This is not enough to start tls sessions. These entries defines only the certificate and the private
key for the server itself. This will be used when the server gets a connection from outside.
You need at least these additional options in the global configuration part:
tls_advertise_hosts - a hostlist which defines the hosts that will get the ability to use the
STARTTLS command.
tls_verify_hosts OR/AND tls_try_verify_hosts - which are hostlists. Only hosts in one of the lists
will need tls verification against local CA certificates. If used with the _try_ version, the
verification may fail but the connection will be established anyway.
tls_verify_certificates - a file or directory which contains the CA certificates in PEM format.
Configuring those options correctly will lead the server to annouce a STARTTLS to the client on
connect, send the local certificate to the client and request a certificate from the client. This
will then be checked by OpenSSL.
In the transports configuration you'll need at least the following options:
another tls_certificate and tls_privatekey entry (which can use the same key's and certs like in the
global configuration). Additionally you should provide a hosts_require_tls option which includes the
hosts to send the STARTTLS command and the certificate.
This will enable the hosts 10.1.1.1 and 10.2.1.2 to use the STARTTLS command on connect. Host
10.1.1.1 MUST be successful verified against the certificates in tls_verify_certificates and
10.2.1.2 MAY be successful checked the certificates in tls_verify_certificates.
This will lead exim as a client to the hosts 10.1.1.1 and 10.2.1.2 to use the STARTTLS command on
connect and to send the local certificate on request.
This is enough. The ACL must not be used and it is much easier to try without the acl first.