Well, I didn’t get any supporting information from carrd.co except they claimed to use “opportunitistic TLS” that should fall back to an unencrypted connection.
The one mail server health test that I wasn’t passing was the SMTP banner didn’t match the domain provided by the reverse DNS PTR record. Elsewhere on meta I turned up the idea of adding to mail-receiver.yml under env:
POSTCONF_smtpd_banner: forum.tasat.org ESMTP $mail_name
This resolved the flag re. SMTP banner mismatch, and the incoming mail failures changed from disconnecting at HELO to disconnecting at STARTTLS.
I finally enabled TLS, and email from the contact form comes through.
With the process now working, though, it’s illuminated some flaws in my whole idea of ingesting topics via a web form. But that’ll be another topic.