I see your point. But I suspect it illustrates a significant
limitation of the SSL/TLS protocol - in that SSL/TLS seems to assume
that an IP address and port number are used by only one named service.
It's been a while since I looked at the TLS protocol but I don't recall
any way for the client to say "prove to me that you are authorized to
provide the SMTP service associated with DNS name foo.com", or did I
just forget that feature?
There's no reason a protocol can't be spec'd to let the client convey
the name of the resource before the TLS handshake begins. (In some
cases, you might want to repeat that information after the stream is
protected.) The problem is that popular existing protocols don't do
that. Look at the contortions you have to choose among to support
HTTPS "virtual hosting".
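Since this exchange, TLS gained the Server Name Indication (SNI) extension (RFC 6066), which carries the requested host name in the ClientHello, i.e. in the first handshake message rather than before the handshake. The following is an added example, not code from either poster: it builds a minimal, constructed ClientHello record, parses the SNI host name back out of it, and shows how a server could use that name to pick the right virtual host's certificate. The record layout follows RFC 5246/6066; the random bytes, cipher suite and certificate labels are placeholders, and `select_certificate` is a hypothetical dispatcher, not any real server's API.

```python
import struct


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return n.to_bytes(3, "big")


def build_client_hello(server_name=None):
    """Constructed TLS 1.2-style ClientHello record with an optional SNI extension.

    The random field is all zeroes and only one cipher suite is listed; this is
    sample input for the parser below, not something to send on the wire.
    """
    body = b"\x03\x03" + bytes(32)          # client_version + 32-byte random (constructed)
    body += b"\x00"                          # empty session_id
    body += _u16(2) + b"\xc0\x2f"            # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    body += b"\x01\x00"                      # one compression method: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + _u16(len(name)) + name        # name_type host_name(0) + length + name
        sni = _u16(len(entry)) + entry                   # server_name_list
        exts += _u16(0) + _u16(len(sni)) + sni           # extension_type server_name(0)
    body += _u16(len(exts)) + exts
    handshake = b"\x01" + _u24(len(body)) + body          # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake   # ContentType handshake(22)


def parse_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None if absent.

    Raises ValueError on input that is not a well-formed ClientHello record.
    """
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                      # skip client_version and random
        pos += 1 + body[pos]                              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos >= len(body):
            return None                                   # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0:
                continue
            list_end = 2 + struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= list_end:
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                name = edata[q:q + nlen]
                q += nlen
                if ntype == 0:                            # host_name
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def select_certificate(record, certs_by_name, default):
    """Hypothetical virtual-host dispatch: choose a certificate by SNI, else the default."""
    name = parse_sni(record)
    if name is None:
        return default
    return certs_by_name.get(name.lower(), default)


if __name__ == "__main__":
    hello = build_client_hello("foo.com")
    print(parse_sni(hello))                                # foo.com
    print(select_certificate(hello, {"foo.com": "cert-foo"}, "cert-default"))
```

Two points worth keeping in mind when reading this: SNI only lets the server choose which identity to present, so the client must still verify that the certificate it receives actually matches the name it asked for (Python's `ssl` module does this when you pass `server_hostname`), and the name travels in cleartext in the ClientHello, so a server should treat it as untrusted input, as the parser's bounds checks reflect.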