no:where BLOG

Wrote a short HOWTO for my friend on how to use OpenSSL with email and a webserver

OpenSSL, TLS, Postfix, Apache Etc

A friend of mine asked me to show him how to use encryption for his mail and webserver, so I wrote this page for him. Maybe you will find some of the info useful too.

Install OpenSSL

Then enter:

openssl req -out certificate.csr -newkey rsa:4096 -nodes -keyout certprivate.key

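This will create a private key and a certificate signing request (CSR) that you can use to buy SSL certificates. Because of -nodes the private key is stored without a passphrase, so make sure only root can read certprivate.key.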

If you buy an SSL certificate, you will need to send the SSL provider your CSR file, and you will get some files back from them. My SSL provider sent me linux_cert+ca.pem, linux_cert+ca.pem, and certificate_company.txt.

An intermediate certificate authority (CA) is an entity that can sign certificates on behalf of the root CA. The root CA signs the intermediate certificate, forming a chain of trust.

Here is a link on how to convert between the different certificate formats: https://myonlineusb.wordpress.com/2011/06/19/how-to-convert-certificates-between-pem-der-p7bpkcs7-pfxpkcs12/

To use SSL/TLS in

Postfix

Add to /etc/postfix/main.cf:

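# TLS parameters
# Server certificate and private key for the SMTP server
smtpd_tls_cert_file=/etc/ssl/private/linux_cert+ca.pem
smtpd_tls_key_file=/etc/ssl/private/certprivate.key
# Offer STARTTLS to connecting clients (Postfix 2.3 and later prefer smtpd_tls_security_level = may)
smtpd_use_tls=yes
# TLS session caches for the server (smtpd) and the client (smtp)
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Per-destination TLS policy for outgoing mail
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Log a summary of each TLS handshake and record TLS details in the Received: header
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes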

and in /etc/postfix/tls_policy:

domain.xx           encrypt
.domain.xx          encrypt
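
What these two entries do for outgoing mail, as an added example that is not part of the original post: a simplified Python model of the lookup order Postfix documents for smtp_tls_policy_maps, where the exact next hop is tried first and then its parent domains written with a leading dot. DEFAULT_LEVEL stands in for smtp_tls_security_level, which the main.cf above does not set, and example.org is a constructed destination; both are assumptions.

```python
# Added example: simplified model of the smtp_tls_policy_maps lookup order.
# It ignores table continuation lines and per-entry attributes.
LEVELS = {"none", "may", "encrypt", "fingerprint", "verify", "secure", "dane", "dane-only"}
ENFORCED = LEVELS - {"none", "may"}   # levels that refuse plaintext delivery

SAMPLE_POLICY = """\
# /etc/postfix/tls_policy with the two entries shown on the page
domain.xx           encrypt
.domain.xx          encrypt
"""
DEFAULT_LEVEL = "none"  # assumption: stands in for smtp_tls_security_level

def parse_policy(text):
    """Return {lookup key: level}; raise ValueError on a malformed entry."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2 or fields[1] not in LEVELS:
            raise ValueError(f"line {lineno}: bad policy entry {line!r}")
        table[fields[0].lower()] = fields[1]
    return table

def candidate_keys(nexthop):
    """Keys tried in order: the exact next hop, then '.parent' domains."""
    rest = nexthop.lower()
    keys = [rest]
    if rest.startswith("[") or ":" in rest:
        return keys                   # [host] or host:port: exact match only
    while "." in rest:
        rest = rest.split(".", 1)[1]
        keys.append("." + rest)
    return keys

def resolve(nexthop, table, default=DEFAULT_LEVEL):
    """Return (level, matched key or None) for one next-hop destination."""
    for key in candidate_keys(nexthop):
        if key in table:
            return table[key], key
    return default, None

if __name__ == "__main__":
    table = parse_policy(SAMPLE_POLICY)
    for dest in ("domain.xx", "mail.domain.xx", "example.org"):
        level, key = resolve(dest, table)
        note = "TLS required" if level in ENFORCED else "TLS not enforced"
        print(f"{dest:15} -> {level:8} matched={key} {note}")
```

The bare domain.xx entry does not cover subdomains and .domain.xx does not cover the bare domain, which is why the policy file lists both. Because the map is declared as hash:, Postfix reads the compiled tls_policy.db, so run postmap /etc/postfix/tls_policy after every edit.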

Apache2

If you do not want to waste your money, I recommend using Certbot (https://certbot.eff.org/#debianstretch-apache). You will get free three-month certificates, and it is very easy to renew them.