During an SMTP TLS handshake, the remote MTA (message transfer agent) may issue a Certificate Request:
Usually, Certificate Request is not part of the SMTP TLS handshake:
If an MTA issues a Certificate Request, Encryption Management Server sends a zero length certificate:
Encryption Management Server does not support Certificate Requests during the SMTP TLS handshake. Therefore, in compliance with section 7.4.6 of RFC 5246, it sends a zero length certificate:
If no suitable certificate is available, the client MUST send a certificate message containing no certificates. That is, the certificate list structure has a length of zero.
Symantec Encryption Management Server 3.4.2 and above.
Since Encryption Management Server does not send its certificate in response to Certificate Requests, if you require a certificate to be sent you will need to configure Encryption Management Server to proxy to an MTA that does send its certificate.
Client certificates are not usually needed, and can cause problems in configurations that work well without them.
Note that Encryption Management Server 3.4.2 MP2, 3.4.2 MP3, 3.4.2 MP4, 3.4.2 MP5, 10.5 and 10.5 MP1 cannot proxy to an MTA that issues Certificate Requests. This was resolved in release 10.5 MP2. Please see article 214990 for further details.