Add DANE check to Postfix configuration
I think it would be good to add
# validate DANE
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
to the default postfix configuration.
If I understand correctly this is the same as
smtp_tls_security_level = may, unless a TLSA record is present. In that case, only if the TLSA check succeeds, email is delivered.