Hello, a properly configured TLS server needs to include the intermediate certificates. You do that by using the what some ACME clients call "fullchain", yes. It is not about the root CA certificate, it is about the issuer certificate, which is the intermediate certificate. Otherwise only the TLS clients that by accident have the intermediate certificate already in the cache or implement AIA fetching will be able to connect.
I strongly suggest to monitor your TLS setup with something like check_ssl_cert [1] so you are not blindsided by TLS misconfigurations like this. The "ca" directive in opensmtpd has nothing to do with any of this. The ca directive refers to the CA opensmtpd uses to client certificates, so this is unrelated. I believe you can find the details of this in "man 5 smtpd.conf" [2] although basic understanding of TLS is required, in short: pki "mx" cert should point to fullchain.cert pki "mx" key should point to the key file. cheers [1] https://github.com/matteocorti/check_ssl_cert [2] https://man.openbsd.org/smtpd.conf
