11-11-2017 08:34 AM - edited 03-08-2019 07:28 PM
Hello,
We deployed the C100v with AsyncOS 10.0.3 and got the vulnerabilities listed below.
Please advise how to solve this issue, and please see the SSL config below.
Thanks,
Regards,
11-11-2017 09:12 AM
To fix these, get a new cert from a public CA that matches the A record that your MX record points to, and make sure that name is on the listener.
•X.509 Certificate Subject CN Does Not Match the Entity Name
•Self-signed TLS/SSL Certificate
•Untrusted TLS/SSL Server X.509 certificate
To fix this, add -DES:-3DES:-IDEA to your cipher string.
•TLS/SSL Birthday attacks on 64-bit block ciphers(SWEET32)
•TLS/SSL Server Supports DES and IDEA Cipher Suites
To fix these, uncheck the box for SSL3, and I'd turn on 1.1 and 1.0 (most people have figured out that SSL3 is bad, but some stuff is still talking 1.0)
•TLS/SSL Server is enabling the POODLE attack
•TLS/SSL Server is enabling the BEAST attack
•TLS/SSL Server Supports SSLv3
The cert on the box is a demo cert that's self-signed and doesn't match anything... you want the cert to match whatever DNS name your MX record points to. And make sure that name is on the listener external senders connect to. I just use a wildcard cert from GoDaddy....
You could use something like this for your cipher string:
MEDIUM:HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!DES:!3DES:!IDEA:@STRENGTH
Docs here: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
POODLE is SSLv3 specific, turning off SSLv3 will close the hole
BEAST is TLS1.0, but it's a client-side attack... Turn on TLS1.1... balance your real risk of it being exploited vs. mail flowing
Here's a bit about it: https://blog.qualys.com/ssllabs/2011/10/17/mitigating-the-beast-attack-on-tls
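Before pasting a cipher string into the listener, it helps to see what the local OpenSSL actually expands it to and whether any suite would still trip the SWEET32 / DES-IDEA / RC4 findings. The script below is an added example, not from the original reply or from Cisco: it feeds the suggested cipher string through Python's ssl module (which wraps OpenSSL, so the expansion matches `openssl ciphers -v`), flags suite names by substring, and builds a server context with SSLv3 turned off as the reply recommends. The substring-to-finding mapping and the sample suite list in `__main__` are assumptions made for this example; the scanner's own matching rules are not on the page.

```python
"""Expand an OpenSSL cipher string and flag suites that match the scanner
findings discussed in the thread (64-bit block ciphers, RC4, NULL, export, MD5).
Added example; assumes Python 3.6+ with an OpenSSL-backed ssl module."""
import ssl

# Cipher string suggested in the reply above.
RECOMMENDED = "MEDIUM:HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!DES:!3DES:!IDEA:@STRENGTH"

# Substrings of OpenSSL suite names mapped to the reason they are weak.
# Assumed mapping for this example: "DES" also catches "DES-CBC3-*" (3DES),
# while "AES" never contains "DES" as a substring.
WEAK_MARKERS = [
    ("DES", "64-bit block cipher (DES/3DES): SWEET32, DES cipher suite finding"),
    ("IDEA", "64-bit block cipher (IDEA): SWEET32, IDEA cipher suite finding"),
    ("RC4", "RC4 stream cipher"),
    ("NULL", "NULL cipher (no encryption)"),
    ("EXP", "export-grade cipher"),
    ("MD5", "MD5 MAC"),
]
# Anonymous key exchange suites (what !aNULL removes).
ANON_PREFIXES = ("ADH-", "AECDH-")


def weak_ciphers(names):
    """Return [(suite_name, reason)] for every suite that matches a weak marker."""
    flagged = []
    for name in names:
        if name.startswith(ANON_PREFIXES):
            flagged.append((name, "anonymous key exchange (aNULL)"))
            continue
        for marker, reason in WEAK_MARKERS:
            if marker in name:
                flagged.append((name, reason))
                break
    return flagged


def negotiable_ciphers(cipher_string):
    """Expand cipher_string with the local OpenSSL and return the suite names
    in the order the server would prefer them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [suite["name"] for suite in ctx.get_ciphers()]


def hardened_server_context(cipher_string=RECOMMENDED):
    """Server context mirroring the reply: SSLv3 unchecked, cipher string applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv3  # POODLE is SSLv3-specific
    ctx.set_ciphers(cipher_string)
    return ctx


def sslv3_disabled(ctx):
    """True when the context refuses SSLv3."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    # Constructed sample of suite names a permissive listener might offer.
    sample = ["DES-CBC3-SHA", "AES128-SHA", "RC4-MD5", "IDEA-CBC-SHA",
              "AECDH-AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]
    for name, reason in weak_ciphers(sample):
        print(f"FLAG {name}: {reason}")

    names = negotiable_ciphers(RECOMMENDED)
    print(f"\n{len(names)} suites negotiable with the recommended string")
    print("still weak:", weak_ciphers(names) or "none")
    ctx = hardened_server_context()
    print("SSLv3 disabled:", sslv3_disabled(ctx))
```

Run it on the box where you will generate the string, since the expansion depends on the OpenSSL version; an empty result from `negotiable_ciphers` (an `ssl.SSLError`) means the string excludes everything and would break inbound mail rather than harden it.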