It depends what you want to do?
Typically, you'd use SASL for external users to authenticate with postfix, and depending on who the users are, you can use a self generated certificate or buy one. Which to do will depend on your specific requirements. What sort of company are you, who's authenticating, where are they authenticating from? etc etc