In my org all the traffic must be encrypted, even local. Unfortunately nginx doesn't support encrypted connections with SMTP backends.
This topic relates to one of my previous questions (Dynamically resolving smtp upstream hostnames) https://forum.nginx.org/read.php?2,291890,291890#msg-291890, because in case of encryption you must validate the certificate domain.