That's exactly my case, but avast keeps signing it with avast! untrusted. I suspect the nuance here is the fact that, like the thread starter, my self-signed cert does not map to the domain it's registered to (it redirects; it's basically a virtual server with multiple mail domains, and the certs all map to the server's domain and not the virtual domains).
This setup works without mailshield enabled because I imported the self-signed cert into the system keychain, but with mailshield on it asks me to trust avast! untrusted.
The invalid common name (CN) cannot be an issue for the proxy - it does not check the CN; this is done by the mail client (the proxy does not know the demanded domain). So if the certificate chain is OK, then the server certificate will be re-signed with the "trusted CA" regardless of the CN value. It is then the mail client's job to decide whether the CN matches or not.
I assume your problem is in fact caused by a missing root certificate. That means your mail server in fact does not send a self-signed certificate, but a certificate signed by a "self generated" CA. In this case, you have to import the "self generated" CA's certificate to the system keychain, not the server certificate itself.
I can check this if you give me the mail server address and the server is accessible on the internet (no login needed).
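
Added example, not part of the original thread: using the openssl CLI, it classifies a PEM certificate as truly self-signed or issued by a private CA, and shows that a CA-issued server certificate validates only when the CA certificate (not the server certificate) is trusted. The demo CA and server names and all helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: self-signed certificate vs. certificate from a private CA.

# Print the issuer or subject name of a PEM certificate without its label.
cert_name() {  # $1 = issuer|subject, $2 = PEM file
    openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# Echo "self-signed" when issuer == subject and the certificate validates
# with itself as the trust anchor; otherwise echo "ca-issued".
classify_cert() {  # $1 = PEM file
    if [ "$(cert_name issuer "$1")" = "$(cert_name subject "$1")" ] &&
       openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo "self-signed"
    else
        echo "ca-issued"
    fi
}

# Succeed when adding $1 as a trusted CA file lets openssl validate $2.
verifies_with() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Constructed sample input: a private CA and a server certificate it issued.
make_demo_certs() {  # $1 = empty directory
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Private CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
echo "ca.pem:   $(classify_cert "$demo_dir/ca.pem")"
echo "leaf.pem: $(classify_cert "$demo_dir/leaf.pem")"
# Trusting the server certificate itself does not complete the chain;
# trusting the CA certificate does.
verifies_with "$demo_dir/leaf.pem" "$demo_dir/leaf.pem" || echo "leaf alone: chain incomplete"
verifies_with "$demo_dir/ca.pem" "$demo_dir/leaf.pem" && echo "with CA: chain OK"
```
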