Using Let's Encrypt SSL Certificates with Postfix/Dovecot
All,

If you host a mail server, you know the painful reality of new security restrictions imposed by mail programs refusing to send or receive mail due to SSL/TLS certificate complaints, e.g. self-signed, expired ... The good news is if you also run a web server and have SSL certificates for your domain, you can use the same certificates for your mail host. I use letsencrypt.org for the web certs (free as open-source and Linux should be).

After the latest round of iOS updates and having my self-signed cert expire, I decided to just bite the bullet and put my mail server(s) on real certificates so I don't have to deal with this again -- it worked.

The changes for dovecot are simple, just remove any self-signed cert you were using with `ssl_dh=...` and then add the path to your full certificates in conf.d/10-ssl.conf, e.g.

  /etc/dovecot/conf.d/10-ssl.conf

    ssl_cert = </etc/letsencrypt/live/rlfpllc.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/rlfpllc.com/privkey.pem

You also need to add the cert paths to your postfix main.cf config:

  /etc/postfix/main.cf

    smtpd_tls_cert_file = /etc/letsencrypt/live/rlfpllc.com/fullchain.pem
    smtpd_tls_key_file = /etc/letsencrypt/live/rlfpllc.com/privkey.pem

Now iOS is happy with your mail cert chain, but .. Thunderbird needs a few additional tweaks. The Thunderbird config editor changes needed are:

    security.OCSP.GET.enabled: true
    security.OCSP.enabled: 1
    security.OCSP.require: true
    security.ssl.enable_ocsp_must_staple: false
    security.ssl.enable_ocsp_stapling: true

Of those settings, the only one I needed to add was the first one, and the only other change was to toggle the setting on enable_ocsp_must_staple. The rest are already the default.

If you don't run web and mail servers -- disregard :)

--
David C. Rankin, J.D., P.E.
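The post above points Dovecot and Postfix at a fullchain.pem/privkey.pem pair by hand; the step it does not show is checking that pair before (and after every renewal) the daemons are reloaded. The script below is an added example and not part of the original post or of the Dovecot/Postfix projects: it verifies that the certificate and key actually belong together, that the leaf is not about to expire, and that the private key is not readable by others. The /etc/letsencrypt/live/rlfpllc.com/ paths in the usage comment are taken from the post; the make_demo_pair helper constructs a throwaway self-signed pair purely so the checks can be exercised offline.

```sh
#!/bin/sh
# Added example, not from the original post: sanity checks for the certificate/key
# pair that Dovecot (ssl_cert/ssl_key) and Postfix (smtpd_tls_cert_file/
# smtpd_tls_key_file) are pointed at, to run before reloading the daemons.
# The paths in the usage comment at the bottom are assumptions; substitute your
# own lineage under /etc/letsencrypt/live/<domain>/.

# check_tls_pair CERT KEY [DAYS]
# Returns 0 only if: both files are readable, the public key in CERT matches
# KEY (catches a wrong or stale privkey.pem), the leaf certificate does not
# expire within DAYS (default 14: a Let's Encrypt cert this close to expiry
# means renewal has not run), and KEY is not readable by "other".
check_tls_pair() {
    cert=$1; key=$2; days=${3:-14}
    [ -r "$cert" ] || { echo "cert not readable: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "key not readable: $key" >&2; return 1; }

    # Both commands emit the SubjectPublicKeyInfo as PEM, so they must be identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate/key mismatch" >&2; return 1; }

    # -checkend exits non-zero if the cert expires within the given number of seconds.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null \
        || { echo "certificate expires within $days days" >&2; return 1; }

    # Octal mode string, e.g. 600; the last digit is the "other" permission bits.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
    case $mode in
        *[1-7]) echo "private key is readable by others (mode $mode): $key" >&2; return 1 ;;
    esac
    return 0
}

# make_demo_pair DIR: constructed self-signed 90-day pair for offline testing only;
# it stands in for a real fullchain.pem/privkey.pem and is not a Let's Encrypt cert.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj '/CN=mail.example.test' \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1 || return 1
    chmod 600 "$1/privkey.pem"
}

# Stand-alone demonstration on the constructed pair.
demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir"
if check_tls_pair "$demo_dir/fullchain.pem" "$demo_dir/privkey.pem"; then
    echo "demo pair OK"
fi
rm -rf "$demo_dir"

# Real use, e.g. from a certbot deploy hook, so a renewed cert is actually served
# (the daemons keep the old cert in memory until reloaded):
#   check_tls_pair /etc/letsencrypt/live/rlfpllc.com/fullchain.pem \
#                  /etc/letsencrypt/live/rlfpllc.com/privkey.pem \
#   && systemctl reload postfix dovecot
```

The public-key comparison is the check that matters most on a renewal: certbot replaces both files at once, so a hook that only reloads one daemon, or a hand-copied key from an older lineage, shows up here as a mismatch rather than as a cryptic TLS handshake failure in the mail client. After reloading, `openssl s_client -starttls imap -connect <host>:143 -status` (or `-starttls smtp` against port 587) prints the chain the server really presents and whether an OCSP response was stapled, which is what the Thunderbird `enable_ocsp_*` settings in the post react to.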