Yes. I’m using CentOS 8 and it still ships with crusty old Postfix 3.3. For SNI I think it needs to be 3.4 or higher. My domains never needed SNI since each had its own IP. But as soon as I added a sub-server with mail that shares its parent’s IP, client SSL errors like yours started showing up.
One way around it is what Joe recommends and it’s the easiest way: use the same domain for MX and client SMTP across the board. IMO, an improvement on this is to bypass mail.domain.tld and use the server’s hostname instead – that is, if you’re using a hosted domain as the server hostname’s TLD.
An alternative is to get SNI support from a newer Postfix release. There’s a tutorial for that.
Sorry, wrong nightmare. When you said “mac mail” I thought of an ugly experience I had with messages from iCloud and me-dot-com. Apparently I haven’t gotten over it.
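Added example, not part of the original post: a Python check for the situation described above, where mail domains that share one IP need SNI, which Postfix provides through `tls_server_sni_maps` from 3.4 onward. The domain names, IP addresses and function names are constructed for illustration; the version string is what `postconf -h mail_version` would print.

```python
import re
from collections import defaultdict

SNI_MIN = (3, 4)  # tls_server_sni_maps was introduced in Postfix 3.4

def parse_version(mail_version):
    """Turn '3.3.1' into (3, 3). Compared as integers so 3.10 ranks above 3.4."""
    m = re.match(r"(\d+)\.(\d+)", mail_version.strip())
    if not m:
        raise ValueError(f"unrecognised Postfix version: {mail_version!r}")
    return int(m.group(1)), int(m.group(2))

def audit(mail_version, domain_ips):
    """Return (sni_capable, {ip: [domains]}) for IPs that serve several mail domains."""
    by_ip = defaultdict(list)
    for domain, ip in domain_ips.items():
        by_ip[ip].append(domain)
    shared = {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}
    return parse_version(mail_version) >= SNI_MIN, shared

def report(mail_version, domain_ips):
    """Build one advisory line per shared IP."""
    capable, shared = audit(mail_version, domain_ips)
    lines = []
    for ip, names in sorted(shared.items()):
        if capable:
            lines.append(f"{ip}: {', '.join(names)} share this IP; "
                         "give each its own certificate via tls_server_sni_maps")
        else:
            lines.append(f"{ip}: {', '.join(names)} share this IP but Postfix "
                         f"{mail_version} has no SNI; clients must all use one "
                         "hostname that the single certificate covers")
    return lines

# Constructed sample: a parent domain and a sub-server on the same address.
SAMPLE = {
    "example.com": "192.0.2.10",
    "sub.example.com": "192.0.2.10",
    "example.net": "192.0.2.20",
}

if __name__ == "__main__":
    for line in report("3.3.1", SAMPLE):
        print(line)
```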