I’ll try to explain what i am meaning…
If only some application (here not reported the name) have issues using TLS 1.2, maybe this application do not support TLS 1.2, so the refuse to connect to SMTP is due to the lack of support of TLS 1.2 by the application.
Or… I don’t know.
Your setup is not explained, the name of the applications are not expressed, maybe there can be some workaround to make NethServer act as relay with fewer security restrictions.
About a year ago i checked out a small list of some settings that should be checked and restored if somebody is taking advantage of the relaying of the server.
Maybe this list could be used for a little security flaw for allowing some of your applications to use NethServer as SMTP Relay. Only if there’s a small enough fence for the applications, like DMZ, Green, or a static public addresses.
Otherwise… you need to disclose more details for receive a security-reasonable suggestion.