There are lots of guides for setting this up, such as
https://zhadum.org.uk/2015/07/25/ssl-certificate-agility-with-postfix/
but this did not work for me. Running
openssl s_client -cipher ECDHE-ECDSA-AES128-SHA -connect localhost:25 -starttls smtp
CONNECTED(00000003)
1995830688:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1399:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
After looking at my cert file I noticed:
openssl x509 -text -noout
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
ASN1 OID: secp384r1
NIST CURVE: P-384
From the Postfix documentation:
smtpd_tls_eecdh_grade = strong | ultra
# Underlying curves, best not changed:
# tls_eecdh_strong_curve = prime256v1
# tls_eecdh_ultra_curve = secp384r1
In my version (3.1) it defaults to strong:
postconf -d | grep smtpd_tls_eecdh_grade
smtpd_tls_eecdh_grade = strong
but it needs to be set to ultra to support secp384r1, the curve the cert was issued with. So adding the line
smtpd_tls_eecdh_grade = ultra
to main.cf made the cert work.
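As an added check (not part of the original post), the following shell script reads the curve name out of openssl x509 -text output and compares it with the configured smtpd_tls_eecdh_grade, using the strong/ultra curve mapping quoted above; the sample x509 text is constructed and /path/to/cert.pem is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the curve of an
# ECDSA certificate matches the curve Postfix uses for the configured
# smtpd_tls_eecdh_grade. The curve-to-grade mapping is the Postfix default
# quoted above (strong = prime256v1, ultra = secp384r1).

# Constructed sample of `openssl x509 -text -noout` output (not a real cert).
SAMPLE_X509_TEXT='        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1
                NIST CURVE: P-384'

# Read `openssl x509 -text -noout` output on stdin and print the curve name.
cert_curve() {
    sed -n 's/^[[:space:]]*ASN1 OID:[[:space:]]*//p' | head -n 1
}

# Print the eecdh grade whose default curve matches the given certificate curve.
grade_for_curve() {
    case "$1" in
        prime256v1) echo strong ;;
        secp384r1)  echo ultra ;;
        *)          echo unknown ;;
    esac
}

# Exit 0 if the configured grade matches the certificate curve, 1 if not.
check_eecdh() {
    need=$(grade_for_curve "$1")
    if [ "$need" = "$2" ]; then
        echo "ok: $1 matches smtpd_tls_eecdh_grade = $2"
        return 0
    fi
    echo "mismatch: cert curve $1 needs smtpd_tls_eecdh_grade = $need, but $2 is configured" >&2
    return 1
}

# Live check against a local Postfix; the certificate path is a placeholder.
check_live() {
    curve=$(openssl x509 -text -noout -in "${1:-/path/to/cert.pem}" | cert_curve)
    grade=$(postconf -h smtpd_tls_eecdh_grade)
    check_eecdh "$curve" "$grade"
}
```

Run check_live with the path of the certificate named in smtpd_tls_cert_file; a mismatch is the symptom described above before the grade was changed.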
None of the other articles I have seen mention this, so maybe it's not that common.