I've now tried the following to no avail:
1) Edited dovecot-openssl.cnf with boxes fqdn and details and modified mkcert.sh to
reflect correct paths and generated new dovecot.pem files for /certs/ and /private/.
2) In /etc/dovecot.conf uncommented and edited "ssl_ca_file" param to point to a
multitude of the files in /usr/share/ssl/certs
Restarting dovecot & sendmail after every change and retesting. Closing OE and
reopening and rechecking email via IMAPS or POPS generates the same warning regardless
(but can be used to quickly test, rather than waiting the 15-20 mins).
I know it's a silly thing, but it sure does look unprofessional to clients providing a
"secure" email solution that subsequently warns them of untrusted certs :(
Kindest
Brett