Make sure you are serving the proper intermediate certificate.
Tools like testssl.sh (interactive) or check_ssl_cert (for monitoring) can help you there. And you want to continue to monitor this.
No. Port 587 is plaintext SMTP with a STARTLS upgrade to SSL/TLS. You can’t configure haproxy do this this, because haproxy does not speak SMTP at all.
Haproxy can terminate SSL on implicit SSL speaking ports only, for example port 465.
If your setup allows, drop port 587 altogether, it is considered obsolete: