A friend of mine asked me to show him how to use encryption for his mail and webserver, so I wrote this page for him. Maybe you will find some of the info useful too.
Install OpenSSL
Then enter:
openssl req -out certificate.csr -newkey rsa:4096 -nodes -keyout certprivate.key
This creates a private key and a certificate signing request (CSR) that you can use to buy SSL certificates.
If you buy an SSL certificate, you will need to send the SSL provider your CSR file, and you will get some files back from them. My SSL provider sent me linux_cert+ca.pem, linux_cert+ca.pem, and certificate_company.txt. An intermediate certificate authority (CA) is an entity that can sign certificates on behalf of the root CA. The root CA signs the intermediate certificate, forming a chain of trust.
Here is a link on how to convert between the different certificate formats: https://myonlineusb.wordpress.com/2011/06/19/how-to-convert-certificates-between-pem-der-p7bpkcs7-pfxpkcs12/
To use SSL/TLS in
Add in /etc/postfix/main.cf
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/private/linux_cert+ca.pem
smtpd_tls_key_file=/etc/ssl/private/certprivate.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
and in /etc/postfix/tls_policy
domain.xx encrypt
.domain.xx encrypt
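Before reloading Postfix with these settings, it is worth confirming that the private key, the CSR and the certificate all carry the same public key, and that the unencrypted key is readable only by its owner. The script below is an added example, not part of the original page: the function names, the -subj value and demo_cert.pem (a self-signed stand-in for the provider's certificate) are assumptions, and the demo uses rsa:2048 instead of rsa:4096 only to run quickly.

```shell
#!/bin/sh
# Added example: checks for the key, CSR and certificate named on this page.

# Print the public key (PEM) held in a private key, CSR or certificate.
pubkey_of() {  # $1 = key|req|x509, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only if both files contain the same public key.
same_key() {  # $1 kind, $2 file, $3 kind, $4 file
    a=$(pubkey_of "$1" "$2") || return 1
    b=$(pubkey_of "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# The key was written with -nodes (unencrypted), so only its owner may read it.
key_is_private() {  # $1 = key file
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Build a throwaway key, CSR and certificate in directory $1 (constructed data).
make_demo_files() {
    (
        cd "$1" || exit 1
        umask 077   # files created from here on are owner-only
        # Same command as on the page; -subj (assumed value) skips the prompts
        # and rsa:2048 keeps the demo fast.
        openssl req -out certificate.csr -newkey rsa:2048 -nodes \
            -keyout certprivate.key -subj "/CN=mail.domain.xx" 2>/dev/null || exit 1
        # Self-signed stand-in for the certificate the provider sends back.
        openssl x509 -req -in certificate.csr -signkey certprivate.key \
            -days 1 -out demo_cert.pem 2>/dev/null
    )
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
same_key key "$demo_dir/certprivate.key" req  "$demo_dir/certificate.csr" && echo "CSR matches key"
same_key key "$demo_dir/certprivate.key" x509 "$demo_dir/demo_cert.pem"   && echo "certificate matches key"
key_is_private "$demo_dir/certprivate.key" && echo "key is owner-only"
rm -rf "$demo_dir"
```

For the real files, the call is same_key key /etc/ssl/private/certprivate.key x509 /etc/ssl/private/linux_cert+ca.pem; openssl reads the first certificate in that file, which should be the server certificate.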
If you do not want to waste your money, I recommend using certbot (https://certbot.eff.org/#debianstretch-apache). You get free three-month certificates, and they are very easy to renew.