diff --git a/doc/nullmailer-queue.8 b/doc/nullmailer-queue.8
index 291ea65..97aa92f 100644
--- a/doc/nullmailer-queue.8
+++ b/doc/nullmailer-queue.8
@@ -45,6 +45,14 @@ The directory in which messages are formed temporarily.
 A pipe used to trigger
 .BR nullmailer-send
 to immediately start sending the message from the queue.
+.PP
+Note that due to
+.B nullmailer-queue
+using hard links to manage emails both
+.I /var/spool/nullmailer/queue
+and
+.I /var/spool/nullmailer/tmp
+MUST reside on the same filesystem.
 .SH SEE ALSO
 nullmailer-inject(1),
 nullmailer-send(8)
diff --git a/doc/nullmailer-send.8 b/doc/nullmailer-send.8
index 34e5f96..85b705c 100644
--- a/doc/nullmailer-send.8
+++ b/doc/nullmailer-send.8
@@ -137,6 +137,9 @@ Set the source address for connections to the remote host.
 .B auth-login
 Force SMTP "AUTH LOGIN" mode instead of auto-detecting.
 .TP
+.B auth-external
+Use SMTP "AUTH EXTERNAL" for TLS client certificate authentication.
+.TP
 .B tls
 Connect using TLS.
 This will automatically switch the default port to
diff --git a/protocols/protocol.cc b/protocols/protocol.cc
index 6c43d55..edf9cfc 100644
--- a/protocols/protocol.cc
+++ b/protocols/protocol.cc
@@ -55,6 +55,8 @@ cli_option cli_options[] = {
 { 0, "source", cli_option::string, 0, &source,
 "Source address for connections", 0 },
 #ifdef HAVE_TLS
+ { 0, "auth-external", cli_option::flag, AUTH_EXTERNAL, &auth_method,
+ "Use AUTH EXTERNAL for certificate based authentication", 0 },
 { 0, "tls", cli_option::flag, 1, &use_tls,
 "Connect using TLS (on an alternate port by default)", 0 },
 { 0, "ssl", cli_option::flag, 1, &use_tls,
diff --git a/protocols/protocol.h b/protocols/protocol.h
index 2b1c9f6..1a13e0a 100644
--- a/protocols/protocol.h
+++ b/protocols/protocol.h
@@ -13,6 +13,7 @@ extern void protocol_succ(const char* msg);
 #define AUTH_DETECT 0
 #define AUTH_LOGIN 1
 #define AUTH_PLAIN 2
+#define AUTH_EXTERNAL 3
 extern const char* user;
 extern const char* pass;
 extern int auth_method;
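Review bot: The help text of the new `auth-external` entry in protocols/protocol.cc does not say that the option depends on a TLS session with a client certificate, nor that it takes precedence over a configured user/pass (the smtp.cc change in this commit tests `auth_method == AUTH_EXTERNAL` before the `user`/`pass` branch). An operator who sets both would get no hint that the password path is skipped. I would reword the string to something like `"Use AUTH EXTERNAL (requires TLS and a client certificate; user/pass are not sent)"`. The entry is inside `#ifdef HAVE_TLS` while `AUTH_EXTERNAL` in protocol.h is defined unconditionally; that looks deliberate, but a short comment beside the define would make it explicit. The `cli_options[]` table starts and ends outside this hunk.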
diff --git a/protocols/smtp.cc b/protocols/smtp.cc
index 70a624b..3bb4385 100644
--- a/protocols/smtp.cc
+++ b/protocols/smtp.cc
@@ -232,7 +232,14 @@ void protocol_send(fdibuf& in, fdibuf& netin, fdobuf& netout)
 if (!did_starttls)
 conn.docmd("", 200);
- if (user != 0 && pass != 0) {
+ if (auth_method == AUTH_EXTERNAL) {
+ conn.dohelo(true);
+ if (conn.hascap("AUTH", "EXTERNAL"))
+ conn.docmd("AUTH EXTERNAL =", 200, ERR_AUTH_FAILED);
+ else
+ protocol_fail(ERR_MSG_TEMPFAIL, "Server does not advertise certificate authentication");
+ }
+ else if (user != 0 && pass != 0) {
 conn.dohelo(true);
 if (auth_method == AUTH_LOGIN)
 conn.auth_login();
diff --git a/test/accept-smtp.sh b/test/accept-smtp.sh
index 541c375..5555372 100644
--- a/test/accept-smtp.sh
+++ b/test/accept-smtp.sh
@@ -1,3 +1,9 @@
+echo 250-domain.com
+echo 250-8BITMIME
+echo 250-ENHANCEDSTATUSCODES
+echo 250-SIZE 36700160
+echo 250-DSN
+echo 250-AUTH PLAIN LOGIN
 echo 250 OK
 echo 250 OK
 echo 250 OK
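Review bot: The new `auth_method == AUTH_EXTERNAL` branch in protocol_send is not tied to any check that this session actually negotiated TLS with a client certificate; the only TLS state visible in the hunk is `did_starttls`, and it is not consulted here. The branch does fail closed, raising `ERR_MSG_TEMPFAIL` when the capability is absent and never falling back to the `user`/`pass` path, and that behaviour should be kept. The cost is that a local misconfiguration (no TLS, no certificate) is reported as "Server does not advertise certificate authentication" and is presumably retried as a temporary failure. I would add an explicit guard before `conn.dohelo(true)` whose message names the missing TLS session. I would also add a comment such as `// EXTERNAL: identity comes from the TLS client certificate; user/pass are deliberately not sent`. protocol_send begins and ends outside this hunk, so TLS may already be enforced elsewhere.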
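Review bot: The canned EHLO reply added at the top of test/accept-smtp.sh advertises only `250-AUTH PLAIN LOGIN`, and no test in the visible diff drives the new `auth-external` option against it. Neither the successful `AUTH EXTERNAL =` exchange nor the refusal when EXTERNAL is not advertised is therefore covered here. The refusal is the security-relevant case: a test should assert that, with this fixture, `auth-external` fails and no PLAIN/LOGIN credentials are sent. A second fixture whose capability line reads `echo 250-AUTH PLAIN LOGIN EXTERNAL` would cover the success path.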