submission proxy -- where to config/present client cert?
PGNet Dev
pgnet.dev at gmail.com
Sun Jul 19 20:18:04 EEST 2020
I have a Dovecot instance set up with submission proxy,
protocols = imap lmtp submission sieve
hostname = internal.mx.example.com
submission_relay_host = internal.mx.example.com
submission_relay_port = 465
submission_relay_trusted = yes
submission_relay_ssl = smtps
submission_relay_ssl_verify = yes
service submission-login {
  inet_listener submission {
    address = 10.2.2.10, 127.0.0.1
    port = 50465
    ssl = yes
  }
}
protocol submission {
  ssl_cert = </sec/vmail/mx.example.com.server.EC.crt.pem
  ssl_key = </sec/vmail/mx.example.com.server.EC.key.pem
  ssl_verify_client_cert = no
}
It submits to a Postfix instance, at the moment on the same host,
[internal.mx.example.com]:465 inet n - n - - smtpd
  -o smtpd_tls_req_ccert=no
with that setup, all works as expected.
If I turn ON required client cert verification at Postfix,
- -o smtpd_tls_req_ccert=no
+ -o smtpd_tls_req_ccert=yes
with that additional requirement, the Postfix log reports "No client certificate presented"
Jul 18 14:52:38 mx postfix/submit-from-dovecot/smtpd[37133]: connect from internal.mx.example.com[10.2.2.10]
Jul 18 14:52:39 mx postfix/submit-from-dovecot/smtpd[37133]: Anonymous TLS connection established from internal.mx.example.com[10.2.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
Jul 18 14:52:39 mx postfix/submit-from-dovecot/smtpd[37133]: NOQUEUE: abort: TLS from internal.mx.example.com[10.2.2.10]: No client certificate presented
Jul 18 14:53:09 mx postfix/submit-from-dovecot/smtpd[37133]: disconnect from internal.mx.example.com[10.2.2.10] commands=0/0
Clearly, I'm missing config.
What in my Dovecot submission config (above) do I need to change/add to get it to present a client cert to the Postfix relay for client cert verification?
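An added example, not part of the original post and not the Dovecot project's own documentation, of where the missing piece is assumed to live. The submission relay connects to Postfix as a TLS client, so it takes Dovecot's client-side TLS settings (`ssl_client_cert`, `ssl_client_key`, `ssl_client_ca_file`), not `ssl_cert`/`ssl_key`, which are the server identity presented to MUAs on port 50465. That the submission relay honours `ssl_client_*` is the assumption this example rests on; the file paths and CA names are placeholders.

```conf
# Dovecot side (added example; paths are placeholders).
# Scoped to protocol submission so the client cert is only used by the
# relay connection and not by other services that share ssl_client_* settings.
protocol submission {
  # Server identity shown to MUAs connecting to port 50465 (unchanged).
  ssl_cert = </sec/vmail/mx.example.com.server.EC.crt.pem
  ssl_key  = </sec/vmail/mx.example.com.server.EC.key.pem
  ssl_verify_client_cert = no

  # Client certificate and key presented to the relay host on port 465.
  # Dovecot reads the file contents via the "<" prefix, same as ssl_cert.
  ssl_client_cert = </sec/vmail/dovecot-relay.client.crt.pem
  ssl_client_key  = </sec/vmail/dovecot-relay.client.key.pem

  # CA bundle used to verify the relay's server certificate; this is a plain
  # path, not "<", and submission_relay_ssl_verify = yes needs it to succeed.
  ssl_client_ca_file = /sec/vmail/internal-ca.crt.pem
}

# Postfix side (master.cf, added example). smtpd_tls_req_ccert=yes demands a
# *trusted* client certificate and implies smtpd_tls_ask_ccert=yes, so smtpd
# also needs the CA that signed the Dovecot client cert.
[internal.mx.example.com]:465 inet n - n - - smtpd
  -o smtpd_tls_req_ccert=yes
  -o smtpd_tls_CAfile=/sec/postfix/internal-ca.crt.pem
```

Two checks are worth doing before blaming Dovecot: `openssl s_client -connect internal.mx.example.com:465 -cert dovecot-relay.client.crt.pem -key dovecot-relay.client.key.pem -CAfile internal-ca.crt.pem` confirms that Postfix accepts that particular certificate on its own, and once Dovecot presents it the smtpd log line should change from "Anonymous TLS connection established" to "Trusted TLS connection established" (or "Untrusted", which means the cert was presented but its CA is not in `smtpd_tls_CAfile`). Also note that `ssl_verify_client_cert = no` is correct here: it governs whether Dovecot asks MUAs for certificates and has nothing to do with the relay side.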