[ To the OP: feel free to ignore the below response, it is irrelevant. ]
> On Apr 13, 2020, at 5:22 AM, Damian <[email protected]> wrote:
>
> The validator [1] says TLSA is ok, so is this even be a DNS issue? If I
> have to guess, Postfix encounters the following situation:
>
>> When TLSA records are found, but are all unusable the effective security
>> level is "encrypt"
>
> The documentation does not state that self-signed certificates are
> invalid with the "encrypt" security level, they are with "verify".
>
> [1] https://dane.sys4.de/smtp/wrong.havedane.net
--
Viktor.
