I don't know then. Sorry.
But I just remembered that zimbra-proxy speaks "non SSL" with the zimbra-mailbox servers... If you want it to speak SSL, you have to use stunnel.
Maybe you're hitting the same "bug" that made Zimbra devs decide to go the "non SSL" way?
Did you check the bugzilla about this?
Nope.. didn't check bugzilla but googled quite extensively. I'll try some openssl s_client and s_server magic later.
Theoretically communication should be from myNginx <--> zimbraNginx and not directly to zimbra.mailbox-servers.