Another thing I am pondering is how best to debug the SMTP connection. tcpdump shows me the dns lookup, and a connection to the correct port (465) but the server itself (exim) gives me a "TLS error on connection from <host/ip> SSL_accept: TCP connection closed by peer", while fleetdm pops up a "sending mail: could not dial smtp host: SMTP connection error" which suggests that the "dial deadline" has been reached.

What do you get if you 

curl -vv smtp://<host>:<port>

 from the host running your Fleet server?

When you put it that way .. 🙂 -- changed the port 25 and .. STARTTLS was triggered (X=TLS1.3:AEAD-CHACHA20-POLY1305-SHA256:256); I've been too used to forcing (mobile) clients to use TLS direct. Again, thanks!