for smtp, use smtp certs instead of vpn certs
when sending email with a given "from" address, the client must use an smtp certificate that matches exactly this From address. this address is either the primary address or an alias. If the "from" header is for a third party domain, or an email address that is not actually associated with the user account, then the smtp certificate with the user's primary login name is used for smtp relay.
in other words: every user account can have a number of "identities". the user's primary address and all aliases are simply "identities" associated with the user account. each identity has its own address and forward, and its own openpgp key. the hard and fast rule is that whenever the client sends mail as one of the identities, it must use an smtp client certificate with a common name that exactly matches that identity's address. in all other cases, use the smtp cert that matches the user's primary identity.
(from redmine: created on 2013-10-24, closed on 2015-09-21, relates #4285)