How SSL works in general is that:
- Thunderbird connects to the mail server and says: "I'm connecting to domain X"
- The mail server looks for a certificate for "X" and responds with that
- Thunderbird confirms that it trusts that certificate (because it came from a trusted CA like Let's Encrypt, and the domain on the certificate matches "X")
- The secure session is established
If you instead just connect to the IP address directly, then Thunderbird is going to say "I'm connecting to IP address a.b.c.d".
Since your Dovecot server does not have a trusted certificate for that IP address, it instead just picks the "default" certificate on the server, which isn't going to match the requested peer name (the IP address).
In turn, that is going to result in a trust error in Thunderbird.
Hopefully that provides an understanding as to why you need to configure the server domain in Thunderbird to match the certificates you have installed in Dovecot and Postfix.
Yes, that is a bit of a mystery. None of those certificates seem to be available on Dovecot anymore.
I think you need to take a look in your Dovecot configuration to see what happened. It all depends how you set it up all those years ago.
How it's meant to look is a bit like this, one for each of your domains: https://wiki.dovecot.org/SSL/DovecotConfiguration#With_client_TLS_SNI_.28Server_Name_Indication.29_support.
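A simplified model of the exchange described in this reply, added here as an illustration and not part of the original post or of Dovecot or Thunderbird: the server picks a certificate by the requested name and falls back to a default, and the client then checks the name it was configured with against that certificate. The domain names, the IP address and all function names are constructed for the example, and CA chain validation is not modelled.

```python
import ipaddress

# Constructed certificate store: server name -> subjectAltName entries on that cert.
CERTS = {
    "mail.example.com": [("DNS", "mail.example.com")],
    "mail.example.org": [("DNS", "mail.example.org")],
}
DEFAULT_CERT = "mail.example.com"  # used when no configured name matches


def is_ip(peer):
    try:
        ipaddress.ip_address(peer)
        return True
    except ValueError:
        return False


def server_select(sni):
    """Server side: pick the certificate for the requested name, else the default."""
    return CERTS.get((sni or "").lower(), CERTS[DEFAULT_CERT])


def dns_match(pattern, host):
    """A wildcard covers exactly one leftmost label; other labels must be equal."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def client_verify(peer, sans):
    """Client side: the configured server name must appear in the certificate."""
    if is_ip(peer):
        # An IP literal is compared only with iPAddress entries, never DNS names.
        want = ipaddress.ip_address(peer)
        return any(k == "IP" and ipaddress.ip_address(v) == want for k, v in sans)
    return any(k == "DNS" and dns_match(v, peer) for k, v in sans)


def connect(peer):
    """Full exchange: a server name is only sent for host names, not IP literals."""
    sni = None if is_ip(peer) else peer
    return client_verify(peer, server_select(sni))
```

`connect("mail.example.org")` succeeds while `connect("203.0.113.10")` fails, because the default certificate carries no entry for the address.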