Independently of the hostname (which matters as well), you'll need a certificate from a trusted provider, as most devices will nowadays reject self-signed ones (and that's what likely causes the negotiation issues). So you should get an "official" certificate for "mail.xyz.com.au" or a wildcard one for "xyz.com.au". Once you install this for GMS services things will likely start working (provided your NATting / port forwarding / whatsoever is configured properly). As it seems you own a single official IP address, so you can use the same cert for e.g. WebAccess on another box, you'll have to use another external port, of course.

In article <email@example.com>, Zexec4 wrote:
> none of the Certificates align to mail.xyz.com.au.

That is a big issue, but not hard to fix. You could do the self cert to the name you want, but that still has many of the issues.
So as Mathias pointed out, you need cert(s) minted from a trusted root.
In addition to the ones you pay for, there is also LetsEncrypt that does free certs, but requires a little bit of scripting to get running, but there are plenty of examples of how to do it around.
While the pay ones have many options such as the wildcard, they need to be redone every couple of years. LetsEncrypt on the other hand, is a process that keeps recerting automatically (kind of their whole reason to exist).
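
An added example, not part of the thread: a Python check of the two things discussed above, whether a certificate's names cover the hostname clients use (including what a wildcard does and does not cover) and whether a strict client would accept the certificate at all. The function names and the sample name lists are constructed for illustration.

```python
import socket
import ssl


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is accepted only as the whole left-most
    label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # refuse overly broad patterns such as "*.com"
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covering_names(san_names, hostname):
    """Return the certificate names that cover `hostname`."""
    return [n for n in san_names if name_matches(n, hostname)]


def check_server(host: str, port: int = 443, timeout: float = 5.0):
    """Connect the way a strict client does; return (accepted, detail)."""
    ctx = ssl.create_default_context()  # system trust store + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return True, f"trusted; notAfter={cert['notAfter']}; names={sans}"
    except ssl.SSLCertVerificationError as e:
        # self-signed, untrusted issuer, expired, or hostname mismatch
        return False, f"rejected: {e.verify_message}"
    except OSError as e:
        return False, f"connection failed: {e}"


if __name__ == "__main__":
    wildcard_cert = ["*.xyz.com.au"]  # constructed sample SAN list
    for host in ("mail.xyz.com.au", "xyz.com.au", "a.mail.xyz.com.au"):
        print(host, "->", covering_names(wildcard_cert, host) or "NOT covered")
    # Against a live service (implicit-TLS ports only, no STARTTLS):
    # print(check_server("mail.xyz.com.au", 443))
```

`check_server` only speaks implicit TLS, so it suits HTTPS-style ports; services that upgrade with STARTTLS need a protocol-aware client to reach the handshake.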