assuming you got postfix up and running already
inbound - assuming you obtained some certs already
outbound - assuming you got your trust-store in place
Postfix can handle dual/hybrid certs since v2.6 (the legacy way) and since v3.4 (the new way with smtp_tls_cert_file). We are using the legacy way here as it is more LE friendly (no need to concatenate privkey and fullchain).
The trick here is to fine-tune and define what you mean by high…
https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to CERTS & CIPHERS
https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to STARTTLS INBOUND
https://pub.nethence.com/system/ansible/playbooks/postfix/main.cf ==> down to STARTTLS OUTBOUND
those became obsolete by smtp_tls_security_level since v2.3
smtp_use_tls = yes smtp_enforce_tls = yes
those became obsolete by smtpd_tls_security_level since v2.3
smtpd_use_tls = yes smtpd_enforce_tls = yes
smtp_tls_security_level=dane goes may as a failover, which is WRONG. Attempt to solve and patch that.Postfix TLS Support http://www.postfix.org/TLS_README.html
Postfix legacy TLS Support http://www.postfix.org/TLS_LEGACY_README.html
TLS Forward Secrecy in Postfix http://www.postfix.org/FORWARD_SECRECY_README.html
Postfix with TLS https://linuxlasse.net/linux/howtos/Postfix_with_TLS
Postfix TLS Error https://serverfault.com/questions/660241/postfix-tls-error
StartTLS https://www.ionos.com/digitalguide/e-mail/technical-matters/starttls/
What’s the best way to check if an SMTP server is SSL-enabled or not? https://serverfault.com/questions/64411/whats-the-best-way-to-check-if-an-smtp-server-is-ssl-enabled-or-not
Postfix STARTTLS only on port 25 https://serverfault.com/questions/676742/postfix-starttls-only-on-port-25/677167