SNI for mail only works with 'bare' domain name (or www.domain.name for dovecot)
Summary
You can't use mail.domain.name to access email securely
Steps to reproduce
Use an SNI mail client to try to fetch / send mail using mail.domain.name as the host
What is the current bug behavior?
The certificate returned is the default for the server.
What is the expected correct behavior?
The certificate returned should be for the correct domain
Possible fixes
When generating certificates for a domain, ensure one is requested for mail.domain.name. Then add an SNI section for Dovecot to reference this. Exim looks a little trickier, as it goes directly to /srv/$tls_in_sni/config/ssl/current/ssl.combined to get the certificate.
/cc @kelduum
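A sketch of the lookup the Exim side would need, added here as an illustration and not taken from the project's code: it maps the client's SNI value to the /srv/<domain>/config/ssl/current/ssl.combined layout quoted above, treating the SNI value as untrusted input. The `mail.` fallback to the bare domain's directory, the function names and the sample tree are assumptions, and the fallback only helps if that certificate also lists mail.domain.name.

```python
import re
import tempfile
from pathlib import Path

LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")    # one DNS label
MAIL_PREFIX = "mail."                                # assumption: the only alias handled
CERT_TAIL = Path("config/ssl/current/ssl.combined")  # layout quoted in the issue

def candidate_dirs(sni):
    """Directory names to try for a client-supplied SNI value, most specific first."""
    name = sni.strip().lower().rstrip(".")
    labels = name.split(".")
    # The SNI value is chosen by the client: accept only a plain hostname
    # before it is used to build a filesystem path.
    if len(name) > 253 or len(labels) < 2 or not all(LABEL.fullmatch(l) for l in labels):
        return []
    dirs = [name]
    if name.startswith(MAIL_PREFIX) and len(labels) > 2:
        dirs.append(name[len(MAIL_PREFIX):])         # mail.domain.name -> domain.name
    return dirs

def resolve_cert(sni, root, default):
    """Return the certificate file to serve for this SNI value, or the default."""
    for host in candidate_dirs(sni):
        path = root / host / CERT_TAIL
        if path.is_file():
            return path
    return default

def demo():
    """Run the lookup against a constructed tree; returns {sni: chosen file}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cert = root / "domain.name" / CERT_TAIL      # constructed sample site
        cert.parent.mkdir(parents=True)
        cert.write_text("constructed placeholder, not a real certificate\n")
        default = root / "default.pem"               # stands in for the server default
        default.write_text("constructed placeholder\n")
        names = ["domain.name", "mail.domain.name", "mail.other.example", "../../etc/x"]
        return {n: resolve_cert(n, root, default).relative_to(root).as_posix() for n in names}

if __name__ == "__main__":
    for sni, chosen in demo().items():
        print(f"{sni:22} -> {chosen}")
```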