Looks fine from my side, both on pop3s


ychaouche#ychaouche-PC 13:58:25 ~ $ openssl s_client -connect 103.106.168.105:995 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = emu.sbt.net.au
verify return:1
---
Certificate chain
 0 s:/CN=emu.sbt.net.au
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=emu.sbt.net.au
issuer=/C=US/O=Let's Encrypt/CN=R3
---
[...]
    Start Time: 1614694135
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Dovecot ready.
^C
ychaouche#ychaouche-PC 15:09:01 ~ $



and on pop3 with starttls




ychaouche#ychaouche-PC 15:14:28 ~ $ openssl s_client -starttls pop3 -connect 103.106.168.105:pop3 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = emu.sbt.net.au
verify return:1
---
Certificate chain
 0 s:/CN=emu.sbt.net.au
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=emu.sbt.net.au
issuer=/C=US/O=Let's Encrypt/CN=R3
---
[...]
    Start Time: 1614694499
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Dovecot ready.
^C
ychaouche#ychaouche-PC 15:15:04 ~ $






On 3/2/21 at 1:41 PM, Erwan David wrote:
On 02/03/2021 at 13:29, Voytek Eymont wrote:
For a couple of days, one of the users has been reporting an expired certificate
error in TB; looking at the log, I can see lines like:

Mar 02 21:46:24 pop3-login: Info: Disconnected (no auth attempts in 0
secs): user=<>, rip=111.222.333.444, lip=103.106.168.105, TLS: SSL_read
failed: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
certificate expired: SSL alert number 45, session=<...>

Here it is the certificate presented on the pop3 port (either port 110
with a STLS command or port 995)


but, looking at the server with
https://ssl-tools.net/mailservers/emu.sbt.net.au it says 'valid', as does
the certbot tool

Here it seems the site tests the SMTP server (on port 25), which is not
handled by Dovecot. You probably have different certificates on both.
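
An added example, not part of the original thread: a Python parser for Dovecot login log lines of the shape quoted above. It decodes the TLS alert and lists, per service, which client IPs sent a certificate-related alert, so a problem reported by one client can be told apart from one seen by many. The function names and sample lines are constructed, and the error-code decoding assumes the OpenSSL 1.x packing.

```python
import re
from collections import defaultdict

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

LINE_RE = re.compile(
    r"(?P<svc>\w+)-login: .*?rip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+),"
    r" TLS: SSL_read failed: error:(?P<code>[0-9A-Fa-f]{8}):.*?"
    r"SSL alert number (?P<alert>\d+)")

def parse_line(line):
    """Return a dict for a TLS-alert login failure, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    alert = int(m["alert"])
    # Assumes OpenSSL 1.x error packing (reason = low 12 bits). Reason
    # 1000 + N means alert N was received from the peer, i.e. the client.
    reason = int(m["code"], 16) & 0xFFF
    return {"service": m["svc"], "rip": m["rip"], "lip": m["lip"],
            "alert": alert, "name": CERT_ALERTS.get(alert, "other"),
            "from_peer": reason == 1000 + alert}

def summarize(lines):
    """Map (service, alert name) -> set of client IPs that sent that alert."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["from_peer"] and rec["alert"] in CERT_ALERTS:
            seen[(rec["service"], rec["name"])].add(rec["rip"])
    return dict(seen)

# Constructed sample input (documentation-range addresses), same line shape.
def make_line(svc, rip, code, text, alert):
    return (f"Mar 02 21:46:24 {svc}-login: Info: Disconnected (no auth attempts "
            f"in 0 secs): user=<>, rip={rip}, lip=198.51.100.5, TLS: SSL_read "
            f"failed: error:{code}:SSL routines:SSL3_READ_BYTES:{text}: "
            f"SSL alert number {alert}, session=<constructed>")

SAMPLE = [
    make_line("pop3", "192.0.2.10", "14094415", "sslv3 alert certificate expired", 45),
    make_line("pop3", "192.0.2.10", "14094415", "sslv3 alert certificate expired", 45),
    make_line("imap", "192.0.2.77", "14094418", "tlsv1 alert unknown ca", 48),
    "Mar 02 21:47:01 pop3-login: Info: Login: user=<alice>, rip=192.0.2.20, TLS",
]
print(summarize(SAMPLE))
```

The log line in the thread is wrapped across several lines by the mail client; join it back into one line before feeding it to `parse_line`.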