Looks like there is a bug in SuSE’s implementation of Postfix TLS certificate handling.
smtp_tls_CAfile = Deutsche_Telekom_Root_CA_2.pem
smtp_tls_CApath = /var/lib/ca-certificates/openssl
or any other combination of CApath and CAfile does not work.
The certificate (the PEM file) cannot be found.
Simply do
smtp_tls_CAfile = /var/lib/ca-certificates/openssl/Deutsche_Telekom_Root_CA_2.pem
smtp_tls_CApath = /var/lib/ca-certificates/openssl
and all is well.
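
A check for the situation described above, as an added example that is not part of the original post: it reads smtp_tls_CAfile and smtp_tls_CApath from a main.cf and reports whether CAfile is an absolute path to a readable file, suggesting the CApath-joined path when only a bare file name was given. The function names get_param and check_cafile are hypothetical, and the parser assumes simple one-line "name = value" assignments.

```shell
#!/bin/sh
# Added example: lint smtp_tls_CAfile in a Postfix main.cf.
# get_param and check_cafile are hypothetical helper names.
# Assumption: parameters are plain one-line "name = value" assignments
# (no continuation lines, no $variable expansion). On a live system,
# "postconf -h smtp_tls_CAfile" prints the effective value instead.

# Print the value of the last assignment of parameter $2 in file $1.
get_param() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Classify smtp_tls_CAfile from main.cf file $1.
# Prints one verdict line; returns 0 only when the setting is usable as-is.
check_cafile() {
    cafile=$(get_param "$1" smtp_tls_CAfile)
    capath=$(get_param "$1" smtp_tls_CApath)

    if [ -z "$cafile" ]; then
        echo "unset"
        return 1
    fi

    case $cafile in
        /*) ;;  # absolute path, checked below
        *)
            # Bare file name, as in the failing configuration on this page.
            # If the file exists under CApath, suggest the full path.
            if [ -n "$capath" ] && [ -r "$capath/$cafile" ]; then
                echo "relative: use $capath/$cafile"
            else
                echo "relative"
            fi
            return 1 ;;
    esac

    if [ -r "$cafile" ]; then
        echo "ok"
        return 0
    fi
    echo "missing"
    return 1
}

# Stand-alone use: sh check_cafile.sh /etc/postfix/main.cf
if [ "$#" -gt 0 ]; then
    check_cafile "$1"
fi
```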