Score:0

haproxy SSL/TLS Passthrough Proxy not working?

gb flag

I want to set up haproxy as a simple TCP proxy. Below is my configuration. When I try to send e-mail via Thunderbird (pointing SMTP to ip_of_my_host:8123) or a simple Python script, I get an error about an invalid certificate or a certificate error. I thought Layer 4 doesn't care about it at all. Isn't SSL/TLS an L7 feature? So how do I set it up properly?

    frontend smtp
        bind *:8123
        mode tcp
        default_backend smtp-backend

    backend smtp-backend
        mode tcp
        server s1 smtp.gmail.com:465

https://serversforhackers.com/c/using-ssl-certificates-with-haproxy

With SSL Pass-Through, no SSL certificates need to be created or used within HAproxy. The backend servers can handle SSL connections just as they would if there was only one server used in the stack without a load balancer.

EDIT:

  1. The Python script (https://realpython.com/python-send-email/) isn't working at all. I get the error "ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'jenkins'. (_ssl.c:1131)"
  2. Thunderbird asks about the certificate; after I allowed it, I can send e-mail via haproxy.
  3. eM Client behaves the same as Thunderbird.
  4. Mailbird works like a charm without alerting about anything. It just sends e-mails through haproxy.

So I can confirm that passthrough is working, but it depends on the application.

Here is the output of `openssl s_client -connect 192.168.1.116:8124`:

CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:CN = smtp.gmail.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
subject=CN = smtp.gmail.com

issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4681 bytes and written 363 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: B92656EA56305FBE58002428D4E3A798D6E2C771989210B180A04AA8956ADFD6
    Session-ID-ctx:
    Resumption PSK: E35D5877C3D7768E597B3E977E6699ABE845D0B0F1EEF12C59914BAA062E7B1BFD523C9E2C89D13EAE4F691FB4A755A9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:

    Start Time: 1648990924
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 19DC37EC5E7DC298C40A28812BACBBAF30D53BEB2B53EDC681BB32847542F93E
    Session-ID-ctx:
    Resumption PSK: 13A0BEF271F8B729BBC484EA4DB724F3D28EE3A225D210B9C7EC5056EE86656B234BBD45E405CF7791EB5E1F45A48366
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:

    Start Time: 1648990924
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
220 smtp.gmail.com ESMTP a3-20020a195f43000000b0044a997dea6bsm821316lfj.288 - gsmtp
vidarlo avatar
ar flag
What certificate is actually sent? What certificate is used by the backend? You can verify this using `openssl s_client -connect ip:port`. Please edit your question to include this information.
Score:1
in flag

Since you pass the connection through to Gmail, the client also gets the Gmail certificate, which obviously is only valid for the Gmail host.

The certificate must contain the hostname you are connecting to, otherwise it is not valid.

Since the Gmail certificate contains neither your IP address nor any of your hostnames, it is invalid from the client's point of view.

You either need to configure your local DNS server to resolve smtp.gmail.com to your own IP address, or you need to implement SSL termination on your haproxy.

Joshua avatar
gb flag
Should I implement SSL termination with a self-signed certificate?
in flag
If you don't mind that you need to trust the certificate on all clients ... On the other hand, Let's Encrypt is free and setting up your own CA is not difficult. It depends on your use case.
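For the SSL-termination route discussed in the answer and comments, here is an added example configuration (not from the question, the answer, or the HAProxy project): haproxy presents its own certificate for the name the clients dial, then opens a new TLS connection to Gmail and verifies Gmail's certificate itself, so the proxy does not silently replace the clients' verification with none. The hostname mail.example.internal, the certificate path and the CA bundle path are assumptions.

```haproxy
# Added example: TLS termination on haproxy with re-encryption to Gmail.
# Assumed: /etc/haproxy/certs/mail.example.internal.pem holds the certificate
# and key for the name clients connect to (mail.example.internal), and
# /etc/ssl/certs/ca-certificates.crt is the system CA bundle.

frontend smtp
    # Clients connect to mail.example.internal:8123 and are shown this
    # certificate, so their hostname check passes without any DNS override.
    bind *:8123 ssl crt /etc/haproxy/certs/mail.example.internal.pem ssl-min-ver TLSv1.2
    mode tcp
    default_backend smtp-backend

backend smtp-backend
    mode tcp
    # Re-encrypt towards Gmail and verify its certificate here:
    #   verify required  -> reject the backend if the chain does not validate
    #   ca-file          -> trust anchors used for that validation
    #   sni              -> send the expected name in the TLS ClientHello
    #   verifyhost       -> require that name in the backend certificate
    server s1 smtp.gmail.com:465 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(smtp.gmail.com) verifyhost smtp.gmail.com
```

Clients must now be pointed at mail.example.internal:8123 (a name that resolves to the proxy) and trust whichever CA signed that certificate; with passthrough replaced by termination, the Gmail certificate is no longer seen by the mail client at all.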