diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index 2e974c035..e6eb63bb6 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -61,6 +61,24 @@
checkbox
This will disable known weak ciphers like DES, RC4 or MD5.
+
+ general.certificate
+
+ dropdown
+ Choose the certificate to use when other servers want to do TLS with you.
+
+
+ general.ca
+
+ dropdown
+ Choose the Certificate Authority which signed your certificate.
+
+
+ general.smtpclient_security
+
+ dropdown
+ Choose "none" to disable TLS for sending mail. Set encrypt to enforce TLS security, please do not use this for Internet wide communication as not every server supports TLS yet. Default is "may" which will use TLS when offered.
+
general.reject_unauth_pipelining
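Review bot: The help text for `general.smtpclient_security` describes "encrypt" as enforcing TLS security, but Postfix's `encrypt` level only makes encryption mandatory; it does not verify the remote server's certificate, so it defends against passive eavesdropping and not against an active interceptor. The text should say so, since an administrator reading "enforce TLS security" will assume authentication. Suggested wording: `Choose "none" to disable TLS for outbound mail. "encrypt" makes TLS mandatory but does not verify the remote server's certificate; do not use it for Internet-wide delivery, as not every server supports TLS. Default is "may", which uses TLS when offered.` The certificate help on the same form could also state that the chosen certificate must carry its private key in the certificate store, which the export script needs.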
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
index 1bfd70ba5..208abb098 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
@@ -43,6 +43,23 @@
1
Y
+
+ cert
+ N
+
+
+ ca
+ N
+
+
+ may
+ Y
+
+ none
+ may
+ encrypt
+
+
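Review bot: The `smtpclient_security` option list `none`/`may`/`encrypt` offers no authenticated outbound mode: Postfix's `encrypt` level enforces encryption only, so the strongest selectable setting still accepts any certificate from the peer. If authenticated delivery is meant to be reachable from this form, Postfix's `dane` level (opportunistic DANE, which degrades to `may` without a DNSSEC-validating resolver) and `secure`/`verify` would be the values to add, with help text explaining the resolver requirement. The default of `may` is the right choice for general Internet delivery and should stay.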
diff --git a/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/generate_certs.php b/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/generate_certs.php
new file mode 100755
index 000000000..a36c14953
--- /dev/null
+++ b/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/generate_certs.php
@@ -0,0 +1,85 @@
+#!/usr/local/bin/php
+object();
+if (isset($configObj->OPNsense->postfix)) {
+ foreach ($configObj->OPNsense->postfix->children() as $find_cert) {
+ $cert_refid = (string)$find_cert->certificate;
+ // if eap has a certificate attached, search for its contents
+ if ($cert_refid != "") {
+ foreach ($configObj->cert as $cert) {
+ if ($cert_refid == (string)$cert->refid) {
+ // generate cert pem file
+ $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+ "\r",
+ "",
+ base64_decode((string)$cert->crt)
+ )));
+
+ $pem_content .= "\n";
+ $pem_content .= trim(str_replace(
+ "\n\n",
+ "\n",
+ str_replace("\r", "", base64_decode((string)$cert->prv))
+ ));
+ $pem_content .= "\n";
+ $cert_pem_content .= $pem_content;
+ // generate ca pem file
+ if (!empty($cert->caref)) {
+ $cert = (array)$cert;
+ $ca_pem_content .= ca_chain($cert);
+ }
+ }
+ }
+ }
+ }
+}
+
+file_put_contents($cert_pem_filename, $cert_pem_content);
+chmod($cert_pem_filename, 0600);
+echo "Certificates generated $cert_pem_filename\n";
+
+file_put_contents($ca_pem_filename, $ca_pem_content);
+chmod($ca_pem_filename, 0600);
+echo "Certificates generated $ca_pem_filename\n";
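Review bot: The private key is written by `file_put_contents` at L92 before the `chmod(..., 0600)` at L93, so on first creation the file exists under the process umask (0644 with a default 022 umask) and is readable by other local users until the chmod runs; add `umask(077);` before the writes, or create and chmod the path before filling it, so the key is never exposed. `$cert->prv` is appended at L77 without checking that it is non-empty, so a store entry that carries only a certificate produces a pem without a key and Postfix will not be able to load it; skipping such entries with a warning would be safer than writing a broken file. The CA bundle is derived from `$cert->caref` at L82, not from the new `general.ca` model field, so the CA selected in the UI does not influence `ca_opn.pem` and a mismatch with the signer is silently ignored. The comment at L62, `// if eap has a certificate attached`, is copied from another plugin; `// if this section references a certificate, export its PEM data` fits here. `$cert_pem_content`, `$ca_pem_content`, the two filename variables and the `ca_chain()` helper are defined above the visible lines and could not be checked.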
diff --git a/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/setup.sh b/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/setup.sh
index 5a153a51e..f588dedd9 100755
--- a/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/setup.sh
+++ b/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/setup.sh
@@ -30,3 +30,5 @@ chown -R root:postfix /var/spool/postfix/pid
postmap /usr/local/etc/postfix/transport
postmap /usr/local/etc/postfix/recipient_access
postmap /usr/local/etc/postfix/sender_access
+
+/usr/local/opnsense/scripts/OPNsense/Postfix/generate_certs.php
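Review bot: The new `generate_certs.php` call at L108 is not checked for failure, so if the export fails (a PHP error, a certificate without a private key) setup.sh still exits successfully and Postfix is started against stale or absent certificate files. Append `|| exit 1` so a failed export aborts the service start, or at least echo the failure so it reaches the configd log. Whether setup.sh also runs on configuration changes, so that a newly selected certificate is exported without a manual restart, cannot be seen from this hunk.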
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index b9f248b5b..853266808 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -75,6 +75,16 @@ smtp_tls_protocols=!SSLv2,!SSLv3
{% if helpers.exists('OPNsense.postfix.general.disable_weak_ciphers') and OPNsense.postfix.general.disable_weak_ciphers == '1' %}
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.smtpclient_security') and OPNsense.postfix.general.smtpclient_security != '' %}
+smtp_tls_security_level = {{ OPNsense.postfix.general.smtpclient_security }}
+{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.certificate') and OPNsense.postfix.general.certificate != '' %}
+smtpd_use_tls = yes
+smtpd_tls_cert_file = /usr/local/etc/postfix/cert_opn.pem
+{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.ca') and OPNsense.postfix.general.ca != '' %}
+smtpd_tls_CAfile = /usr/local/etc/postfix/ca_opn.pem
+{% endif %}
{% if helpers.exists('OPNsense.postfix.antispam.enable_rspamd') and OPNsense.postfix.antispam.enable_rspamd == '1' %}
smtpd_milters = inet:localhost:11332