I have read many blogs that at some point state that a post is to document something for future use
This post is like that, this is something I have done very recently and now I'm writing down about it so I know how to do it again in the future :)

I have a central mail server where I keep my email, other systems relay emails to that server so I can consolidate my cron mail and delete it altogether
I nailed this 2 years ago for my laptop, but I never wrote it down or anything so when I got new machines they just don't send out email
Recently I needed to send out email from a machine so I had it to make it work again

Generate a CA for this propose

$ easy-rsa smtps-ca
$ cd smtps-ca
$ vi vars
...
...
$ source vars
$ ./clean-all
$ ./build-ca

Create keys for all the parties involved

$ ./build-key-server mailserver
$ ./build-key-server client1
...
$ ./build-key-server clientN

Copy the keys to each server in particular

$ cd keys
$ cat client1.crt client1.key > client1.pem
$ scp client1.pem mailserver.crt client1:/etc/nullmailer/

Add the key fingerprint to the list of keys we allow to forward email through us

# openssl x509 -in client1.crt -fingerprint -sha1 -noout | awk -F = '{print $2 " client1" }' >> /etc/postfix/tls/relay_clientcerts
# postmap /etc/postfix/tls/relay_clientcerts

My master.cf config (partial), on my smarthost

$ cat /etc/postfix/master.cf

submission inet n       -       n       -       -       smtpd
  -o content_filter=
  -o syslog_name=postfix/submission
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject
  -o smtpd_tls_req_ccert=no
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=/etc/postfix/tls/mailserver.crt
  -o smtpd_tls_key_file=/etc/postfix/tls/mailserver.key
  -o smtpd_tls_fingerprint_digest=sha1
  -o relay_clientcerts=hash:/etc/postfix/tls/relay_clientcerts
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject
  -o smtpd_tls_CAfile=/etc/postfix/tls/keys/ca.crt
  -o smtpd_sender_restrictions=$submission_sender_restrictions
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_data_restrictions=
  -o smtpd_milters=inet:127.0.0.1:12345
  -o non_smtpd_milters=inet:127.0.0.1:12345
  -o milter_default_action=accept
  -o message_size_limit=211113302
  -o cleanup_service_name=subcleanup

....

Configure nullmailer on the clients, the cool thing is that nullmailer will validate the smart host as well

$ ssh client1
# cd /etc/nullmailer
# cat remotes
mailserver smtp --port=587 --starttls --x509certfile=/etc/nullmailer/client1.pem  --x509cafile=/etc/nullmailer/mailserver.crt

Things to be improved, a few probably. For example I think relay_clientcerts is redundant, postfix should trust all certs created by this CA, after all I created it for that reason... but it doesn't bother me much yet, maybe next time I add a machine I'll fix it.

EDIT: make the post more clear