We believe we may have identified an issue with Dovecot's handling of multi-domain SSL certs. If you have one cert signed at once for more than one of your domains (for custom mail subdomain, for IMAP/POP/SMTP), Dovecot may continue to serve an expired certificate even after successful renewal. Investigating.
This issue doesn't seem to be what it initially appeared to be. As we continue to work on it, this seems to have occurred when multiple multi domain certs were made. For example, selected Domain1 and made a cert for all domains, selected Domain2 and made a cert for all domains, selected Domain3 and made a cert for all domains. Now all 3 domains have 3 Dovecot SNI certs in conf files for each domain.
Legal content allowed, don't be a dick.