as far as i know opportunistic tls is good not bad. it means, essentially, there’s an attempt to encrypt every email by default but emails won’t fail to send if the recipient service doesn’t support encryption. if you don’t have a 3rd party smtp server setup in NS today (the release notes say there are no customers with them configured, which sounds suspicious) then you’re already utilizing this. (and presumably if you have some compliance need to enforce TLS for all emails from NS, you’re already in violation.)

Exactly