The validator [1] says TLSA is ok, so is this even a DNS issue? If I have to guess, Postfix encounters the following situation:
> When TLSA records are found, but are all unusable the effective security
> level is "encrypt"

The documentation does not state that self-signed certificates are invalid with the "encrypt" security level, they are with "verify".

[1] https://dane.sys4.de/smtp/wrong.havedane.net