From your description, Icewarp is currently only presenting your domain certificate (leaf/end-entity) cert, not the intermediate certificate(s) that the certificate chain is made up of, so the cert fails in Thunderbird because it used to know about the old Let's Encrypt intermediate and doesn't know about the new one, so it expects to find it in your certificate chain instead: Note regarding transition to R3 intermediate with Firefox or Thunderbird
If the actual cert is renewing OK then the task is to find out how to get Icewarp to use the correct intermediate certificates, this can sometime be done on other servers by giving it a 'chain' file containing the intermediates and the root.
I don't know the first thing about Icewarp but from your description the built in ACME client that talks to Let's Encrypt needs to be up to date, so make sure it is.
For ACME certs, http validation works by presenting a specific http response file to Let's Encrypt when they ask for it. If validation has stopped working then something has change in your configuration or the server simply needs a restart. A lot of windows ACME clients (such as the one I maintain: https://certifytheweb.com) start a temporary http listener in port 80, so you don't have to have IIS running, or it can even sit in front of IIS and just answer the acme challenges. I don't know if Icewarp has that feature.
DNS validation (also called dns-01) involves automatically asking Let's Encrypt for a challenge, this then roughly means your system has to add/update the TXT record _acme-challenge.yourdomain.com with the value specified by Let's Encrypt. To do this can involve any number of DNS APIs and whether you will be able to use that feature depends on Icewarps acme support for DNS validation, and your DNS service.
You could use Certify The Web (or other tools) to fetch your certificate then script the certificate update to Icewarp.