Hi,
The cipher-suites, the list of ciphers which can be used is presented by the client, in either case the server sending a mail.
In case of outbound (shorted to relevant): SMG sends ehlo, receives 250 ..., SMG sends STARTTLS, receives 220 OK, SMG sends "Client Hello" including minimum encrytion version and cipher suites. After that the receiving server is sending a ip packet with the selected the cipher suite and a packet with the certificate (should include the chain).
In case of inbound: Server somewhere in the internet (Iserver later on) is sending a mail, recipient is hosted behind SMG. Iserver sends ehlo, SMG sends 250, Iserver sends STARTTLS, SMG sends 220 OK, Iserver sends "Client Hello" including cipher suites. SMG picks one of the offered (first match between offered and local allowed, prio by number offered) and sends installed public key of the certificate.
As you can see the activated ciphers on SMG apply to in- and outbound.
Thomas