I'm trying to set up Gmail send-as to send email via my SMTP server over TLS and I get "tls negotiation failed the certificate doesn't match the host" ever since I renewed my Let's Encrypt cert.
Background: I have a server with a dedicated IP sharing a few domain names. I'm using Virtualmin/Webmin. I had issues on renewal, so I ran certbot manually, verifying via TXT records. I created certs with CN=domain.com and SANs=domain.com,www.domain.com,mail.domain.com. mail.domain.com is an A record set up with Cloudflare pointing directly to the IP (without being proxied). Note, everything worked fine before. The server shares multiple domains. The primary domain has no issues with email. It previously stopped working for Dovecot and Postfix because my cert did not renew with mail.domain.com in the SANs list. It worked after fixing that. I have a second domain that has stopped working with sending. POP3/IMAP are not used, as emails are just forwarded.
Let's Encrypt generated its files. I set up the Postfix SNI map to point to the cert files.
When I run openssl x509 -text on the files, I can see the CN and SANs. When I run openssl s_client -connect mail.domain.com:25 -starttls smtp, it only shows the CN, not the SANs.
Sending emails with the primary domain works fine. Sending emails with the second domain gives the error. openssl gives the same result. Reading the file shows CN=domain.com and SANs=domain.com,www.domain.com,mail.domain.com. Connecting to the SMTP server only shows the CN for the respective domain.
I'm not sure what Gmail is comparing to when it says "certificate doesn't match the host". I thought it was just the CN and SANs against the server name, but maybe it's something else?
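Modern TLS clients match the server name against the DNS entries in subjectAltName, and most of them ignore the CN once a DNS SAN is present. The following is an added example, not part of the original post, that implements that hostname check in Python over the dict shape returned by ssl's getpeercert(), plus a helper that performs STARTTLS with the given name as SNI and returns the certificate the SMTP server actually presented; mail.domain.com and the other names are placeholders from the question, and EXAMPLE_CERT is a constructed sample.

```python
"""Which names does an SMTP server's certificate actually cover?"""
import smtplib
import ssl

# Constructed sample in ssl.getpeercert() shape, mirroring the cert described above.
EXAMPLE_CERT = {
    "subject": ((("commonName", "domain.com"),),),
    "subjectAltName": (("DNS", "domain.com"), ("DNS", "www.domain.com"),
                       ("DNS", "mail.domain.com")),
}


def san_dns_names(cert):
    """DNS entries of subjectAltName; these are what the client compares against."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _label_match(pattern, hostname):
    """Case-insensitive label match; '*' may only replace the whole leftmost label."""
    p_labels, h_labels = pattern.lower().split("."), hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert, hostname):
    """True if the cert covers hostname. With any DNS SAN present only the SANs
    count; the CN is consulted solely for certificates without a DNS SAN."""
    sans = san_dns_names(cert)
    if sans:
        return any(_label_match(pattern, hostname) for pattern in sans)
    cn = common_name(cert)
    return cn is not None and _label_match(cn, hostname)


def smtp_peer_cert(host, port=25):
    """STARTTLS to host, sending host as SNI, and return the presented cert.
    Chain validation stays on; only hostname checking is off so a certificate
    with the wrong name can still be inspected with hostname_matches()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()
```

Running hostname_matches(smtp_peer_cert("mail.domain.com"), "mail.domain.com") against each of the hosted domains shows whether the SNI map is handing out a certificate whose SANs include that name, independent of what the CN says.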