Postfix SSL-Intermediate-CA

Postfix has a perfect documentation. For your subject: http://www.postfix.org/TLS_README.html

In particular, you have a problem because Postfix couldn't find a complete certificate trust chain up to trusted CA. You have to provide that chain with your end server certificate.

This means you have to include all intermediate CAs into certificate bundle you provide to Postfix, end server certificate being first, then all CAs from bottom to top-level:

cat server_cert.pem intermediate_CA.pem > server.pem

We implemented key into own file, so my configuration looks like this (in main.cf):

smtpd_tls_cert_file = /path/to/server.pem
smtpd_tls_key_file = /path/to/server.key

Of course, key file should be kept secure, available for read only to root (Postfix starts as root, reads it and then drops privileges). You can include certificate chain and key both in a single file and then specify same file in both settings.

This is only smtpd (SMTP server component) configuration. Postfix has also a SMTP client component which it uses to connect to other servers when it transmits outbound mail. A client has its own configuration, usually you have to use another certificate. Server certificates should have a "SSL server" purpose, while client certificate will need a "SSL client" purpose. See manual page I linked to for details.