This is something which (at least) Cyrus offers, so it'd be nice for
talking to lmtpd, but also rather nice for MTA-MTA conversations too.
(In our Dept an increasing number of people have more than one machine at
home, and have a mail relay on their internal networks, which might as
well point straight at our MTA, what with its virus-checking etc.)
The implementation I'm thinking of is specific to server verification of
client SSL/TLS certificates (I'm guessing the id is the CN, but I haven't
looked into it in much depth.)
So, you can avoid doing all that 'orrible spam-checking from your backup
MXes without too much clutter, because one of your first RCPT ACL checks
would say "accept authenticated = *", *and* our academics' mail from home
has the nice "P=asmtp"-ness about it, *but* they don't need a cleartext
copy of their password in their MTA configurations at home.
I know it's easy to use the ACLs to relay for verified certificates, but
the nicest way I can think of logging that that's why we relayed is
"P=asmtp A=external:my.CN".
What do you think? Is it difficult to implement? Worth the bother?
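An added example, not from the original post and not Exim's own documentation, of the ACL arrangement the post describes: clients that have authenticated, or that presented a TLS client certificate verified against our CA, are allowed to relay, and the peer DN is written to the log so the log line records why. It assumes Exim 4.x with `local_domains` and `relay_from_hosts` lists defined elsewhere; the certificate and CA file paths are placeholders.

```exim
# Main section: request a certificate from every client but do not insist
# on one, so ordinary clients still work; only certificates signed by our
# CA (placeholder path) count as verified.
tls_certificate         = /etc/exim/exim.crt      # placeholder
tls_privatekey          = /etc/exim/exim.key      # placeholder
tls_verify_certificates = /etc/exim/clientca.pem  # placeholder
tls_try_verify_hosts    = *

# Only advertise AUTH once the session is encrypted, so no cleartext
# password ever crosses the wire. (On Exim older than 4.80 the variables
# are $tls_cipher and $tls_peerdn rather than $tls_in_cipher/$tls_in_peerdn.)
auth_advertise_hosts    = ${if eq{$tls_in_cipher}{}{}{*}}

begin acl

acl_check_rcpt:
  # Mail for our own domains is accepted (other checks belong before this).
  accept  domains       = +local_domains

  # Hosts on our own networks may relay.
  accept  hosts         = +relay_from_hosts

  # Anyone who authenticated may relay; the log line already carries
  # A=<authenticator>, which is the "P=asmtp A=..." the post refers to.
  accept  authenticated = *

  # A client whose certificate verified against clientca.pem may relay too.
  # Until an EXTERNAL authenticator records the certificate identity for us,
  # write the peer DN to the main log ourselves so the reason is auditable.
  accept  verify        = certificate
          logwrite      = relayed for verified client certificate $tls_in_peerdn

  deny    message       = relay not permitted
```

Because the certificate path does not set `$authenticated_id`, messages relayed that way will not show `A=` in the log; the `logwrite` line is what ties the relay decision to the certificate until an EXTERNAL authenticator does it properly.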