The answer is provided by Alexander on postfix mailing list.
SMTP-DANE
Outgoing:
# validate DANE
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane # or dane-only (https://www.postfix.org/TLS_README.html)
Incoming:
– setup DNSSEC for your domain (out of scope here on the postfix list)
– publish TLSA records
e.g. https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-postfix (not everything there is endorsed by several people on this list, specially not the TLS settings in part IV (interoperability vs. “do you really know what you are doing”), what you have to do depends on what you need to protect against (or which checkboxes you have to tick in a report), I provide this link as it gives a good overview about what is involved, not about the particular settings (e.g. you may want to skip large parts of part IV), you may want to use letsencrypt or similar instead of a self-signed cert, you may want to use the PKI cert in the TLSA record (or not), …).
MTA-STS
Incoming (out of scope for the postfix list):
– setup of webserver which serves the MTA-STS file
– DNS records
e.g. https://www.digitalocean.com/community/tutorials/how-to-configure-mta-sts-and-tls-reporting-for-your-domain-using-apache-on-ubuntu-18-04 (info: there exist online services and local tools to investigate TLSA reports)
Outgoing:
Postfix doesn’t come with support for this out of the box. There is https://github.com/Snawoot/postfix-mta-sts-resolver but it has drawbacks (pointed out in the docu).