On Mon, Aug 22, 2022 at 02:09:26PM -0700, nate wrote: > postfix/smtp[7329]: Untrusted TLS connection established to > example-com.mail.protection.outlook.com[104.47.55.110]:25: TLSv1.2 with > cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) > > I assume it says Untrusted because Postfix doesn't have any CAs that it > is configured for?
Correct, because there's no point. Mail would be sent whether the certificate is trusted or not, and whether or not the DNS-ID matches expectations. Setting up a TLS policy for each domain that's hosted by Microsoft is unrealistic, and they don't yet support DANE (but this is planned). -- Viktor.