Exchange, Smarthosts, Basic Auth and TLS

Exchange server has the capability to use TLS to encrypt email in transit to another mail server.

When used for receiving, it checks that it trusts the root certificate (so a chain of trust is established) and the CRL (Certificate Revocation List) to make sure that the certificate has not been revoked in the CDP (CRL Distribution Point).

Therefore, if you want to use a certificate from a private CA, as well as importing the private root certificate to the trusted root certificates on both sides, you also need to publish a CRL on each side that the other side can check.