To enable TLS (Transport Layer Security) for incoming and outgoing mail, you need an SSL certificate, preferably one issued by a CA (Certification Authority) such as Comodo, Verisign, DigiCA, etc. Put the certificate, its key and the CA certificate bundle (a list of trusted root certificates and sub-CAs) into a directory accessible only by root, /etc/ssl in this example.
These are the required files and their meaning:
Once the required files are in place, the Postfix configuration must be adjusted to secure e-mail arriving at your server, from clients or from other servers:
You will probably also want to enable SSL/TLS for the mail leaving your server, which means changing a few parameters of the Postfix SMTP client:
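As an added illustration (not the original page's configuration), a minimal main.cf fragment covering both the server side (smtpd_*) and the client side (smtp_*) described above. The file names under /etc/ssl are placeholders chosen for this example and the security levels shown are an assumption (opportunistic TLS).

```conf
# /etc/postfix/main.cf (added example; file names below are placeholders)
# Note: main.cf does not support trailing comments, keep them on their own lines.

# --- Server side (smtpd): mail arriving from clients or other servers ---
# Server certificate, its private key, and the CA bundle.
# The key should be owned by root and not readable by group or others.
smtpd_tls_cert_file = /etc/ssl/mail.example.com.crt
smtpd_tls_key_file = /etc/ssl/mail.example.com.key
smtpd_tls_CAfile = /etc/ssl/ca-bundle.crt
# "may" announces STARTTLS but still accepts plaintext (opportunistic TLS).
smtpd_tls_security_level = may
# Offer SMTP AUTH only after STARTTLS, so passwords never travel in cleartext.
smtpd_tls_auth_only = yes
# Refuse the obsolete SSLv2/SSLv3 protocols.
smtpd_tls_protocols = !SSLv2, !SSLv3
# Log a one-line summary of each TLS handshake and record TLS use
# in the Received: header.
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# --- Client side (smtp): mail leaving your server ---
# "may" uses TLS whenever the remote server offers STARTTLS and falls back
# to plaintext otherwise; the remote certificate is not verified at this level.
smtp_tls_security_level = may
# Trusted roots for remote server certificates; the log then shows whether
# each connection was Trusted or Untrusted.
smtp_tls_CAfile = /etc/ssl/ca-bundle.crt
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
```

After editing, `postfix check` followed by `postfix reload` applies the change, and `postconf -n | grep tls` lists the TLS parameters that are actually in effect.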