According to https://wiki.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2Fauthentication the option "ssl_ca = < /path/to/ca.crt" is used, to verify CLIENT certificates during client authentication. So, I do not see, why the Let's encrypt root CA is defined here (via UCRV "mail/dovecot/ssl/cafile"), since clients usually do not use LE certificates for authentication. By default, "ssl_verify_client_cert = yes" is automatically set by the UCR template if "mail/dovecot/ssl/cafile" is set, which causes dovecot to ask clients to send a certificate during authentication. Luckily, auth_ssl_require_client_cert = yes" is not set by default. Otherwise, no client would be able to connect to dovecot. If a client automatically sends a certificate, I suspect that it will fail with the LE root CA set in the option "ssl_ca". Due to Bug 50105, the config option "ssl_ca" is currently not correctly filled with a proper root CA, which might prevent problems with certificate-sending clients and LE app on the mailserver.
This issue has been filed against UCS 4.4. UCS 4.4 is out of general maintenance and components may have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.