The secondary is configured to verify DANE TLSA when relaying mail
to the primary, so the problem report to "info", and indeed pretty
much all mail to the system in question is queueing on the secondary
MX host, waiting for the primary MX TLSA records to be fixed!

Only "postmaster" email gets through to its destination (if the
sending system does not validate TLSA records, which is naturally
the case for my outbound "please fix your TLSA records" notices).

The main lesson here is to not implement Greylisting on only a subset
of your MX hosts. Don't do that!

1. When greylisting, make sure that all MX hosts with equal
   or worse (higher) MX preference also greylist.

2. It is harmless (though less effective) to greylist only on
   (all) backup MX hosts, and skip greylisting on the primary.
   It is not a good idea to greylist on the primary, and not
   on the backups.

3. Monitor your DANE TLSA records, in such a way that notices
   of problems get through even when the TLSA records are