The "chain of trust" provided by CAs can be leaky, and a malicious (or suspicious) cert may have a perfectly valid chain of CAs.
Leaky? Do you mean because the certificate or one of the intermediary certificates might have been revoked? If not, what do you mean?
If everything validates up to a trusted root, then revocation should be all that matters, right? I know there is overhead in checking revocations. If that's the issue, then hypothetically would OCSP stapling help? (I use Exim for SMTP, and it supports OCSP stapling. As far as I can tell, my IMAP server, Dovecot, does not, though it's on a list as a possible future item.)
The reason I am following up on this is because of a user experience question. I'm pretty familiar with certificates and handshakes and blah, blah, blah, but lots of the people I recommend AquaMail to are just "regular folks" who mildly panic if they see something like the AquaMail "new certificate" message. I'd rather they only see such messages when it is actually likely to mean something they should pay attention to. Yesterday, I changed my certificate again, but it was signed by the same authority and had the same chain to a trusted CA. I had already said I trusted the old certificate, and I was a little surprised to be asked again.