My MTA Exim gives the following answers openssl:
1.
prompt> openssl s_client -starttls smtp -connect mail.babai.ru:25 </dev/null 2>/dev/null | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' | openssl x509 -text -noout | grep -A7 'Serial Number'
Serial Number:
dd:a5:68:63:7a:66:af:1e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = XX, ST = XX, L = XX, O = XX, OU = XX, CN = localhost, emailAddress = root@localhost
Validity
Not Before: May 18 13:17:36 2016 GMT
Not After : May 16 13:17:36 2026 GMT
Subject: C = XX, ST = XX, L = XX, O = XX, OU = XX, CN = localhost, emailAddress = root@localhost
2.
prompt> openssl s_client -starttls smtp -connect mail.babai.ru:25 -servername mail.babai.ru </dev/null 2>/dev/null | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' | openssl x509 -text -noout | grep -A7 'Serial Number'
Serial Number:
05:9d:fc:97:95:95:f1:8d:de:24:ed:fc:aa:f1:35:24
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA 2018
Validity
Not Before: May 23 00:00:00 2019 GMT
Not After : Jun 21 12:00:00 2021 GMT
Subject: CN = mail.babai.ru
As you can see without specifying the server name, the self-signed certificate is shown localhost.
However, if you specify a server name, then a valid certificate is visible.
Nextcloud sees only a self-signed certificate and, accordingly, SMTP TLS messages are not sent until you add it to the configuration:
(array(‘ssl’=>[‘verify_peer’=>false, ‘verify_peer_name’=>false, ‘allow_self_signed’=>true])).
I really want nextcloud to learn to understand TLS SNI!