Using openssl to verify local certs is tricky. To validate the cert try: How to verify LE cert using openssl? - #2 by _az
The chain.pem is simply the Let's Encrypt Intermediate cert used to issue your leaf (the cert.pem). This time R11 was the Intermediate (it might be R10 or others). And, fullchain.pem is just your leaf followed by that Intermediate.
I see a valid wildcard cert and chain connecting to your domain name on port 587. I may not be connecting to the same thing you are using 'localhost'.
But, the error about "local issuer" usually involves the CA Trusted Root store on your local system. openssl is not able to find ISRG Root X1. That is the root that the chain leads to.
Have you made changes since you posted? Because this test to port 587 and your domain looks good: SSL Checker
Similarly, here is part of the openssl output from my test server:
```
openssl s_client -connect glorytoyah.org:587 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = *.glorytoyah.org
verify return:1
---
Certificate chain
 0 s:CN = *.glorytoyah.org
   i:C = US, O = Let's Encrypt, CN = R11
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 3 16:57:30 2025 GMT; NotAfter: Apr 3 16:57:29 2025 GMT
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
```
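
Added example, not part of the original post: a self-contained script that builds a throwaway three-level chain laid out like cert.pem / chain.pem / fullchain.pem and shows `openssl verify` failing with the "local issuer" error until the root is supplied as a trust anchor. The demo CA names, the `*.example.test` subject and the helper function names are constructed for illustration; nothing here is a real Let's Encrypt certificate.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway root -> intermediate -> leaf, laid out like
# cert.pem / chain.pem / fullchain.pem. Not real Let's Encrypt certificates.

make_demo_chain() {  # $1 = empty work directory
  local d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$d/demo.cnf"
  # Stand-in for ISRG Root X1 (self-signed trust anchor).
  openssl req -x509 -config "$d/demo.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Demo Root" -days 30 2>/dev/null
  # Stand-in for R11: intermediate signed by the root. This is chain.pem.
  openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Demo Intermediate" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/demo.cnf" -extensions ca -days 30 \
    -out "$d/chain.pem" 2>/dev/null
  # Leaf signed by the intermediate. This is cert.pem.
  openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=*.example.test" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -out "$d/cert.pem" 2>/dev/null
  # fullchain.pem is the leaf followed by the intermediate.
  cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
}

# The demo root is in no trust store openssl can see, so the chain dead-ends
# at the intermediate and verification fails.
verify_without_root() {
  openssl verify -untrusted "$1/chain.pem" "$1/cert.pem" 2>&1
}

# Same files, with the root passed explicitly as the trust anchor.
verify_with_root() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/cert.pem" 2>&1
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_demo_chain "$d" || return 1
  echo "--- root missing from trust store:"
  verify_without_root "$d" || echo "(verification failed, as expected)"
  echo "--- root supplied with -CAfile:"
  verify_with_root "$d"
  rm -rf "$d"
}
demo
```

Against real files, the first form (`openssl verify -untrusted chain.pem cert.pem`) succeeds only when the system trust store openssl reads contains the root the chain leads to.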