Just an idea, but maybe that's the problem?
https://doc.dovecot.org/configuration_manual/authentication/proxies/
"Note
ssl_client_ca_dir or ssl_client_ca_file aren’t currently used for verifying the
remote certificate, although ideally they will be in a future Dovecot version. For
now you need to add the trusted remote certificates to ssl_ca."
Hi Markus
Thanks for your suggestion, I have a couple of questions about it though.
First, my understanding from the docs was that ssl_client_ca_* were override parameters and that, in the absence of the parameters, Dovecot would default to using OpenSSL defaults? (And building on that, as per my manual tests, you can see OpenSSL returns an "OK" on the validation.)
Second, I'm dealing with standard Let's Encrypt certs here, no private PKI certs here.
Laura