BTW, if you end up opening upstream for TCPS, you should also tell them to add STARTTLS as an option.
openssl s_client -connect mail.domaincom:25 -showcerts -starttls smtp will help test the cert of a mail server for protocols like sieve, smtp that use starttls.