ssl_cert = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/fullchain.pem
ssl_key = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/key.pem
ssl_ca = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/ca.pem
This is wrong, it should be:
ssl_cert = </etc/letsencrypt/live/idaweb-mail.rooot.de/fullchain.pem
ssl_key = </etc/letsencrypt/live/idaweb-mail.rooot.de/privkey.pem
The address idaweb-mail.rooot.de does not resolve. There is a webmail.rooot.de, but its certificate is for mail.rooot.de, which is wrong. There is also a mail.rooot.de, whose certificate is also for mail.rooot.de, which is okay.
Yet another possibility (but it seems less likely given that an Apple Mail from 2016 is a reasonably recent mail client) is that it does not support recent enough SSL protocols, which were enforced by your server upgrade. See the entries for MinProtocol and CipherString in the openssl.cnf file on the server.
Gregory
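
An added example, not part of Gregory's message: a textual lint for the ssl_cert and ssl_key lines quoted above. It assumes the settings are Dovecot's (the `<path` syntax) and that the server uses certbot's default /etc/letsencrypt/live/<name>/ layout, as in the corrected lines; the function name lint_dovecot_ssl is hypothetical.

```python
import re
from pathlib import PurePosixPath

# File names certbot writes under /etc/letsencrypt/live/<name>/ by default.
EXPECTED_FILE = {"ssl_cert": "fullchain.pem", "ssl_key": "privkey.pem"}
SETTING = re.compile(r"^\s*(ssl_cert|ssl_key)\s*=\s*(.*?)\s*$")

# The two variants quoted in the reply above.
BEFORE = """\
ssl_cert = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/fullchain.pem
ssl_key = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/key.pem
ssl_ca = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/ca.pem
"""
AFTER = """\
ssl_cert = </etc/letsencrypt/live/idaweb-mail.rooot.de/fullchain.pem
ssl_key = </etc/letsencrypt/live/idaweb-mail.rooot.de/privkey.pem
"""

def lint_dovecot_ssl(conf_text, live_root="/etc/letsencrypt/live"):
    """Return (setting, problem) pairs for ssl_cert/ssl_key lines that do not
    follow the certbot live layout. Text-only: no file is opened, and other
    settings such as ssl_ca are ignored."""
    problems, lineage = [], {}
    for line in conf_text.splitlines():
        m = SETTING.match(line.split("#", 1)[0])  # ignore trailing comments
        if not m:
            continue
        key, value = m.groups()
        if not value.startswith("<"):
            problems.append((key, "value must start with '<' so the file is read"))
            continue
        path = PurePosixPath(value[1:].strip())
        if path.parent.parent != PurePosixPath(live_root):
            problems.append((key, f"{path} is not under {live_root}/<name>/"))
        elif path.name != EXPECTED_FILE[key]:
            problems.append((key, f"expected {EXPECTED_FILE[key]}, found {path.name}"))
        else:
            lineage[key] = path.parent.name
    if len(set(lineage.values())) > 1:
        problems.append(("ssl_cert/ssl_key", "certificate and key come from different names"))
    return problems

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_dovecot_ssl(text) or "ok")
```

The lint checks path text only; whether the files exist and whether the certificate names match the host that clients connect to are separate checks.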