Certificate for Postfix/Dovecot

I don’t know what I messed up, but I had a certificate working fine for my mail service last year. When it was time to renew a few months back, I tried to use LetsEncrypt to cert the server hostname (Virtual console and mail services) and it didn’t work, since it seems that only works for existing virtual hosted domains and the server hostname itself is not a Virtualmin account on its own.

So I then manually uploaded my new certs:

Certificates for Postfix in:
/etc/postfix/postfix.cert.pem

Key for Postfix in:
/etc/postfix/postfix.key.pem

CA in:
/etc/webmin/miniserv.chain

For Dovecot:
Cert in:
/etc/pki/dovecot/certs/dovecot.pem

Key in:
/etc/pki/dovecot/private/dovecot.pem

CA in:
/etc/webmin/miniserv.chain

Then it worked again in Outlook. No cert complaints anymore but something is wrong. I’m sure something is wrong because I cannot configure the email accounts in Android anymore. It will not accept the certificate, saying it’s not trusted. I also get the same cert error when I try the Outlook Android app.

I think I have messed something with the last file:
/etc/webmin/miniserv.chain

I cannot remember but I think I used a .pem or chained file there before. I’m sure about one thing. It was working fine in the Android email app and Android Outlook and now the new certificate does not.

Now it only works in Outlook Desktop and in the web browser (virtualmin, usermin, webmin, etc.) (no complaints whatsoever there), but for some reason Android is rejecting the cert when I try IMAP or POP. I think something is wrong with the chain file or the last CA file. But I cannot find what exactly I’m supposed to put here. I used the CA cert from Geotrust, but I think that is wrong, and maybe it should be chained? I also find it strange that I don’t have to specify the CRT anywhere. That alone makes me think something must be wrong. I did not generate the CRT in the server.

The reason it worked before, is because I was using the same cert I had in a domain, so I used the Virtualmin copy feature (it was a wildcard so it worked). But that domain cert now does not match my server hostname anymore. I cannot copy the cert from that domain. I do have other certs installed in 3 other domains in Virtualmin. They work fine for Apache, but the problem is that Postfix and email server run on another IP, the hostname of the server.

And here comes the strange part. The cert also works fine for the Virtualmin console https://server.domain.tld:10000

No complaints, in any browser. How can I use the same certificate Virtualmin/Webmin is using for the mail services? That certificate matches the mail server, and that is what I used in the above files, but something must be wrong as Android is not accepting it as trusted. I cannot figure out why Outlook Desktop and browsers seem to be fine with it, but Android hates the cert.

Help would be appreciated to tell me what to check. What exactly is required in the CA file for Postfix and Dovecot? And where do I put the CRT for those services?
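
One way to check the chain question raised above, as an added example that is not part of the original post: Postfix and Dovecot send the certificates from their certificate file in file order, so that file is expected to hold the server certificate first, followed by its intermediate CA certificates. The script below reads a PEM file and reports where that order breaks; the function names are this example's own, and it assumes issuer and subject names match byte for byte, as they normally do in CA-issued chains.

```python
import base64, re, sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER issuer and subject Names of one X.509 certificate."""
    _, start, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, start)           # TBSCertificate SEQUENCE
    fields = []                                # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                        # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def load_pem_certs(data):
    """Decode every CERTIFICATE block in a PEM file, in file order."""
    return [base64.b64decode(body) for body in PEM_RE.findall(data)]

def check_chain_file(data):
    """Return a list of problems in a PEM cert file; an empty list means none found."""
    names = [issuer_and_subject(der) for der in load_pem_certs(data)]
    if not names:
        return ["no certificates found"]
    problems = []
    if names[0][0] == names[0][1]:
        problems.append("first certificate is self-issued (a CA, not a server certificate?)")
    elif len(names) == 1:
        problems.append("only the server certificate is present; no intermediate follows it")
    for i in range(len(names) - 1):
        # Assumption: a certificate's issuer Name equals its issuer's subject Name byte for byte
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    return problems

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as fh:
        for line in check_chain_file(fh.read()) or ["chain order looks consistent"]:
            print(line)
```

Run it with the path of the certificate file as the only argument. It checks ordering and names only, not signatures, expiry or hostname.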