diff --git a/sendmail/manifests/init.pp b/sendmail/manifests/init.pp
index 9dcad6b..58f4646 100644
--- a/sendmail/manifests/init.pp
+++ b/sendmail/manifests/init.pp
@@ -141,8 +141,72 @@ class sendmail::client inherits sendmail::common {
 # Configure Sendmail submission using port 587.
 #
+# === Global variables:
+#
+# $mail_server:
+# Hostname of mail server.
+#
+# $sendmail_ssl_key:
+# Path to SSL key file used for authentication. If not set no
+# certificate authentication will be performed.
+#
+# $sendmail_ssl_cert:
+# Path to SSL certificate file used for authentication. If not set no
+# certificate authentication will be performed.
+#
 class sendmail::client::msa inherits sendmail::client {
+ if $sendmail_ssl_key and $sendmail_ssl_cert {
+
+ include ssl
+
+ $ssl_key = basename($sendmail_ssl_key)
+ $ssl_cert = basename($sendmail_ssl_cert)
+ file { "${ssl::private}/${ssl_key}":
+ ensure => present,
+ mode => "0640",
+ owner => "root",
+ group => "smmsp",
+ source => $sendmail_ssl_key,
+ notify => Service["sendmail"],
+ }
+ file { "${ssl::certs}/${ssl_cert}":
+ ensure => present,
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => $sendmail_ssl_cert,
+ notify => Service["sendmail"],
+ }
+
+ file { "/etc/mail/authinfo":
+ ensure => present,
+ content => "AuthInfo:${mail_server} \"U: \" \"P: \" \"M:EXTERNAL\"\n",
+ mode => "0640",
+ owner => "root",
+ group => $::operatingsystem ? {
+ "openbsd" => "wheel",
+ default => "root",
+ },
+ notify => Exec["make authinfo.db"],
+ }
+ exec { "make authinfo.db":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ command => "makemap hash /etc/mail/authinfo < /etc/mail/authinfo",
+ refreshonly => true,
+ notify => Service["sendmail"],
+ }
+ file { "/etc/mail/authinfo.db":
+ ensure => present,
+ mode => "0640",
+ owner => "root",
+ group => "smmsp",
+ require => Exec["make authinfo.db"],
+ before => Service["sendmail"],
+ }
+
+ }
+
 File["/etc/mail/submit.mc"] {
 content => template("sendmail/submit.mc.erb", "sendmail/submit.mc.msa.erb"),
 }
diff --git a/sendmail/templates/submit.mc.msa.erb b/sendmail/templates/submit.mc.msa.erb
index 24261a7..ff777f2 100644
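Review bot: The `file { "/etc/mail/authinfo.db": ensure => present, ... }` resource can leave sendmail with an empty, invalid map: the `makemap` exec is `refreshonly => true`, so if the .db is missing while /etc/mail/authinfo is unchanged, nothing rebuilds it and Puppet creates a zero-byte file in its place. Dropping `ensure => present` there, so that only mode, owner and group are enforced on a file makemap actually wrote, would avoid that (worth confirming against the Puppet version in use). The map is also written under the agent's umask and tightened to 0640 only afterwards; with the empty `U:`/`P:` fields shown here nothing secret is exposed, but a comment saying so would stop a later edit from adding a password to this file unchanged. Finally, the block does nothing when only one of `$sendmail_ssl_key` / `$sendmail_ssl_cert` is set, so a client configured with just one of them falls back to no certificate authentication without any error; a `fail()` for that case would surface it.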
--- a/sendmail/templates/submit.mc.msa.erb
+++ b/sendmail/templates/submit.mc.msa.erb
@@ -1 +1,7 @@
+<% if @ssl_key and @ssl_cert -%>
+define(`confCLIENT_CERT', `<%= scope.lookupvar('ssl::certs') %>/<%= @ssl_cert %>')
+define(`confCLIENT_KEY', `<%= scope.lookupvar('ssl::private') %>/<%= @ssl_key %>')
+define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')
+FEATURE(`authinfo', `DATABASE_MAP_TYPE /etc/mail/authinfo')dnl
+<% end -%>
 FEATURE(`msp', `[<%= @mail_server %>]', `MSA')dnl
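Review bot: The confDONT_BLAME_SENDMAIL define with GroupReadableKeyFile switches off sendmail's own refusal of a group-readable private key, and the template gives no reason for it. It is presumably needed because the manifest installs the key as 0640 root:smmsp for the submission program, so a comment above it would record that the relaxation is deliberate and limited to this one check, for example `dnl Key is 0640 root:smmsp so the MSP can read it; GroupReadableKeyFile is the only safety check relaxed.` As a point of style, the three define lines lack the trailing `dnl` that the FEATURE lines carry, which leaves stray blank lines in the generated submit.cf.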