Using secure smtp to deliver/receive emails - using a different cert. with community edition

to secure e-mail transfer I would like to use

smtp_tls_security_level = encrypt 
smtpd_tls_security_level = encrypt 

sadly, this does not work
error message is:

status=deferred (TLS is required, but was not offered by host[]) 

I tried changing the certificate from the snakeoil to a letsencrypt one acquired via lego (go-acme/lego).
I cannot upload it via the webinterface, and I am not allowed to change the option in the “MTA config file” so I chose to make a symlink for the two files:

root@ciphermail:/home/user# ln -s /etc/lego/ /etc/ssl/certs/ssl-cert-snakeoil.pem 
root@ciphermail:/home/user# ln -s /etc/lego/ /etc/ssl/private/ssl-cert-snakeoil.key 

doing this it causes the webinterface to give the error:

 A problem occurred 
Error message:Render queue error in BeginRender[Login]: Error invoking service builder method, ApplicationStateManager) (at (for service 'GlobalPreferencesManagerWS'): org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
Click here to continueContact your administrator if this condition persists 

i have no idea where to go from here.
Is there any further documentation on ssl certificates and how to change them manually?
Thanks in advance.

Checkout this post SSL_connect error to[]:10025: -1 - #4 by martijn

I think this is the same issue that you have, i.e., you changed the default which will then also require TLS when connecting to the back-end (which is not supported).

You need to change the security level only for a specific service.

In your case, do not add

smtp_tls_wrappermode = yes

Thank you Martijn for you answer.
I did not have that line in there. to test I added

smtp_tls_wrappermode = no

no change in behavior. the error still persists.

Nov 6 11:29:06 cipher mail postfix/smtp[2364]: 4SP6qy1tQ4zZcw0: to=<>, relay=[]:10025, delay=356, delays=356/0.01/0.04/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host[])

Because you changed the global postfix setting for smtp_tls_security_level it means that it will be used for all smtp connections. What you should do it to only configure this for the smtp service used for outgoing email but not for the smtp connector which sends to the local back-end.

in /etc/postfix/

smtp      unix  -       -       n       -       -       smtp
        -o smtp_tls_security_level = encrypt

Make sure you remove the line smtp_tls_security_level = encrypt from the file.

Now email sent via smtp to external should be forced to encrypt but email sent to the back-end (via the djigzo service) should not be TLS encrypted.