Hello! I've recently found a reason to use different certificates for relaying than those that are used for submitting mails.

Reading smtpd.conf(5) I learned that "relay" did not list "pki" as an option. Feeling adventurous I just added the "pki pubpki" directive:

    action rlay relay src <outbound> helo $hname pki pubpki

"smtpd -n -v" did not complain. There's a patch for smtpd.conf(5) at the end of this message.

But I'm having a hard time testing. Here's a trace from a receiving end, when contacted _by_ the server in question:

smtp: 0x17e7eea48000: <<< STARTTLS
smtp: 0x17e7eea48000: >>> 220 2.0.0 Ready to start TLS
smtp: 0x17e7eea48000: STATE_HELO -> STATE_TLS
160f48d2b4ce36f0 smtp tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
smtp: 0x17e7eea48000: STATE_TLS -> STATE_HELO

How can I check which certificate was used? I control both ends, which are OpenBSD 6.6 with OpenSMTPD.

Or, asking differently: if I have more than one "pki" defined, which one is used for "relay" actions? There's an "internal" domain name that is used for mail submission access, which has an acme certificate. But, when relaying, it goes out with the "official" name, which is not contained in the acme certificate for the "internal" domain.

Thanks for reading that far,
Marcus

Index: smtpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
retrieving revision 1.249
diff -u -p -u -r1.249 smtpd.conf.5
--- smtpd.conf.5	12 Feb 2020 14:46:36 -0000	1.249
+++ smtpd.conf.5	2 Apr 2020 09:14:01 -0000
@@ -274,6 +274,14 @@ and
 .Dq smtps
 protocols for authentication.
 Server certificates for those protocols are verified by default.
+.It Cm pki Ar pkiname
+For secure connections,
+use the certificate associated with
+.Ar pkiname
+(declared in a
+.Ic pki
+directive)
+to prove a mail server's identity.
 .It Cm srs
 When relaying a mail resulting from a forward,
 use the Sender Rewriting Scheme to rewrite sender address.
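Review bot: the new ".It Cm pki Ar pkiname" entry does not say what happens when a relay action omits "pki", which is exactly the open question in the cover message (with more than one pki declared, which one applies); a sentence stating the default would make the option self-explanatory. The phrase "to prove a mail server's identity" is also easy to misread next to the preceding context line "Server certificates for those protocols are verified by default": in a relay action smtpd is the connecting side, so it would be clearer to say that the certificate is the one smtpd presents to the remote server when relaying.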
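One way to answer "which certificate was used" from the receiving end is to run a throw-away STARTTLS listener that asks the connecting relay for a client certificate and prints the names in whatever it presents. The script below is an added example for this thread, not OpenSMTPD code and not part of the patch; it assumes you point the relaying host at it (hostname, port and the file paths are placeholders) and that the relay's certificate chains to the CA bundle you pass in, since Python's ssl module only hands back a certificate it could verify. The sample certificate dictionary used in the names check is constructed for illustration.

```python
"""Hypothetical STARTTLS receiver that reports the client certificate a
relaying MTA presents. Added example; not part of OpenSMTPD."""
import socket
import ssl


def cert_names(peercert):
    """Extract (commonName, [DNS SANs]) from the dict ssl.getpeercert() returns."""
    common_name = None
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                common_name = value
    sans = [value for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"]
    return common_name, sans


def covers_hostname(peercert, hostname):
    """True if the certificate names hostname exactly (CN or DNS SAN).
    Wildcards are deliberately not matched: the question is whether the
    "official" relay name literally appears in the certificate."""
    common_name, sans = cert_names(peercert)
    return hostname == common_name or hostname in sans


def _reply(sock, line):
    sock.sendall((line + "\r\n").encode("ascii"))


def _readline(sock):
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").strip()


def inspect_relay_cert(port, server_cert, server_key, ca_file, expected_helo):
    """Accept one SMTP session, offer STARTTLS and request the relay's client
    certificate. Returns (cn, sans, covers_expected_helo), or None when the
    relay presented no certificate. Never accepts mail."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_cert, server_key)
    # CERT_OPTIONAL makes the server send a CertificateRequest; a certificate
    # the client does send must chain to ca_file or the handshake fails.
    ctx.verify_mode = ssl.CERT_OPTIONAL
    ctx.load_verify_locations(ca_file)

    with socket.create_server(("0.0.0.0", port)) as srv:
        conn, _peer = srv.accept()
        sock = conn
        result = None
        _reply(sock, "220 test-receiver ESMTP ready")
        while True:
            line = _readline(sock)
            if not line:
                break
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                _reply(sock, "250-test-receiver")
                _reply(sock, "250 STARTTLS")
            elif verb == "STARTTLS" and sock is conn:
                _reply(sock, "220 2.0.0 Ready to start TLS")
                sock = ctx.wrap_socket(conn, server_side=True)  # handshake here
                peercert = sock.getpeercert()  # {} or None if no client cert
                if peercert:
                    cn, sans = cert_names(peercert)
                    result = (cn, sans, covers_hostname(peercert, expected_helo))
            elif verb == "QUIT":
                _reply(sock, "221 2.0.0 Bye")
                break
            else:
                # Refuse everything past the handshake; we only want the cert.
                _reply(sock, "503 5.5.1 test receiver: handshake only")
        sock.close()
        return result


if __name__ == "__main__":
    # Placeholder paths and name: replace with the receiving host's key pair,
    # the CA chain the relay's certificate is issued under, and the helo name.
    print(inspect_relay_cert(2525, "/path/to/receiver.crt", "/path/to/receiver.key",
                             "/path/to/relay-ca.pem", "mail.example.org"))
```

Run it on the receiving host, have the relaying smtpd deliver one message to that port, and the printed tuple tells you which certificate (if any) the relay presented and whether the "official" helo name is actually among its names; a None result means the relay sent no client certificate at all, which is also an answer.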