I've set up https://hub.docker.com/r/tvial/docker-mailserver/ with a Letsencrypt certificate and it seems to work.
For instance, using openssl, I can connect:
openssl s_client -host test-mail.zedeler.dk -port 993
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = test-mail.zedeler.dk
verify return:1
---
Certificate chain
0 s:/CN=test-mail.zedeler.dk
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFCzCCA/OgAwIBAgISAxJ39Kupidovpu/Of4I2WSw9MA0GCSqGSIb3DQEBCwUA
[SNIP]
-----END CERTIFICATE-----
subject=/CN=test-mail.zedeler.dk
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3131 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 521C004DD2D234312D9AAF19C2CB985656676FCAE36088172CEE0064C299A990
Session-ID-ctx:
Master-Key: 68EC9097F387404A889745B92A39C7B6713FB0495DA52C486ABF88577CEF9FA4A5C8B15419B9AFC5EB817742C17CFC62
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - da bd 65 db bd 9f d7 c7-25 07 91 31 13 aa 2b 5a
[SNIP]
Start Time: 1505919651
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
1 capability
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN
1 OK Pre-login capabilities listed, post-login capabilities have more.
2 id
* ID ("name" "Dovecot")
2 OK ID completed.
3 plain
3 BAD Error in IMAP command received by server.
4 authenticate plain
+
[SNIP]
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE
4 OK Logged in
5 list "" *
* LIST (\HasNoChildren \Trash) "." Trash
* LIST (\HasNoChildren \Sent) "." Sent
* LIST (\HasNoChildren \Drafts) "." Drafts
* LIST (\HasNoChildren) "." INBOX
5 OK List completed (0.000 + 0.000 secs).
And it seems that the certificate chain works as it should:
https://ssl-tools.net/mailservers/test-mail.zedeler.dk
But when I try to set up the account in Thunderbird, I get the frustrating message "Thunderbird failed to find the settings for your email account". I can see from the server log that Thunderbird only establishes the TLS connection and disconnects again. It doesn't try to log in.
I've tried switching on debugging in Thunderbird, but it seems that the account setup panel doesn't produce any debug output.
I've tested the same setup with Evolution and it works out of the box.
Any suggestions?