Gmail pop3 ssl can't fetch mail server

1

Suddenly Gmail can't fetch any more mail from my mail server (postfix, dovecot), with the below message:

Unable to establish secure SSL connection to mail.domain.com
Server returned error: "SSL error: Certificate 1 of the best path has an error"

We didn't make any recent changes on our server; we are using TLS v1.2 on all of POP3, IMAP and SMTP.

SMTP is still working okay on Gmail.

Any other mail clients like Thunderbird, Outlook, mail exchange, etc. are working fine with our server.

Edit: I checked multiple POP3 SSL validation websites and command-line tools like "openssl s_client", and our server passed all of them.

MohammedSimba

Posted 2018-08-08T14:13:18.910

Reputation: 135

Have the certificates expired? – mt025 – 2018-08-08T20:25:05.153

Will expire in Oct 2018 – MohammedSimba – 2018-08-08T20:36:27.800

Answers

4

It seems that since Wednesday Google mail servers no longer accept intermediate certificates signed using the SHA-1 hash algorithm.

Running the command openssl s_client -connect server.example.com:995 -CAfile cacert.pem -showcerts revealed to me that the mail server was (and still is) providing the SHA-1 version of the intermediate certificate.

I don't know the name of the intermediate CA that is responsible in your case (it is the 1st one in your case; it was the 2nd in my case), but I'm sure you will find a reissued intermediate CA certificate on the CA's website. Running openssl s_client … with the -showcerts parameter should show the -----BEGIN CERTIFICATE----- block under "Certificate chain" where the number is 1 (it begins counting with 0, so it would be the 2nd block). You can copy that BEGIN to END CERTIFICATE block into a .crt or .cer file and open it on Windows to see the details.

For that particular intermediate CA in my case, the root CA had already reissued a SHA-256-signed version of the same certificate 4 years ago, but the server admin put the old SHA-1 version into the chain. In my particular case I will just ignore it, because I'm no longer actively using that mail account and the admins of that mail server don't seem to be experienced in the SSL/TLS context. (In 2016 it took them 2 months to realize what was wrong and how to fix it, even though I had told them in detail, and then they still didn't manage to get it 100% right.)

p-schneider

Posted 2018-08-08T14:13:18.910

Reputation: 56

1

That was exactly my case: I re-issued my SHA-1 certificate from my intermediate CA and configured it for my mail server, and now Gmail accepts my SSL connection again :) – MohammedSimba – 2018-08-12T11:19:57.940
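As an added example (not part of either post above), the check p-schneider describes can be scripted: pull the chain with openssl s_client -showcerts, split it into the numbered certificates, and print each one's signature algorithm so a SHA-1-signed intermediate stands out. It assumes the openssl CLI is installed; mail.example.com is a placeholder host.

```shell
# Added example, not from either post above: automate the check p-schneider
# describes. Assumes the openssl CLI; mail.example.com is a placeholder host.

# Print the signature algorithm of one PEM certificate file
# (e.g. sha256WithRSAEncryption, sha1WithRSAEncryption, ecdsa-with-SHA256).
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Walk every BEGIN..END CERTIFICATE block in a file (the format
# `openssl s_client -showcerts` prints), numbered from 0 like s_client's
# "Certificate chain" listing, and report each one's subject and signature
# algorithm. Returns 1 if any certificate in the chain is SHA-1 signed.
check_chain_sigalgs() {
    chain_file=$1
    tmpdir=$(mktemp -d)
    # split the chain: block n goes to cert<n>.pem
    awk -v d="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { out = d "/cert" (n + 0) ".pem"; n++ }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$chain_file"
    idx=0; bad=0
    while [ -f "$tmpdir/cert$idx.pem" ]; do
        alg=$(cert_sigalg "$tmpdir/cert$idx.pem")
        subj=$(openssl x509 -in "$tmpdir/cert$idx.pem" -noout -subject)
        echo "cert $idx: $subj  signature=$alg"
        case "$alg" in
            *sha1*|*SHA1*)
                echo "  !! cert $idx is SHA-1 signed: replace it with the CA's SHA-256 reissue"
                bad=1 ;;
        esac
        idx=$((idx + 1))
    done
    rm -rf "$tmpdir"
    return "$bad"
}

# Fetch the chain a POP3S server presents and check it. </dev/null closes
# stdin so s_client exits once the handshake output has been printed.
check_server() {
    host=$1; port=${2:-995}
    chain=$(mktemp)
    if ! openssl s_client -connect "$host:$port" -showcerts </dev/null >"$chain" 2>/dev/null; then
        echo "could not connect to $host:$port"; rm -f "$chain"; return 2
    fi
    if check_chain_sigalgs "$chain"; then rc=0; else rc=$?; fi
    rm -f "$chain"; return "$rc"
}
```

Run it as `check_server mail.example.com 995`; a non-zero exit with a `!!` line names the chain position (0 = server certificate, 1 = first intermediate) whose certificate needs the CA's SHA-256 reissue.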