
4. Setting up the server to relay based on fingerprints

When a client tries to relay, Postfix runs through its restriction lists to decide whether that client may send mail to destinations the server is not responsible for. We want every client whose certificate fingerprint is listed in the relay_clientcerts lookup table to be allowed to relay, so we add permit_tls_clientcerts to the smtpd_recipient_restrictions statement in main.cf (on Postfix 2.10 and later, smtpd_relay_restrictions is evaluated first and is the natural place for it). Two details matter for this to work: the server must actually request the client certificate (smtpd_tls_ask_ccert = yes, since SMTP clients only send a certificate when asked), and permit_tls_clientcerts must appear before reject_unauth_destination in the list, because restrictions are evaluated in order and the first one that returns a definitive result decides. Postfix hashes the presented certificate with the digest named by smtpd_tls_fingerprint_digest (sha256 by default since Postfix 3.6, md5 on older releases; Postfix 2.9 and later also match on the public key fingerprint) and looks the result up in relay_clientcerts, so the entries in that table must be generated with the same digest. There is another relay option, permit_tls_all_clientcerts, which permits relaying from any client whose certificate verifies against a CA the server trusts (smtpd_tls_CAfile or smtpd_tls_CApath). That grants relay access to every certificate the CA has issued or will issue, so for a small installation permit_tls_clientcerts is the better choice: it gives individual control over which clients may relay, and a lost or compromised client certificate is shut out simply by removing its fingerprint from the table and re-running postmap.
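The fingerprint lookup that permit_tls_clientcerts performs, as an added example (it is neither Postfix's code nor part of this HOWTO): it reproduces how Postfix derives a fingerprint from the DER form of a certificate, turns it into a relay_clientcerts entry, and shows what the restriction decides for a presented certificate. The sample certificate is a constructed DER placeholder rather than a real X.509 certificate, and the digest argument stands in for smtpd_tls_fingerprint_digest.

```python
"""Generate relay_clientcerts entries the way Postfix will look them up.

Added example, not Postfix code: Postfix hashes the DER encoding of the
client certificate with smtpd_tls_fingerprint_digest and looks the
colon-separated upper-case hex digest up in relay_clientcerts.  The
same digest must therefore be used when the table is written.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Fingerprint in the form Postfix and `openssl x509 -fingerprint` print.

    `digest` stands in for smtpd_tls_fingerprint_digest (sha256 since
    Postfix 3.6, md5 on older releases); a mismatch here means the
    lookup never succeeds even for the right certificate.
    """
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def relay_clientcerts_entry(pem: str, comment: str, digest: str = "sha256") -> str:
    """One relay_clientcerts line: the fingerprint, then free text.

    Postfix only needs the key to exist; the right-hand side documents
    who owns the certificate.
    """
    return f"{fingerprint(pem_to_der(pem), digest)} {comment}"


def load_relay_clientcerts(text: str) -> dict:
    """Parse relay_clientcerts source text (what postmap reads) into a dict."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key.upper()] = value.strip()
    return table


def permit_tls_clientcerts(presented_der: bytes, table: dict, digest: str = "sha256") -> bool:
    """The decision permit_tls_clientcerts makes: relay iff the fingerprint
    of the certificate the client presented is listed.  A certificate that
    merely chains to a trusted CA is not enough; accepting that is what
    permit_tls_all_clientcerts does."""
    return fingerprint(presented_der, digest) in table


# Constructed placeholder, not a real X.509 certificate: a DER SEQUENCE
# holding one OCTET STRING.  Hashing treats a real certificate identically.
SAMPLE_DER = b"\x30\x08\x04\x06client"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    entry = relay_clientcerts_entry(SAMPLE_PEM, "zen client certificate")
    print(entry)  # append to relay_clientcerts, then run postmap on it
    table = load_relay_clientcerts("# trusted relay clients\n" + entry + "\n")
    print(permit_tls_clientcerts(SAMPLE_DER, table))          # listed: relay
    print(permit_tls_clientcerts(SAMPLE_DER, table, "sha1"))  # wrong digest: no relay
```

For a real certificate, `openssl x509 -in zen.pem -noout -fingerprint -sha256` prints the same colon-separated value that fingerprint() computes, so either can be used to fill the table; what matters is that the digest matches the server's smtpd_tls_fingerprint_digest.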

4.1 Server relay configuration

The server is now set up to allow relaying via certificate authentication. We still need to set up the client to talk to the server and authenticate with its client certificate. The client setup is relatively painless: you only need to add a few lines to main.cf and route mail to the server. The private key must be stored unencrypted (Postfix cannot prompt for a passphrase) and should not be world-readable. Edit the main.cf file on the client machine, adding the following lines:

smtp_tls_key_file = /etc/postfix/zen.key
smtp_tls_cert_file = /etc/postfix/zen.pem 
smtp_tls_CAfile = /etc/postfix/CAcert.pem
smtp_use_tls = yes

As you can see, it is very similar to the server configuration, apart from the fact that the parameters start with "smtp" (the Postfix SMTP client) rather than "smtpd" (the SMTP server). The values mean exactly the same thing as on the server: the key and certificate this machine presents, and the CA file it uses to check the hub's certificate. One caveat: smtp_use_tls = yes is the pre-2.3 spelling of opportunistic TLS (smtp_tls_security_level = may), which falls back to plaintext when the TLS handshake fails. Since the client certificate is the only relaying credential this client has, a plaintext fallback cannot relay and only exposes the mail, so on a current Postfix set smtp_tls_security_level = encrypt (or verify or secure, which additionally check the hub's certificate against smtp_tls_CAfile) and drop smtp_use_tls. The client only sends its certificate when the server asks for it, which is what smtpd_tls_ask_ccert = yes on the server does. For relaying, you have two options. You can specify a default route for all mail via the relayhost parameter in main.cf, or you can set up the transport map to route mail per destination domain. Neither is better in general. If you are only going to use one mail hub, specify it in main.cf via the relayhost parameter. If you use multiple hubs (many large organisations do), use the transport map.

For more information about the transport map, see the transport(5) man page; each entry maps a destination domain to a next-hop such as the hub's name. In our case, we will choose the relayhost mechanism to relay all mail through a single server:

relayhost = [mail.organisation.co.uk]

The square brackets tell Postfix to connect to that host name directly instead of looking up its MX records, so mail always goes to the hub whose certificate we configured; a port can be appended, as in [mail.organisation.co.uk]:587, if the hub accepts relay clients on the submission port. If you use smtp_tls_security_level = verify or secure, the name inside the brackets is also the name the hub's certificate is checked against, so it must match that certificate.

