See above. I noticed that that Postfix’s SNI SSL mapping does not automatically point to the latest Let’s Encrypt SSL certificates. Instead, when the postmap command is run, it copies the SSL and creates its own locally contained SSL set that are only the original SSL certificates. Therefore, postmap must be manually rerun every SSL certificate cycle or else you will get an error at https://ssl-tools.net/ because it does not automatically use the latest SSL certificates. A simple cron job to periodically rerun postmap -F hash:/etc/postfix/vmail_ssl.map (perhaps an hour after the acme job?) would fix this issue.
I propose the following addition:
7 1 * * * /usr/sbin/postmap -F hash:/etc/postfix/vmail_ssl.map > /dev/null