OH3: IMAP STARTTLS failure

I tried monitor INBOX on my own imap server (zimbra), but It doesn’t work. Connection by mail client working without issue, but when I connect with imap binding:

UID: mail:imap:97a967c128
label: IMAP Server
thingTypeUID: mail:imap
configuration:
  refresh: 60
  hostname: zimbra2.pavkamlc.cz
  password: hesloheslo
  security: PLAIN
  port: "7143"
  username: openhab@pavkamlc.cz
channels:
  - id: ImapInbox
    channelTypeUID: mail:mailcount
    label: ImapInbox
    description: ""
    configuration:
      folder: INBOX

I always get only this error (TRACE for this handler enabled):

[INFO ] [binding.mail.internal.POP3IMAPHandler] - error when trying to refresh IMAP: STARTTLS failure

When I switch to TLS, binding doesnt work because there is cert from my own CA:

[INFO ] [binding.mail.internal.POP3IMAPHandler] - error when trying to refresh IMAP: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What I’m doing wrong?

Karaf
  Karaf version               4.3.7
  Karaf home                  /usr/share/openhab/runtime
  Karaf base                  /var/lib/openhab
  OSGi Framework              org.eclipse.osgi-3.17.200.v20220215-2237
JVM
  Java Virtual Machine        OpenJDK 64-Bit Server VM version 18.0.2.1+1
Operating system
  Name                        Linux version 4.18.0-425.13.1.el8_7.x86_64
  Architecture                amd64

Root cause should be the same for STARTTLS.
While with STARTTLS the encryption negotiation is started on demand for TLS it’s done by default when the session is initialized.
In both cases you need to make the binding / OH / Java aware of the public certificate of your signing CA.

See e.g. Icalendar binding with self signed certificate: SunCertPathBuilderException which is a different use case but also an own CA is being used.