It appears that some naïve deployments of Mailcow have a default SMTP server private key and certificate that are the same for all users. Since the "private key" is bundled with the software, it is not in fact "private"; anyone can get a copy. Some users of Mailcow are apparently unaware of this and even publish DANE TLSA records for the underlying shared certificate:

    name = mail.example.org
      Issuer Organization = mailcow
      notBefore = 2016-12-13T10:11:00Z
      notAfter = 2019-11-28T10:11:00Z
      Subject CommonName = mail.example.org
      Subject Organization = mailcow
      pkey sha256 = 2ec600d703259867099b63ef278e2852ee2a4f7d9a90d39c47bd22858288a3bd

I don't know whether the Mailcow software has since been updated to no longer do this on new installs, but in any case, more broadly I'd like to make two suggestions:

Some example TLSA records:

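
An added example, not part of the original report and not Mailcow code: one way to audit TLSA records in presentation format for the bundled key, using the `pkey sha256` digest quoted above. It goes slightly beyond the report by also flagging any other key digest published under more than one name; the function names, the sample records and the `example.*` hosts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# SPKI SHA-256 digest of the bundled key, as quoted in the report above.
BUNDLED = "2ec600d703259867099b63ef278e2852ee2a4f7d9a90d39c47bd22858288a3bd"

TLSA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TLSA\s+"
    r"(?P<usage>\d+)\s+(?P<sel>\d+)\s+(?P<mtype>\d+)\s+(?P<data>[0-9A-Fa-f\s]+)$")

def parse_tlsa(line):
    """Parse one presentation-format TLSA RR; return None if it is not one."""
    m = TLSA_RE.match(line.split(";")[0].strip())   # drop zone-file comments
    if not m:
        return None
    data = re.sub(r"\s+", "", m["data"]).lower()    # hex may be split or upper case
    return (m["owner"].rstrip(".").lower(),
            int(m["usage"]), int(m["sel"]), int(m["mtype"]), data)

def audit(zone_text, known_public=(BUNDLED,)):
    """Return sorted (owner, finding) pairs for 3 1 1 records worth attention."""
    findings, owners_by_key = [], defaultdict(set)
    for line in zone_text.splitlines():
        rr = parse_tlsa(line)
        # Only "3 1 1" (DANE-EE, SPKI, SHA-256) pins the server's own key digest.
        if rr is None or rr[1:4] != (3, 1, 1) or len(rr[4]) != 64:
            continue
        owner, data = rr[0], rr[4]
        owners_by_key[data].add(owner)
        if data in known_public:
            findings.append((owner, "bundled-key"))
    for data, owners in owners_by_key.items():
        # Same key under several names: fine for one operator, a red flag otherwise.
        if data not in known_public and len(owners) > 1:
            findings += [(o, "reused-key") for o in owners]
    return sorted(findings)

# Constructed sample records; the names and the ab../cd.. digests are made up.
SPACED = " ".join(BUNDLED[i:i + 8] for i in range(0, 64, 8))
SAMPLE_ZONE = "\n".join([
    f"_25._tcp.mail.example.org. 3600 IN TLSA 3 1 1 {SPACED}",
    f"_25._tcp.mx.example.net. IN TLSA 3 1 1 {BUNDLED.upper()} ; constructed",
    f"_25._tcp.mx1.example.com. 300 IN TLSA 3 1 1 {'ab' * 32}",
    f"_25._tcp.mx2.example.com. 300 IN TLSA 3 1 1 {'ab' * 32}",
    f"_25._tcp.mx3.example.com. 300 IN TLSA 2 1 1 {BUNDLED}",
    f"_25._tcp.mx4.example.com. 300 IN TLSA 3 1 1 {'cd' * 32}",
])

if __name__ == "__main__":
    for owner, finding in audit(SAMPLE_ZONE):
        print(f"{finding:12} {owner}")
```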