Implementing STARTTLS (3)

ACL

    # This acl condition will bypass further checks if sending client presented
    # a certificate (over TLS of course) signed by one of our known CAs, as
    # found in tls_verify_certificates
    warn    log_message = verified peer dn $tls_peerdn
            condition   = $tls_certificate_verified
    accept  condition   = $tls_certificate_verified
    ...

Result

    Received: from darkwing.uoregon.edu ([128.223.142.13] ident=root)
        by riddler.dyndns.org with esmtp (TLSv1:DES-CBC3-SHA:168)
        (/C=US/ST=Oregon/L=Eugene/O=University of Oregon/OU=Computing Center/CN=darkwing.uoregon.edu)(verified=1)
        (Exim 4.22 #1) id 1Ae6Dj-000KBE-II
        for mark@foster.cc; Tue, 06 Jan 2004 21:27:07 -0800

Obtaining Issuers (building trust)

    2004-01-15 08:03:49 SSL verify error: depth=1 error=certificate not trusted cert=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte Personal Freemail Issuing CA
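For the "Obtaining Issuers" step, an added example (not part of the original slides) that reads Exim main-log lines in the format shown above and tallies which issuer certificates failed with "certificate not trusted", so they can be reviewed before being added to tls_verify_certificates. Only the first sample line comes from the slide; the other lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Exim main-log line format shown on the slide:
#   <date> <time> SSL verify error: depth=N error=<text> cert=<one-line DN>
VERIFY_ERR = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SSL verify error: "
    r"depth=(?P<depth>\d+) error=(?P<error>.+?) cert=(?P<dn>/.+)$"
)
# One attribute of a slash-separated DN; the value runs up to the next "/KEY=".
DN_ATTR = re.compile(r"/([A-Za-z][A-Za-z0-9.]*)=((?:(?!/[A-Za-z][A-Za-z0-9.]*=).)*)")

def parse_dn(dn):
    """Split '/C=ZA/O=.../CN=...' into a list of (attribute, value) pairs."""
    return DN_ATTR.findall(dn)

def parse_verify_error(line):
    """Return a dict for an 'SSL verify error' line, or None for any other line."""
    m = VERIFY_ERR.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["depth"] = int(rec["depth"])
    rec["attrs"] = parse_dn(rec["dn"])
    return rec

def untrusted_issuers(lines):
    """Tally 'certificate not trusted' errors on CA certs (depth >= 1) by DN."""
    # Depth 0 is the peer's own certificate; depth >= 1 is an issuer in its
    # chain, i.e. a candidate to review for tls_verify_certificates.
    tally = Counter()
    for line in lines:
        rec = parse_verify_error(line)
        if rec and rec["depth"] >= 1 and rec["error"] == "certificate not trusted":
            tally[rec["dn"]] += 1
    return tally

THAWTE_DN = "/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte Personal Freemail Issuing CA"
SAMPLE_LOG = [
    # First line is the one from the slide; the rest are constructed for the example.
    "2004-01-15 08:03:49 SSL verify error: depth=1 error=certificate not trusted cert=" + THAWTE_DN,
    "2004-01-15 08:10:02 SSL verify error: depth=0 error=self signed certificate cert=/C=US/O=Example Org/CN=mail.example.org",
    "2004-01-15 09:41:17 SSL verify error: depth=1 error=certificate not trusted cert=" + THAWTE_DN,
    "2004-01-15 09:41:18 TLS error on connection from mail.example.org [192.0.2.10]",
]

if __name__ == "__main__":
    for dn, count in untrusted_issuers(SAMPLE_LOG).most_common():
        print(count, dict(parse_dn(dn))["CN"], dn)
```

The depth=0 self-signed line is deliberately excluded from the tally: it is a peer certificate, not an issuer, and trusting it is a separate decision from adding a CA.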