Either get some cert or self-sign one, which used to be a common practice for SMTP… But Gmail, Yandex and Mail.ru finally shows some cert validation warnings to the users.
Now you also need to be able to check remove certificates hence (assuming no chroot)
$OPENSSL_HOME/bin/c_rehash /etc/ssl/certs
Or just get a clean bundle from curl/mozilla
#cd /etc/openssl/ cd /etc/ssl/ wget https://curl.haxx.se/ca/cacert.pem wget https://curl.haxx.se/ca/cacert.pem.sha256 shasum -a 256 cacert.pem cat cacert.pem.sha256
as for the 2020-01-01 set you should see
adf770dfd574a0d6026bfaa270cb6879b063957177a991d453ff1d302c02081f cacert.pem
tls_append_default_CA = no #smtpd_tls_CApath = /etc/ssl/certs smtpd_tls_CApath = no smtpd_tls_CAfile = /etc/ssl/cacert.pem smtpd_tls_cert_file = /etc/dehydrated/certs/slackmx.nethence.com/fullchain.pem smtpd_tls_key_file = /etc/dehydrated/certs/slackmx.nethence.com/privkey.pem #smtp_tls_CApath = /etc/ssl/certs smtp_tls_CApath = no smtp_tls_CAfile = /etc/ssl/cacert.pem
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
#!TLSv1.1
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
smtp_tls_security_level = may
#smtp_tls_security_level = encrypt
smtp_tls_ciphers = medium
smtp_tls_mandatory_ciphers = medium
#smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1
#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
#!TLSv1.1
#smtpd_tls_CApath = /etc/ssl/certs #smtpd_tls_req_ccert = yes #smtpd_tls_ask_ccert = yes
#the default and is valid in both directions smtp_tls_enforce_peername = yes #smtp_tls_security_level = verify #smtp_tls_security_level = secure #smtp_tls_verify_cert_match = hostname (default) #smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop #smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
this became obsolete by smtp_tls_security_level since v2.3
smtp_use_tls = yes
this became obsolete by smtpd_tls_security_level since v2.3
smtpd_use_tls = yes
this became obsolete by smtp_tls_security_level since v2.3
smtp_enforce_tls = yes
this became obsolete by smtpd_tls_security_level since v2.3
smtpd_enforce_tls = yes
Postfix TLS Support http://www.postfix.org/TLS_README.html
TLS Forward Secrecy in Postfix http://www.postfix.org/FORWARD_SECRECY_README.html
Postfix with TLS https://linuxlasse.net/linux/howtos/Postfix_with_TLS
Postfix TLS Error https://serverfault.com/questions/660241/postfix-tls-error