I am getting lots of SSL_accept errors in the mail log files as a result of not being able to receive mail from certain servers. I think this is because of the sending servers not supporting ECDSA certificates, which is what Let's Encrypt uses as far as I know and is what I am using on Postfix.
I have smtpd_tls_security_level=may so I am not forcing using TLS.
I don’t know if that’s actually the problem but Let’s Encrypt does provide RSA certificates as well, and most ACME clients will request RSA certificates by default unless you explicitly ask for ECDSA…
You might temporarily try to raise this to 2, so you'll get TLS negotiation warnings/errors.
This should be set to fullchain.pem, which would make:
unnecessary.
Although smtpd_tls_CAfile can be used to provide an intermediate certificate, it isn't necessary, as smtpd_tls_cert_file can just use the whole fullchain file.
Perhaps some older mail transfer agents can only use protocols older than TLSv1.1?
I would suggest increasing the TLS log level first and see what really makes the negotiation fail.
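Pulling the advice in this thread together (point smtpd_tls_cert_file at fullchain.pem and drop the separate CAfile, offer an RSA certificate in addition to or instead of the ECDSA one, and raise the TLS log level while debugging), the following main.cf fragment is an added example and is not from any of the posts above or from the Postfix project. The parameter names are Postfix's own; the certificate paths, the hostname mail.example.com and the second "mail-ecdsa" lineage name are assumptions.

```ini
# Added example Postfix main.cf fragment (not from the original thread).
# All paths and hostnames below are assumed; adjust to your ACME client's layout.

# --- Before: leaf certificate only, chain supplied separately ---
# smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/cert.pem
# smtpd_tls_key_file  = /etc/letsencrypt/live/mail.example.com/privkey.pem
# smtpd_tls_CAfile    = /etc/letsencrypt/live/mail.example.com/chain.pem

# --- After ---
# Opportunistic TLS: senders that cannot negotiate TLS still deliver in clear text.
smtpd_tls_security_level = may

# fullchain.pem contains the leaf plus the intermediate(s), so Postfix sends the
# whole chain from one file and smtpd_tls_CAfile is not needed for that purpose.
# This lineage is assumed to hold an RSA certificate, which every TLS-capable MTA
# can use.
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/mail.example.com/privkey.pem

# Optional: keep an ECDSA certificate alongside the RSA one. Postfix presents
# whichever certificate type the client's offered cipher suites can use, so
# modern senders get ECDSA and RSA-only senders still succeed.
# (Assumed second lineage name; omit these two lines if you have only one cert.)
smtpd_tls_eccert_file = /etc/letsencrypt/live/mail-ecdsa.example.com/fullchain.pem
smtpd_tls_eckey_file  = /etc/letsencrypt/live/mail-ecdsa.example.com/privkey.pem

# Do not restrict protocols for opportunistic TLS beyond the broken ones;
# excluding TLSv1/TLSv1.1 here would turn old senders' handshakes into failures.
smtpd_tls_protocols = !SSLv2, !SSLv3

# Temporarily raise logging so the mail log shows why a handshake fails
# (level 2 logs handshake and certificate details). Return it to 1 afterwards.
smtpd_tls_loglevel = 2
```

After editing main.cf, run `postfix reload` and watch the mail log for the next connection from an affected sender; at log level 2 the entries show which protocol and cipher were negotiated, or the alert the peer sent, which tells you whether the failure is a certificate-type mismatch, a protocol-version mismatch, or something else entirely.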