Hi Dan,
there are days I feel small and insignificant. You made today such a day… in a positive manner: I was allways wondering why Thunderbird does not configure my e-mail accounts correctly out of the box. I was thinking of “my fault - I did not set up the thunderbird or myserver” correct. It did not even cross my mind that there might by an autotool for this. You did not only solve one of my issues, you also tougth me something new 
… Works yout of the box, thank you so much.
As I do not know much on certificates and I do not want to make an error, can you explain / code this steps in more detail? Additionally, would this require an update if Letsencrypt certificates are renewed? I think there is some script provide by … do not rember, it was about using certificate for AD server … maybe same mechanism can be applied, too, will try to find it…
EDIT:
Best regards
Thorsten