Do I need to create a SSL/TLS certificate for a send-only Postfix server which should support outgoing TLS connections?

Solution 1:

You may need to have a certificate for different purpose. Your internal clients when connecting over TLS will can check this certificate when submitting email to postfix (if the client is configured to require certificate).

According to Postfix documentation:

Do not configure Postfix SMTP client certificates unless you must present client TLS certificates to one or more servers. Client certificates are not usually needed, and can cause problems in configurations that work well without them.

This means you can leave these cert lines empty (default). In case your client really requires to check certificate validity you better use

smtp_tls_chain_files =

to provide such certificates. This is a recommended option for Postfix version ≥ 3.4.

When postfix sends an email to an external SMTP server the negotiation between these servers doesn't depend on the mentioned certificate because postfix will check the public cert of external server only.