I am migrating from 2010 to 2013 and am running into issues getting the scanners and other apps to use TLS authentication prior to my cutover of the CAS -> 2013 servers.

The client FE connector is already listening on 587 so i figured I'd just leverage that.  It still has the default settings at this time so I would think it would just connect.  Unfortunately the devices are unable to send authenticated emails using TLS on this connector.  I then started to think, what if it is the certificate causing issues.  Since I still have not cut the users over to the new servers, my normal dns name mail.domain.net is still pointing at the old servers.  I then took an old SAN name from the cert (mail.domain2.net) and pointed it at the new servers.  Then told the TLS clients to use that name as the mail server ip / dns name.  No go still.  

What am i missing here?  I have been racking my brain trying to get this up and running and I am just incredibly frustrated at this point.  

• Does a TLS connection check the certificate of the server
• Does the host name have to match
• How can I see specifically why this is failing (cert issue / UN -pass issue / etc)