If I check my XMPP Server "trashserver.net" I get the "M" score, because "h-sirius..." does not match my TLS certificate for "trashserver.net". I'm not 100% sure, but I guess the test shouldn't check against the hostname in the right value part of my SRV record, but against the original domain for the XMPP service.
Web browsers don't check the certificates against the resolved hostname of a CNAME record either, but against the original domain.
If I check my XMPP Server "trashserver.net" I get the "M" score, because "h-sirius..." does not match my TLS certificate for "trashserver.net". I'm not 100% sure, but I guess the test shouldn't check against the hostname in the right value part of my SRV record, but against the original domain for the XMPP service.
Web browsers don't check the certificates against the resolved hostname of a CNAME record either, but against the original domain.
Could you fix that?