Not sure about your Nginx problem since I’m using an Apache Reverse Proxy for My Mailcow WebUI including Admin and SoGO interfaces but I can anwser right now your question about OCSP Stapling.
Thing is, Mailcow uses Postfix as MTA and Postfix developper categorically refuses to port this into Postfix.
You can read his anwser there : https://marc.info/?l=postfix-users&m=151119229905817.
The justification there is that it’s too complicated and brings more pain to deal with when it does not work than benefits, especially when using short lived certificates such as Let’s Encrypt ACME ones.
As of today I’ve been using mailcow for some months as a personnal mail solution and have yet to see my domain beeing reported or blacklisted so I guess the man know what he says.
I still hardened my setup quite a bit.
You may want to check some of my discussions about it there : https://community.mailcow.email/d/2796-pci-dss-hipaa-nist-compliance-adjustments/6 and there https://community.mailcow.email/d/2797-watchdog-container-feaks-out-if-smtpd-tls-is-enforced-on-encrypt/3
I also hardened my pfsense firewall a little :
I only opened ports 587,4190,143 and 25 since I don’t use the others and I don’t use autodiscovery and Outlook (I’m using Thunderbird as mail client and a dedicated Nextcloud Server as CalvDav / CardDav server for contacts and shared calendars).
I ususally don’t even use SoGo since Nextcloud Mail handles my minimal needs of Sieve and I find it more reliable than SoGO rules anyway.