ssl_cert = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/fullchain.pem
ssl_key = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/key.pem
ssl_ca = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/ca.pem

This is wrong, it should be:

ssl_cert = </etc/letsencrypt/live/idaweb-mail.rooot.de/fullchain.pem
ssl_key = </etc/letsencrypt/live/idaweb-mail.rooot.de/privkey.pem

The address idaweb-mail.rooot.de does not resolve. There is a
webmail.rooot.de, but its certificate is for mail.rooot.de, which is
wrong. There is also a mail.rooot.de, whose certificate is also for
mail.rooot.de, which is okay.

Yet another possibility (but it seems less likely given that an Apple Mail
from 2016 is a reasonably recent mail client) is that it does not support
recent enough SSL protocols, which were enforced by your server upgrade.
See the entries for MinProtocol and CipherString in the openssl.cnf file
on the server.
Gregory
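
The path problem discussed in the message above can be checked mechanically. The following is an added example, not part of the original message or of Dovecot itself: the function name check_dovecot_ssl_paths, the host mail.example.org and the temporary directory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report ssl_cert / ssl_key / ssl_ca settings in a Dovecot
# config whose "<file" reference does not point at a readable file.
# check_dovecot_ssl_paths is a hypothetical helper name, not a Dovecot tool.
check_dovecot_ssl_paths() {
    conf=$1
    rc=0
    # Dovecot reads the value from a file when it starts with "<".
    # Commented-out lines are skipped because they do not start with "ssl_".
    refs=$(sed -nE 's/^[[:space:]]*(ssl_(cert|key|ca))[[:space:]]*=[[:space:]]*<[[:space:]]*([^[:space:]]+).*$/\1 \3/p' "$conf")
    while read -r setting path; do
        [ -n "$setting" ] || continue
        if [ -r "$path" ]; then
            echo "OK $setting $path"
        else
            echo "MISSING $setting $path"
            rc=1
        fi
    done <<EOF
$refs
EOF
    return "$rc"
}

# Constructed sample: a throwaway directory stands in for /etc/letsencrypt,
# and mail.example.org is a placeholder host name.
demo=$(mktemp -d)
mkdir -p "$demo/live/mail.example.org"
: > "$demo/live/mail.example.org/fullchain.pem"
cat > "$demo/dovecot.conf" <<EOF
ssl = required
ssl_cert = <$demo/live/mail.example.org/fullchain.pem
ssl_key = <$demo/live/mail.example.org/key.pem
EOF
# key.pem does not exist in the sample tree, so ssl_key is reported MISSING.
check_dovecot_ssl_paths "$demo/dovecot.conf" || echo "fix the paths above, then reload Dovecot"
```

Run as the user Dovecot starts under, since the readability test depends on that user's permissions.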