Postfix SMTP client not verifying against system-wide CA certs with tls_append_default_CA

With smtp_tls_security_level = secure and the default value of smtp_tls_secure_cert_match (smtp_tls_secure_cert_match = nexthop, dot-nexthop), Postfix won't trust the result from the MX record. In other words, Postfix will use the next-hop obtained from an internal table such as the transport table.

That's why Postfix still states "Server certificate not verified". The Postfix documentation clearly states that:

Verified (peer certificate signed by trusted CA and verified peer name; or: peer certificate with expected public-key or certificate fingerprint)

Postfix SMTP client: The remote SMTP server's certificate was signed by a CA that the Postfix SMTP client trusts, and the certificate name matches the destination or server name(s). The Postfix SMTP client was configured to require a verified name, otherwise the verification status would have been just "Trusted".

You may reduce smtp_tls_security_level to verified so that Postfix will trust the result of the MX record and use it in the verification process. Another way is described in the Postfix documentation:

  • Secure-channel TLS without transport(5) table overrides:

    Postfix will use smtp_tls_policy_maps to do the verification process.

  • Secure-channel TLS with transport(5) table overrides:

    In this case traffic to example.com and its related domains is sent to a single logical gateway (to avoid a single point of failure, its name may resolve to one or more load-balancer addresses, or to the combined addresses of multiple physical hosts). All the physical hosts reachable via the gateway's IP addresses have the logical gateway name listed in their certificates.
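The second case above in configuration form, as an added example that is not part of the answer or of the Postfix documentation: the weak setup that still reports "Server certificate not verified" next to the corrected one that pins the gateway name through smtp_tls_policy_maps. The host names mailhost.example.com and example.com and the Debian CA path are assumptions.

```ini
# Added example (constructed); names and paths are assumptions, not the poster's setup.

# --- /etc/postfix/main.cf ---------------------------------------------------
# Before: "secure" with a transport(5) override and no policy map. The client
# checks the certificate against the transport next-hop only (default
# smtp_tls_secure_cert_match = nexthop, dot-nexthop), never against the MX
# name, so unless that next-hop name is in the certificate Postfix logs
# "Server certificate not verified".
#   smtp_tls_security_level = secure
#   tls_append_default_CA   = yes
#   transport_maps          = hash:/etc/postfix/transport

# After: same "secure" level and the system CA store (tls_append_default_CA
# adds the distribution CAs to smtp_tls_CApath), plus a per-destination
# policy that states which certificate name the gateway must present.
smtp_tls_CApath         = /etc/ssl/certs
tls_append_default_CA   = yes
smtp_tls_security_level = secure
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
transport_maps          = hash:/etc/postfix/transport
smtp_tls_loglevel       = 1

# --- /etc/postfix/transport  (then: postmap /etc/postfix/transport) ---------
# Route the domain and its subdomains to the single logical gateway name.
example.com     smtp:mailhost.example.com
.example.com    smtp:mailhost.example.com

# --- /etc/postfix/tls_policy  (then: postmap /etc/postfix/tls_policy) -------
# Lookup key is the next-hop exactly as written in the transport entry;
# match= is the name every physical host behind the gateway lists in its
# certificate, so the check no longer depends on the MX or next-hop spelling.
mailhost.example.com    secure match=mailhost.example.com
```

Test the name match before reloading with `posttls-finger -l secure -P /etc/ssl/certs mailhost.example.com`; after `postfix reload`, deliveries to the gateway should log "Verified TLS connection established to mailhost.example.com" rather than an untrusted one.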