Method 1 - openssl

#!/bin/bash
SERVERNAME=mail.example.com
printf 'quit\n' | openssl s_client -connect $SERVERNAME:25 -starttls smtp | openssl x509 -enddate -noout

Method 2 - Google Chrome

Run Google Chrome and bypass the ERR_UNSAFE_PORT error by specifying the --explicitly-allowed-ports=465 option on the command line. The following command is for MacOS

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --explicitly-allowed-ports=465

Open the link to the SSL port of the email server. i.e https://mail.example.com:465 And you get a nice GUI displaying the trust chain and expiry date.

Refs:

• https://www.tummy.com/blogs/2011/06/27/getting-the-expiration-time-of-an-smtp-certificate/
• https://support.plesk.com/hc/en-us/articles/213961665-How-to-verify-that-SSL-for-IMAP-POP3-SMTP-works-and-a-proper-SSL-certificate-is-in-use