Answering my own question is bad form, I know but here it is.
For IMAP, leave the "default_host" without tls://. Adding tls:// seems to make it not honor TLS (??)
For SMTP, add tls:// to the "smtp_server". This seems to make it honor the request
For Let's Encrypt certs on boxes that fail on their validation of them and can't be updated do the following.
For both in connection options set "verify_peer" and "verify_peer_name" to "false"
Add the CA cert as "cafile". It can be found here (https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem)
I left all other SSL options as their defaults.
-------------------------
For google,
// Seems to drop in to TLS when tls:// is left off and verify* set to false
$config['default_host'] = 'imap.example.com';
$config['default_port'] = 143;
// For STARTTLS IMAP
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer'      => false,
        'verify_peer_name' => false,
        // certificate is not self-signed if cafile provided
        // 'allow_self_signed' => false,
        'cafile' => '/webs/noc2.example.com/data/certs/isrg-root-x1-cross-signed.pem',
        // For Letsencrypt use the following two lines and remove the 'cafile' option above.
        // 'ssl_cert' => '/webs/noc2.example.com/data/certs/imap.example.com.crt',
        // 'ssl_key'  => '/webs/noc2.example.com/data/certs/imap.example.com.key',
    ),
);
-----------
// SMTP server host (for sending mails).
// Enter hostname with prefix ssl:// to use Implicit TLS, or use
// prefix tls:// to use STARTTLS.
// Supported replacement variables:
//   %h - user's IMAP hostname
//   %n - hostname ($_SERVER['SERVER_NAME'])
//   %t - hostname without the first part
//   %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
//   %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
// To specify different SMTP servers for different IMAP hosts provide an array
// of IMAP host (no prefix or port) and SMTP server e.g. ['imap.example.com' => 'smtp.example.net']
// $config['smtp_server'] = 'localhost';
$config['smtp_server'] = 'tls://smtp.example.com';
// SMTP port. Use 25 for cleartext, 465 for Implicit TLS, or 587 for STARTTLS (default)
$config['smtp_port'] = 587;
// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';
// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';
// For STARTTLS SMTP
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer'      => false,
        'verify_peer_name' => false,
        // certificate is not self-signed if cafile provided
        // 'allow_self_signed' => false,
        'cafile' => '/webs/noc2.example.com/data/certs/isrg-root-x1-cross-signed.pem',
        // For Letsencrypt use the following two lines and remove the 'cafile' option above.
        // 'ssl_key'  => '/webs/noc2.example.com/data/certs/smtp.semperen.com.key',
        // 'ssl_cert' => '/webs/noc.example.com/data/certs/fullchain.pem',
    ),
);
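An added example (not from the post above and not Roundcube code) that maps these PHP stream-context 'ssl' options onto a Python ssl context, so you can see what each of verify_peer, verify_peer_name and cafile actually enforces, and then probe an IMAP or SMTP STARTTLS endpoint with the same settings. The sample options dict, the hostnames and the cafile path are placeholders.

```python
import imaplib
import smtplib
import ssl

# Constructed sample mirroring the 'ssl' array above; the cafile path is a placeholder.
SAMPLE_OPTIONS = {"verify_peer": False, "verify_peer_name": False,
                  "cafile": "/path/to/isrg-root-x1-cross-signed.pem"}


def build_context(opts: dict) -> ssl.SSLContext:
    """Map PHP stream-context 'ssl' options onto an ssl.SSLContext.
    verify_peer=false      -> CERT_NONE: the chain is never checked, so cafile is unused
    verify_peer_name=false -> the hostname is not compared against the certificate
    """
    ctx = ssl.create_default_context()
    verify_peer = opts.get("verify_peer", True)
    verify_peer_name = opts.get("verify_peer_name", True)
    # check_hostname must be cleared before verify_mode may become CERT_NONE
    ctx.check_hostname = bool(verify_peer and verify_peer_name)
    ctx.verify_mode = ssl.CERT_REQUIRED if verify_peer else ssl.CERT_NONE
    if verify_peer and opts.get("cafile"):
        ctx.load_verify_locations(cafile=opts["cafile"])  # trust anchor, e.g. ISRG Root X1
    return ctx


def chain_is_validated(opts: dict) -> bool:
    """True only when both the certificate chain and the peer name are checked."""
    ctx = build_context(opts)
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def probe_starttls(kind: str, host: str, port: int, opts: dict) -> str:
    """Open a plaintext IMAP/SMTP session, upgrade with STARTTLS, report the result."""
    ctx = build_context(opts)
    try:
        if kind == "imap":
            conn = imaplib.IMAP4(host, port, timeout=10)
            conn.starttls(ssl_context=ctx)
            conn.logout()
        else:
            conn = smtplib.SMTP(host, port, timeout=10)
            conn.starttls(context=ctx)
            conn.quit()
    except ssl.SSLError as exc:
        return f"{kind}: STARTTLS failed certificate verification: {exc}"
    return f"{kind}: STARTTLS ok, chain validated={chain_is_validated(opts)}"


if __name__ == "__main__":
    # Placeholder host from the post; point this at your own server.
    print(probe_starttls("imap", "imap.example.com", 143, SAMPLE_OPTIONS))
```

Run it once with the options as posted and once with both verify_* set to true plus the cafile to compare what each configuration reports.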