On Mon, Aug 22, 2022 at 02:09:26PM -0700, nate wrote:
> postfix/smtp[7329]: Untrusted TLS connection established to
> example-com.mail.protection.outlook.com[104.47.55.110]:25: TLSv1.2 with
> cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> I assume it says Untrusted because Postfix doesn't have any CAs that it
> is configured for?
Correct, because there's no point. Mail would be sent whether the
certificate is trusted or not, and whether or not the DNS-ID matches
expectations.
Setting up a TLS policy for each domain that's hosted by Microsoft is
unrealistic, and they don't yet support DANE (but this is planned).
--
Viktor.
