Either get some cert or self-sign one, which used to be a common practice for SMTP… But Gmail, Yandex and Mail.ru finally shows some cert validation warnings to the users.
Now you also need to be able to check remove certificates hence (assuming no chroot)
$OPENSSL_HOME/bin/c_rehash /etc/openssl/certs
#inbound
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_CApath = /etc/openssl/certs
smtpd_tls_cert_file = /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem
#smtpd_tls_cert_file = /etc/openssl/selfsign.cer
#smtpd_tls_key_file = /etc/openssl/selfsign.key
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_ciphers = high
#outbound
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CApath = /etc/openssl/certs
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_tls_mandatory_ciphers = high
#both directions
smtp_enforce_tls = yes
smtp_tls_enforce_peername = yes
#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
#default !SSLv2, !SSLv3
#inbound - checking client cert - too harsh #smtpd_tls_req_ccert = yes #smtpd_tls_ask_ccert = yes #outbound - the world might be ready smtp_tls_security_level = verify #smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop smtp_tls_verify_cert_match = hostname
Postfix TLS Support http://www.postfix.org/TLS_README.html
TLS Forward Secrecy in Postfix http://www.postfix.org/FORWARD_SECRECY_README.html
Postfix with TLS https://linuxlasse.net/linux/howtos/Postfix_with_TLS
Postfix TLS Error https://serverfault.com/questions/660241/postfix-tls-error