
Resolved
0 votes
I installed a new SSL cert on our server (Clear OS 7 Business). Initially I had an issue with a mis-formatted cert file, and things didn't work. I've now corrected that. Webconfig uses the correct cert, and so does Roundcube (the web interface for the mail server). However, IMAP is still serving up the expired old certificate somehow. I can't figure out even where the old one could be. Certificate manager provides the correct, new files. I have rebooted the server, no joy.
Anyone ever had this happen?
Wednesday, January 16 2019, 03:58 AM

Accepted Answer

Saturday, January 19 2019, 03:12 AM
Thank you, that seems to have worked.

  1. I edited /etc/imapd.conf to point to the files in /etc/clearos/certificate_manager.d
  2. Be sure that all those files have group "ssl-cert"
  3. Add the cyrus user to the ssl-cert group: usermod -a -G ssl-cert cyrus
  4. Then restart cyrus-imapd: systemctl restart cyrus-imapd.service

Note that most people will also use SMTP, and possibly Zarafa also. If so, there are other configurations to be done, available on the page Nick Howitt linked to.

I wonder why the IMAP server doesn't automatically use the certificate indicated in the Certificate Manager?
Responses (4)
  • Wednesday, January 16 2019, 08:03 AM
    Have a look at the Using Let's Encrypt Certificates for Mail HowTo to give you an idea of how to change your cyrus-imap configuration. Your imported certificates are under /etc/clearos/certificate_manager.d. You may need to make a single file containing your certificate and intermediate/chain certificate. Optionally you can put your key in there as well and use one single file for all three parameters.
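The two posts above together describe one procedure: build a single file with the server certificate followed by the intermediate, point the tls_* options in /etc/imapd.conf at the Certificate Manager files, make the files readable by the ssl-cert group, add cyrus to that group, and restart cyrus-imapd. The script below is an added example, not code from the thread, from the linked HowTo or from ClearOS. It performs those steps and then does the check the original poster was missing: it compares the SHA-256 fingerprint of the certificate IMAP actually presents on port 993 with the certificate on disk, so a stale file left somewhere else shows up as a mismatch instead of an expired-certificate warning in a mail client days later. Assumptions not stated on the page: Cyrus 2.x option names (tls_cert_file, tls_key_file, tls_ca_file) and the file names under /etc/clearos/certificate_manager.d, which are hypothetical and should be replaced with whatever Certificate Manager created.

```shell
#!/bin/sh
# Added example (not from the thread or from ClearOS). Run with --apply as
# root to perform the change; without --apply it only defines the functions.
# ASSUMED names: Cyrus 2.x tls_* option names and the file names below.
CERT_DIR=/etc/clearos/certificate_manager.d
LEAF="$CERT_DIR/mail.example.com-cert.pem"          # hypothetical file name
INTERMEDIATE="$CERT_DIR/mail.example.com-ca.pem"    # hypothetical file name
KEY="$CERT_DIR/mail.example.com-key.pem"            # hypothetical file name
BUNDLE="$CERT_DIR/mail.example.com-fullchain.pem"   # created by this script
IMAPD_CONF=/etc/imapd.conf

# build_bundle OUT LEAF INTERMEDIATE...: write the server certificate first,
# then the intermediate(s), which is the order a TLS server must send them.
# Refuses anything that is not a PEM certificate, so a private key can never
# end up in this world-readable file.
build_bundle() {
    out=$1; shift
    for f in "$@"; do
        grep -q '^-----BEGIN CERTIFICATE-----' "$f" \
            || { echo "not a PEM certificate: $f" >&2; return 1; }
    done
    cat "$@" > "$out" && chmod 644 "$out"
}

# set_imapd_tls CONF CERT KEY CA: drop any existing tls_*_file lines and
# append the new ones; every other line of the config is preserved.
set_imapd_tls() {
    conf=$1; tmp=$(mktemp)
    grep -Ev '^[[:space:]]*tls_(cert|key|ca)_file:' "$conf" > "$tmp" || true
    printf 'tls_cert_file: %s\ntls_key_file: %s\ntls_ca_file: %s\n' \
        "$2" "$3" "$4" >> "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# get_imapd_option CONF KEY: print the value of KEY (last occurrence).
get_imapd_option() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1
}

# readable_by_group FILE GROUP: true if FILE belongs to GROUP and has the
# group read bit, i.e. what the cyrus user needs once it is in ssl-cert.
readable_by_group() {
    [ -n "$(find "$1" -group "$2" -perm -g=r 2>/dev/null)" ]
}

# SHA-256 fingerprint of the certificate a TLS server presents (HOST PORT)
# and of the first certificate in a file, for comparison.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

if [ "${1:-}" = "--apply" ]; then
    build_bundle "$BUNDLE" "$LEAF" "$INTERMEDIATE"
    chgrp ssl-cert "$BUNDLE" "$KEY" "$INTERMEDIATE" "$LEAF"
    chmod 640 "$KEY"                       # key stays readable by owner + ssl-cert only
    readable_by_group "$KEY" ssl-cert || { echo "key not readable by ssl-cert" >&2; exit 1; }
    set_imapd_tls "$IMAPD_CONF" "$BUNDLE" "$KEY" "$INTERMEDIATE"
    usermod -a -G ssl-cert cyrus
    systemctl restart cyrus-imapd.service
    sleep 2
    served=$(served_fingerprint "$(hostname -f)" 993)
    disk=$(file_fingerprint "$LEAF")
    if [ "$served" = "$disk" ]; then
        echo "IMAP now serves the certificate in $LEAF"
    else
        echo "MISMATCH: served $served, on disk $disk" >&2; exit 1
    fi
fi
```

The fingerprint comparison is the part worth keeping even if you do the rest by hand: `openssl s_client -connect host:993` followed by `openssl x509 -noout -enddate -fingerprint -sha256` tells you which certificate the daemon really loaded, and it is the same check to run against port 25/587 once Postfix is switched over. The key is deliberately kept out of the bundle and at mode 640 so the bundle itself can stay 644.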
  • Saturday, January 19 2019, 09:00 AM
    A lot of applications don't worry too much about the validity or content of certificates. To my knowledge, cyrus-imap, postfix (SMTP server), OpenLDAP and, to some extent, Radius come into this category. They bootstrap their certificate on installation and just keep working whether it is valid or not. The only application I have heard of which worries about certificate expiry for cyrus-imap and postfix is Outlook 2016. All other e-mail programs I've heard about just accept any dated certificate. They also permanently accept self-signed certificates after the certificate has been accepted once. If you do not use Outlook 2016, the main benefit I see from using a proper certificate is that you don't have to go through an initial certificate acceptance step when setting up a device. There are other minor benefits, such as being able to control the certificate strength and so on, but not much. Cyrus-imap sets up its own certificate when installed as part of the upstream packaging and has nothing to do with our application installation, although our application installation could then insert its certificates, I suppose. OpenLDAP and postfix have our bootstrap certificate inserted when our app is installed and Radius does its own thing (there is a whacky ClearOS certificate there as well but it does nothing). In fact the Freeradius people actively suggest you do not use your proper certificates!

    There is a move to upgrade the certificate manager to make it more flexible and assist with deploying certificates (and renewing current certificates) but I don't know how far it goes to deploy Commercial and Let's Encrypt certificates into other apps.
  • Saturday, January 19 2019, 03:35 PM
    I understand. But people are being told to be suspicious of any site that produces a security error, which is a good thing given the direction of the internet. When their mail server suddenly causes Thunderbird to pop up a security warning about an expired certificate, people get concerned. At best, it doesn't make me look very competent.

    Given that ClearOS already has the certificate manager, it wouldn't be too hard to provide customized packages for IMAP, SMTP and Zarafa with a few altered lines in the conf files to point to these certs, so all apps on the system update automatically.
  • Saturday, January 19 2019, 04:27 PM
    I understand what you're saying but that is not my experience with Thunderbird. My original certificate expired in 2013 and I don't remember TB ever telling me. On first use it gave a certificate warning because the certificate is self-signed and that was it. I started using Let's Encrypt in Nov '16 but initially not for e-mail. That came later, a bit before I wrote the HowTo. The only e-mail program I know which is strict about certificates is Outlook 2016 - but I only know a few e-mail clients, from personal experience and forum posts.

    Apparently the current certificate manager has issues with it. I know of some (not prompting for a password when importing an encrypted key, not being easily able to reuse a key to create a CSR when updating a certificate, a faulty restriction in the allowed nickname you give your certificate). A new certificate manager was being re-written, but it needs to do things like restart apps when a certificate is updated, but only if that app is using the certificate and so on.

    If you can code, I'm sure you'd be welcome to contribute on GitLab. The only real contributions I can make are to scripts and configurations as I can't code in PHP (although I am just pushing through a trivial patch to app-events).

    Remember that for Clearcenter, all programming effort takes time and therefore costs money if they use their own team and they have to decide on priorities.