Simple fix after each certificate renewal:
chmod 755 -R /etc/letsencrypt/{archive,live}; chgrp -R Debian-exim /etc/letsencrypt/{archive,live}
service apache2 restart
service dovecot restart
service exim4 restart
Deprecated : Uses too many resources, but may be useful sometime:
Install and configure incrontab as described here https://forum.ff.co.za/forum-topic/inotify-incrontab, and add the below incrontab job to the correct Certificate Name.
First create or modify the script:
$ nano /usr/local/tools/certbot-fix.sh
#!/bin/bash
chmod 755 -R /etc/letsencrypt/{archive,live}; chgrp -R Debian-exim /etc/letsencrypt/{archive,live}
service exim4 restart
service dovecot restart
$ chmod 755 /usr/local/tools/certbot-fix.sh
Be sure to change the CN, below. E.g. Where $CN is /etc/letsencrypt/archive/waspa.org.za. No trailing slash!)
$ incrontab -e
/etc/letsencrypt/archive/$CN IN_CREATE /usr/local/tools/certbot-fix.sh
Note that the above command restarts exim4 and dovecot after an automatic certificate renewal. Currently tested, working, but not used in production, yet.