The log kept saying can't read the .crt file in /etc/certificates/.
Not a permissions problem. So I tried converting the file to pem etc but still no joy.
In the end the problem was the .key file which is des encrypted. So to get OSX server to work with smtps (and possible other postfix installs) you need to leave the key exposed and remove the passkey and encryption.
openssl rsa -infile file.key -outfile outfile.key
will remove the des encryption but you need to make the permissions tight, tight, tight on that file.
Hope this saves someone some time...