Review these setting options, especially the Recipient Encryption options.
Since Recipient Encryption can be None or Preferred, clearly the internal SMTP server need not do TLS, but it could.
Sender Encryption:
Required — The sender SMTP server must negotiate encryption with the Firebox.
None — The Firebox does not negotiate encryption with the sender SMTP servers.
Optional — The sender SMTP server can negotiate encryption with the receiver SMTP server. TLS encryption depends on the encryption capabilities and settings of the receiver SMTP server.
Recipient Encryption:
Required — The Firebox must negotiate encryption with the recipient SMTP server.
None — The Firebox does not negotiate encryption with the recipient SMTP server.
Preferred — The Firebox tries to negotiate encryption with the recipient SMTP server.
Allowed — The Firebox uses the behavior of the sender SMTP server to negotiate encryption with the recipient SMTP server.
For Q2 - from the docs:
About Certificates for TLS Encryption
When content inspection is enabled for inbound SMTP over TLS traffic, the proxy uses a certificate to re-encrypt incoming traffic after it is decrypted for inspection. You can use the default Proxy Server certificate for this purpose.
So - no, the firewall & the server do not need to use the same cert.