I've been able to replicate this now, but I'm not seeing any recent change in behaviour, I've tried with mutt versions going back to 2.0.7 with the libressl version in 7.1, and on 7.0 with the current version of mutt in packages for release, and they all behave the same.
It's not specific to any particular mail server but requires ssl_usesystemcerts=no. Avon: to workaround your problem, remove "set ssl_usesystemcerts=no", it will then validate against /etc/ssl/cert.pem and avoid asking you each time. But I don't see what could have changed recently that is triggering it. Test case: $ cat .muttrc-test set certificate_file="~/.mutt_test_certificates" set pop_host="pops://test_libressl_is...@mail.spacehopper.org:995" set ssl_usesystemcerts=no $ rm .mutt_test_certificates $ mutt -F .muttrc-test <hit G, "fetch-mail"> <hit a, "accept always"> ^C, exit repeat trying to fetch mail With the "ssl_usesystermcerts=no" config, I would expect that mutt would need to save all of (server, intermediate, CA) certificates to its cert file, in order that it can verify in future. What actually happens is the server certificate is saved, not the CA or intermediate certificate, and *somehow* the validation succeeds if you append _any_ self-signed certificate (e.g. tail -25 /etc/ssl/cert.pem >> .mutt_test_certificates). Not sure if this is a Mutt problem or a LibreSSL one. I haven't compared with a build done against OpenSSL rather than LibreSSL yet (the only other install I have handy right now is Debian and their Mutt packages use gnutls instead which don't support setting ssl_usesystemcerts at all).
