assuming you got postfix up and running already
inbound - assuming you obtained some certs already
outbound - assuming you got your trust-store in place
Postfix can handle dual/hybrid certs since v2.6 (the legacy way) and since v3.4 (the new way with smtp_tls_cert_file). We are using the legacy way here as it is more LE friendly (no need to concatenate privkey and fullchain).
The trick here is to fine-tune and define what you mean by high…
tls_append_default_CA = no tls_preempt_cipherlist = no tls_high_cipherlist = ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES # :!AES128:!CAMELLIA128
smtpd_tls_cert_file = /etc/dehydrated/certs/xc.nethence.com/fullchain.pem
smtpd_tls_key_file = /etc/dehydrated/certs/xc.nethence.com/privkey.pem
smtpd_tls_eccert_file = /etc/dehydrated/certs/ECC/xc.nethence.com/fullchain.pem
smtpd_tls_eckey_file = /etc/dehydrated/certs/ECC/xc.nethence.com/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# !TLSv1, !TLSv1.1
#smtpd_tls_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
#smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
# no need to check client certs
smtpd_tls_CApath = /etc/ssl/certs
#smtpd_tls_req_ccert = yes
#smtpd_tls_ask_ccert = yes
#smtpd_tls_CApath = no
#smtpd_tls_CAfile = /etc/ssl/cacert.pem
smtp_tls_cert_file = /etc/dehydrated/certs/xc.nethence.com/fullchain.pem
smtp_tls_key_file = /etc/dehydrated/certs/xc.nethence.com/privkey.pem
smtp_tls_eccert_file = /etc/dehydrated/certs/ECC/xc.nethence.com/fullchain.pem
smtp_tls_eckey_file = /etc/dehydrated/certs/ECC/xc.nethence.com/privkey.pem
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
#smtp_tls_security_level = verify
#smtp_tls_security_level = secure
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# !TLSv1, !TLSv1.1
#smtp_tls_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
#smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
#smtp_tls_verify_cert_match = hostname (default)
#smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# cannot check server certs unless we also enable DANE
smtp_tls_CApath = /etc/ssl/certs
#smtp_tls_verify_cert_match = hostname (default)
#smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
#smtp_tls_CApath = no
#smtp_tls_CAfile = /etc/ssl/cacert.pem
# the default and is valid in both directions
smtp_tls_enforce_peername = yes
those became obsolete by smtp_tls_security_level since v2.3
smtp_use_tls = yes smtp_enforce_tls = yes
those became obsolete by smtpd_tls_security_level since v2.3
smtpd_use_tls = yes smtpd_enforce_tls = yes
smtp_tls_security_level=dane goes may as a failover, which is WRONG. Attempt to solve and patch that.Postfix TLS Support http://www.postfix.org/TLS_README.html
Postfix legacy TLS Support http://www.postfix.org/TLS_LEGACY_README.html
TLS Forward Secrecy in Postfix http://www.postfix.org/FORWARD_SECRECY_README.html
Postfix with TLS https://linuxlasse.net/linux/howtos/Postfix_with_TLS
Postfix TLS Error https://serverfault.com/questions/660241/postfix-tls-error
StartTLS https://www.ionos.com/digitalguide/e-mail/technical-matters/starttls/
What’s the best way to check if an SMTP server is SSL-enabled or not? https://serverfault.com/questions/64411/whats-the-best-way-to-check-if-an-smtp-server-is-ssl-enabled-or-not
Postfix STARTTLS only on port 25 https://serverfault.com/questions/676742/postfix-starttls-only-on-port-25/677167