Hi Andrew,
I didn't have a client certificate and key configured because I assumed ptclient would be happy just verifying the server certificate (the CA cert for it is installed and properly referenced in imapd.conf), the same as saslauthd and ldapsearch manage with. The other parameters are all configured and, as far as I can see, correct, i.e. the directory and file parameters point to the correct directory and file for the CA certificate.
In case the client cert and key were needed, I tried initially with the snakeoil cert and key (no difference) and then, just in case that wasn't set up as a client cert, I created a new request and generated a new client/server certificate on my Windows CA, which I re-exported and is now in the correct location and referenced properly in imapd.conf, but still no change to how either ldaps or starttls are failing.
I could share the entire imapd.conf, but it is Debian-based, so it has a lot of comments and a lot of commented-out options before you even get to the authorization section, and I will need to be really careful to modify anything company-specific, so I am trying not to share it, but will if it is the only way.
Thanks
Jim