You don't need to copy the cert out of your configuration. OpenSSL has an "s_client" subcommand which can open an SSL connection and verify the cert for you. It even knows how to do STARTTLS. Something like this ought to do it:
openssl s_client -starttls smtp -CAfile /path/to/ca/file -connect your.ironport:25
The /path/to/ca/file is necessary to provide openssl with a cache of root CA certs. You could use -CApath instead of -CAfile if you have a hashed directory of root CA certs instead of a single file containing them all.
You can also point this at your partner's SMTP server as well.
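An added example, not part of the original answer: by default s_client continues the handshake even when chain verification fails, so a scripted check has to read the "Verify return code" line rather than rely on the connection succeeding. The function names and the sample output below are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret the result of the s_client command shown above.

# Extract the numeric "Verify return code" from s_client output on stdin.
# Prints the code (0 means the chain verified); prints nothing if absent.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# check_smtp_cert HOST PORT CAFILE  (hypothetical helper name)
# Returns 0 only when the handshake completed and the chain verified.
check_smtp_cert() {
    host=$1 port=$2 cafile=$3
    # </dev/null closes stdin so s_client exits once the handshake is done.
    out=$(openssl s_client -starttls smtp -CAfile "$cafile" \
              -connect "$host:$port" </dev/null 2>&1)
    code=$(printf '%s\n' "$out" | verify_code)
    [ "$code" = "0" ]
}

# Constructed sample output (trimmed), used so the parser can be tried offline.
SAMPLE_OK='CONNECTED(00000003)
---
SSL handshake has read 3012 bytes and written 456 bytes
    Verify return code: 0 (ok)
---
250 STARTTLS'

SAMPLE_FAIL='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
---
    Verify return code: 20 (unable to get local issuer certificate)
---
250 STARTTLS'

echo "trusted chain -> code $(printf '%s\n' "$SAMPLE_OK" | verify_code)"
echo "unknown issuer -> code $(printf '%s\n' "$SAMPLE_FAIL" | verify_code)"
```

Against a live server, call it as `check_smtp_cert your.ironport 25 /path/to/ca/file` and test the exit status.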