I've got a Dovecot/Postfix server running on a Raspberry Pi running Raspbian 10 (Buster). I have two domain names running on the same server, which for privacy I'll call DOMAIN 1 and DOMAIN 2. Both have e-mail addresses associated with them, and both domains send and receive e-mail fine.
HOWEVER, whenever I try to check e-mail, particularly with Outlook, I get a warning for DOMAIN 2, "The server you are connected to is using a security certificate that cannot be verified. The target principal name is incorrect.", but not for DOMAIN 1.
When I 'View Certificate' the certificate claims it is issued to DOMAIN 1.
I have the domains set up using SNI with DOMAIN 1 as the default in both Dovecot and Postfix as follows:
/etc/postfix/vmail_ssl.map
mail.DOMAIN1.com /etc/letsencrypt/live/DOMAIN1.com/privkey.pem /etc/letsencrypt/live/DOMAIN1.com/fullchain.pem
mail.DOMAIN2.com /etc/letsencrypt/live/DOMAIN2.com/privkey.pem /etc/letsencrypt/live/DOMAIN2.com/fullchain.pem
/etc/dovecot/ssl-sni.conf
local_name mail.DOMAIN1.com {
ssl_cert = </etc/letsencrypt/live/DOMAIN1.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/DOMAIN1.com/privkey.pem
}
local_name mail.DOMAIN2.com {
ssl_cert = </etc/letsencrypt/live/DOMAIN2.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/DOMAIN2.com/privkey.pem
}
and as follows in Dovecot's SSL Conf
/etc/dovecot/conf.d/10-ssl.conf
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert = </etc/dovecot/private/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.key
# default
ssl_cert = </etc/letsencrypt/live/DOMAIN1.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/DOMAIN1.com/privkey.pem
# DOMAIN2.com
local_name mail.DOMAIN2.com {
ssl_cert = </etc/letsencrypt/live/DOMAIN2.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/DOMAIN2.com/privkey.pem
}
I'm not massively experienced with setting this stuff up, but it looks to me like Dovecot is serving the SSL certificate for DOMAIN1 as the default in all circumstances, and not serving the certificate for DOMAIN2 when a connection is made to check mail for that domain... Although I might be entirely wrong... Can anybody suggest what I've done wrong and what I need to do to make SNI work properly? I've tried my best, but my best just doesn't seem to be good enough...
Thanks!
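To find out which certificate the server actually presents for each SNI name, which is the question this post comes down to, here is an added check that is not part of the original post: it handshakes with the server name set, then reports whether the certificate that came back covers that name. It assumes implicit TLS on IMAPS port 993 (use 465 for Postfix submission) and uses the post's placeholder hostnames mail.DOMAIN1.com and mail.DOMAIN2.com.

```python
"""Check which certificate a Dovecot/Postfix host presents for each SNI name."""
import socket
import ssl


def fetch_peer_cert(hostname, port=993, timeout=10):
    """Handshake with SNI=hostname and return the presented cert as a dict."""
    # CA verification stays on (a Let's Encrypt chain validates), but hostname
    # checking is off so a mismatched certificate is returned instead of raising.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """Collect DNS SANs plus the subject CN from a getpeercert()-style dict."""
    names = {v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"}
    for rdn in cert.get("subject", ()):
        names.update(v.lower() for k, v in rdn if k == "commonName")
    return names


def name_matches(hostname, pattern):
    """RFC 6125-style match: exact, or a single leading '*.' wildcard label."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return hostname == pattern


def cert_covers(cert, hostname):
    return any(name_matches(hostname, n) for n in cert_names(cert))


def sni_report(hostnames, port=993):
    """Map each SNI name to (names in the served cert, whether it covers the name)."""
    report = {}
    for host in hostnames:
        cert = fetch_peer_cert(host, port)
        report[host] = (sorted(cert_names(cert)), cert_covers(cert, host))
    return report


if __name__ == "__main__":
    # Placeholder hostnames from the post; replace with the real mail hosts.
    for host, (names, ok) in sni_report(["mail.DOMAIN1.com", "mail.DOMAIN2.com"]).items():
        print(f"{host}: served {names} -> {'OK' if ok else 'MISMATCH (default cert served)'}")
```

A MISMATCH for mail.DOMAIN2.com while the served names are DOMAIN1's confirms that the default certificate is being handed out regardless of SNI, which is the behaviour the post suspects.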