TLS_VERIFY_CERTIFICATES=/path/to/my/CA.pem
MAIN_TLS_CERTIFICATE=/path/to/my/certificate.pem
MAIN_TLS_PRIVATEKEY=/path/to/my/private/key.pem
MAIN_TLS_TRY_VERIFY_HOSTS=*
MAIN_TLS_CRL=/path/to/my/crl.pem

So first we enable TLS with MAIN_TLS_ENABLE set to 1. Then we set our root certificate with MAIN_TLS_VERIFY_CERTIFICATES. By setting our root certificate, we won't treat anyone as verified unless they present a certificate that we have signed.

You can, if you want, relay only for people using client certificates signed by a well-known company (trusted CAs such as Verisign, …). For this you need to install the package ca-certificates on Debian (which also contains the CAcert.org CA) and then simply don't set MAIN_TLS_VERIFY_CERTIFICATES. Anyone holding a client certificate from those companies can then connect to your server and send mail through it. I won't recommend for or against this option, but it is possible.

Then we provide our server certificate and our key with MAIN_TLS_CERTIFICATE and MAIN_TLS_PRIVATEKEY.

The next value sets which hosts we want to verify; here we set everyone with MAIN_TLS_TRY_VERIFY_HOSTS=*. Exim will then ask the client for a client certificate, but will not shut down the connection if the client doesn't provide one. The idea is to refuse the connection only when relaying. If you set MAIN_TLS_VERIFY_HOSTS=* instead, Exim will shut down the connection if the client doesn't provide a certificate, but this will block incoming mail from every host (so you won't get any mail in your inbox).

Finally we provide a CRL file, so our server knows which of our certificates are still valid and which have been revoked: MAIN_TLS_CRL.

Edit TLS options

We then edit the TLS options in the file 03_exim4-config_tlsoptions. I just added the following lines:

.ifdef MAIN_TLS_CRL
tls_crl=MAIN_TLS_CRL
.endif

to use the CRL. The rest of the configuration was already well done by the Debian packagers.

Edit ACL

We need to edit the ACL in 30_exim4-config_check_rcpt. When a client contacts the server, Exim checks whether the recipient address is local or should be relayed to another server, so at this point we tell Exim to accept only authenticated users (that's already configured by the Debian packagers) and we just add verify = certificate to accept only authenticated users that also present a verified client certificate. So in the file, search for accept to find something like:

accept
  authenticated = *
  control = submission/sender_retain

So just add one line there:

accept
  verify = certificate
  authenticated = *
  control = submission/sender_retain