assuming you got postfix up and running already
Either get some certs or self-sign one, which used to be a common practice for SMTP… But Gmail, Yandex and Mail.ru are finally showing some cert validation warnings to the users.
Now you also need to be able to check remove certificates hence (assuming no chroot)
$OPENSSL_HOME/bin/c_rehash /etc/ssl/certs
Or just get a clean bundle from curl/mozilla
cd /etc/ssl/ wget https://curl.haxx.se/ca/cacert.pem wget https://curl.haxx.se/ca/cacert.pem.sha256 #wget https://curl.haxx.se/ca/cacert-2020-12-08.pem #wget https://curl.haxx.se/ca/cacert-2020-12-08.pem.sha256 shasum -a 256 cacert.pem cat cacert.pem.sha256
as for Jan 2021 you should have
313d562594ebd07846ad6b840dd18993f22e0f8b3f275d9aacfae118f4f00fb7 cacert.pem 313d562594ebd07846ad6b840dd18993f22e0f8b3f275d9aacfae118f4f00fb7 cacert-2020-12-08.pem
Postfix can handle dual/hybrid certs since v2.6 (the legacy way) and since v3.4 (the new way with smtp_tls_cert_file). We are using the legacy way here as it is more LE friendly (no need to concatenate privkey and fullchain).
The trick here is to fine-tune and define what you mean by high…
tls_append_default_CA = no tls_preempt_cipherlist = no tls_high_cipherlist = ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES:!AES128:!CAMELLIA128 #smtpd_tls_CApath = /etc/ssl/certs smtpd_tls_CApath = no smtpd_tls_CAfile = /etc/ssl/cacert.pem smtpd_tls_cert_file = /etc/dehydrated/certs/xc.os3.su/fullchain.pem smtpd_tls_key_file = /etc/dehydrated/certs/xc.os3.su/privkey.pem smtpd_tls_eccert_file = /etc/dehydrated/certs/xc.os3.su.ECC/fullchain.pem smtpd_tls_eckey_file = /etc/dehydrated/certs/xc.os3.su.ECC/privkey.pem smtpd_tls_received_header = yes smtpd_tls_auth_only = yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_loglevel = 1
smtpd_tls_security_level = encrypt
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# !TLSv1, !TLSv1.1
#smtpd_tls_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
#smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# !TLSv1, !TLSv1.1
#smtp_tls_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
#smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, RC4, MD5, 3DES
#smtpd_tls_CApath = /etc/ssl/certs #smtpd_tls_req_ccert = yes #smtpd_tls_ask_ccert = yes
#smtp_tls_CApath = /etc/ssl/certs smtp_tls_CApath = no smtp_tls_CAfile = /etc/ssl/cacert.pem #the default and is valid in both directions smtp_tls_enforce_peername = yes #smtp_tls_security_level = verify #smtp_tls_security_level = secure #smtp_tls_verify_cert_match = hostname (default) #smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop #smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
those became obsolete by smtp_tls_security_level since v2.3
smtp_use_tls = yes smtp_enforce_tls = yes
those became obsolete by smtpd_tls_security_level since v2.3
smtpd_use_tls = yes smtpd_enforce_tls = yes
smtp_tls_security_level=dane goes may as a failover, which is WRONG. Attempt to solve and patch that.Postfix TLS Support http://www.postfix.org/TLS_README.html
Postfix legacy TLS Support http://www.postfix.org/TLS_LEGACY_README.html
TLS Forward Secrecy in Postfix http://www.postfix.org/FORWARD_SECRECY_README.html
Postfix with TLS https://linuxlasse.net/linux/howtos/Postfix_with_TLS
Postfix TLS Error https://serverfault.com/questions/660241/postfix-tls-error
StartTLS https://www.ionos.com/digitalguide/e-mail/technical-matters/starttls/
What’s the best way to check if an SMTP server is SSL-enabled or not? https://serverfault.com/questions/64411/whats-the-best-way-to-check-if-an-smtp-server-is-ssl-enabled-or-not
Postfix STARTTLS only on port 25 https://serverfault.com/questions/676742/postfix-starttls-only-on-port-25/677167