MX Record Port 25: mx.centurylink.net
SSL Binding Port 25: *.mx.a.cloudfilter.net
This looks like a proper rejection. Neither the certificate nor the SAN match the requested hostname. This is likely a misconfiguration of the recipient domain.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:d2:85:6a:6c:ef:0a:df:51:fc:61:82:12:59:5b:76
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
        Validity
            Not Before: Sep 6 00:00:00 2023 GMT
            Not After : Sep 5 23:59:59 2024 GMT
        Subject: C=US, ST=California, O=Proofpoint, Inc., CN=*.mx.a.cloudfilter.net
        ...clipped...
            X509v3 Subject Alternative Name:
                DNS:*.mx.a.cloudfilter.net
The nice thing about security lock-downs of major providers, e.g. Google, is that mail server and DNS misconfigurations will be forced to be resolved. I consistently have to deal with "well, it works with x service, the problem must be you" when addressing bad SPF or DMARC records, or improperly configured DNS.
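The name check that fails in the post above, as an added example that is not part of the original post: a small RFC 6125-style matcher run against the MX hostname and SAN shown in the certificate dump. The function names are hypothetical, and any hostname other than the two from the post is constructed for illustration.

```python
# Added example: why mx.centurylink.net is not covered by *.mx.a.cloudfilter.net.
# Wildcard handling follows the common RFC 6125 interpretation: "*" is accepted
# only as the entire left-most label and stands for exactly one label.

def _labels(name):
    # DNS names are case-insensitive; a trailing root dot is ignored.
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, hostname):
    """Return True if a certificate DNS name (optionally wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or not all(h):
        return False              # label counts differ, or an empty label
    if any("*" in label for label in p[1:]):
        return False              # wildcard outside the left-most label
    if p[0] == "*":
        # Require at least two fixed labels so "*.net" style names never match.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False              # partial wildcards (f*.example) are rejected here
    return p == h

def verify_mx_identity(mx_host, san_dns, subject_cn=None):
    """Check the MX hostname against SAN dNSName entries.

    The subject CN is consulted only when the certificate has no SAN DNS names.
    """
    names = list(san_dns) if san_dns else ([subject_cn] if subject_cn else [])
    matched = [n for n in names if dns_name_matches(n, mx_host)]
    return {"host": mx_host, "checked": names, "matched": matched, "ok": bool(matched)}

# Values taken from the post.
MX_HOST = "mx.centurylink.net"
SAN = ["*.mx.a.cloudfilter.net"]
CN = "*.mx.a.cloudfilter.net"

if __name__ == "__main__":
    print(verify_mx_identity(MX_HOST, SAN, CN))
    # Constructed hostnames showing what the wildcard does and does not cover.
    for host in ("host1.mx.a.cloudfilter.net", "a.b.mx.a.cloudfilter.net"):
        print(verify_mx_identity(host, SAN, CN))
```

A sending server that enforces certificate name validation performs this comparison against the name it connected to, which is the MX hostname published in DNS, not the name of the filtering service behind it.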