Microsoft routinely updates their root CA certificates, in order to provide enhanced security and new cyphers.
As of August 15, 2018, the current root certificates are listed in this article from Microsoft: How Exchange Online uses TLS to secure email connections in Office 365. Use this page to find out the current vendor for the root certificate and download from that vendor.
Example: On September 3, 2018, Office 365 is changing to GlobalSign Root CA – R1.
After this point, if you turn on a forced TLS connection in the SMG, mail flow should return to normal.
For further information or troubleshooting if this fails, please contact Microsoft support.