This ensures that new Postfix SMTP server configurations will not accidentally run with no certificates.

RSA, DSA and ECDSA (Postfix ≥ 2.6) certificates are supported. You can configure all three at the same time, in which case the ciphersuite negotiated with the remote SMTP client determines which certificate is used.

If you publish DANE TLSA (RFC 6698, RFC 7671, RFC 7672) "2 0 1" or "2 1 1" records to specify root CA certificate digests, you must include the corresponding root CA certificates in the "server.pem" certificate file.

Remote SMTP clients will be able to use the TLSA record you publish (which only contains the certificate digest) only if they have access to the corresponding certificate.
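One way to confirm that "server.pem" really contains the certificate behind a published "2 0 1" or "2 1 1" digest, as an added example that is not part of the Postfix documentation or code. The function names are hypothetical, and the check assumes matching type 1 (SHA-256) and the standard X.509 DER layout.

```python
import base64
import hashlib
import re
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, off):
    """Return (tag, value_start, end) of the DER element starting at off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low bits = length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def spki_der(cert):
    """Return the DER SubjectPublicKeyInfo (selector 1 input) of a certificate."""
    _, tbs_off, _ = read_tlv(cert, 0)              # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert, tbs_off)      # TBSCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert, pos)
        fields.append((tag, cert[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:                       # optional [0] version
        fields.pop(0)
    # serial, signature, issuer, validity, subject, then subjectPublicKeyInfo
    return fields[5][1]

def find_tlsa_match(pem_text, selector, digest_hex):
    """Index of the certificate in pem_text matching a '2 <selector> 1' TLSA
    digest (SHA-256), or None if no certificate in the file matches."""
    want = "".join(digest_hex.split()).lower()
    for i, m in enumerate(PEM_CERT.finditer(pem_text)):
        der = base64.b64decode(m.group(1))         # private keys are skipped
        data = der if selector == 0 else spki_der(der)
        if hashlib.sha256(data).hexdigest() == want:
            return i
    return None

if __name__ == "__main__":
    # usage: check_tlsa.py server.pem <selector 0|1> <hex digest from TLSA RR>
    path, selector, digest = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    with open(path) as fh:
        idx = find_tlsa_match(fh.read(), selector, digest)
    print("no certificate in file matches" if idx is None
          else f"matched certificate #{idx} in file")
    sys.exit(1 if idx is None else 0)
```

A result of "no certificate in file matches" means remote SMTP clients would receive a chain that cannot satisfy the published record.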

You must allow sufficient time for any TLSA RRsets with only the old digest to expire from DNS caches.

