After much gnashing of teeth, I finally went to the last resort. Note to self: ALWAYS run rpm -ql and look for documentation before running to the web.

What’s great is that RHEL’s postfix rpm comes precompiled with SASL/TLS support built in! So, other than self-edification about how SASL/TLS works with Postfix, the hours I spent researching various SUSE and Debian readmes were kind of a waste.

It turns out, you mostly just need to use the right commands within the /etc/postfix/main.cf, and source the appropriate ssl certs, and you’re good to go.

Good instructions for preparing self-signed CA plus certs are here. I’m still not sure how to get md5 working, but i’m happy with plaintext over TLS. RedHat put a lot of time and energy into making a system that’s relatively simple to administer if you don’t stray too far from normal configurations. I would have considered secure SMTP an outlier, but I was happy to find that RHEL ES does support this with a tiny bit of additional configuration.

Plus, there was a readme distributed in the postfix package all about this, a few PDF’s, and a bunch of config sample files.