Hi Harland, I'd be happy to help clarify here. First, SSL/TLS isn't set up by default because it requires administrator involvement currently, and isn't necessary in all deployments. We have quite a few customers who use SmarterMail in an offline environment which won't even support SSL, so this is available as an option above and beyond the defaults.
As Patrick pointed out, the certificate selection you're doing in Settings>Bindings>Ports is a "fallback" certificate, in that this PFX will only be selected for STARTTLS/SSL IF a better certificate isn't found in the certificates directory as part of our SNI implementation. Usually I instruct customers to set this fallback cert as the system-level hostname's SSL certificate so that if a client tries to connect on a domain that does not yet have SSL, they'll at least be able to continue the secure connectivity using your main hostname.
I hope that helps!
Kyle Kerst
System/Network Administrator
SmarterTools Inc.
(877) 357-6278
www.smartertools.com