I don't pretend to be an expert, but that's what works for me with Postfix 3.1:
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = secure
smtp_tls_secure_cert_match = nexthop
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Just checked that I have STARTTLS and handshake in tcpdump.

--
With Best Regards,
Marat Khalili
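Added example, not part of the original message: a small Python check that parses main.cf-style text by the rules in postconf(5) (comment lines, continuation lines, last definition wins) and reports whether the outbound TLS level always authenticates the remote server. The function names and the second sample are constructed for illustration, and per-destination overrides in smtp_tls_policy_maps are not considered.

```python
# Added example (not from the original message): audit smtp_* TLS settings.
# Levels at which Postfix always authenticates the remote SMTP server.
AUTHENTICATED = {"dane-only", "fingerprint", "verify", "secure"}

def parse_main_cf(text):
    # Returns {name: value}; the last definition of a parameter wins.
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit_smtp_tls(params):
    """Return a list of findings; an empty list means verification is enforced."""
    level = params.get("smtp_tls_security_level", "")
    if level not in AUTHENTICATED:
        return ["smtp_tls_security_level=%s: server certificate is "
                "not always verified" % (level or "(unset)")]
    if level in ("verify", "secure") and not (
            params.get("smtp_tls_CAfile") or params.get("smtp_tls_CApath")):
        return ["no smtp_tls_CAfile or smtp_tls_CApath configured"]
    return []

# Settings as posted in the message above.
POSTED = """\
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = secure
smtp_tls_secure_cert_match = nexthop
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
"""
# Constructed sample: a later line silently overrides the earlier "secure".
OVERRIDDEN = """\
smtp_tls_security_level = secure
smtp_tls_session_cache_database =
    btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
"""

if __name__ == "__main__":
    print(audit_smtp_tls(parse_main_cf(POSTED)), audit_smtp_tls(parse_main_cf(OVERRIDDEN)))
```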
