IMAP TLS connection to Dovecot fails
First thing I would do would be to update the client.
What is happening here is an attempted protocol downgrade. That is, the client is trying to downgrade from TLSv1 to SSLv3, or from any higher version of TLS to a lower version. (Exactly which is not clear from the logs, and would require more verbose OpenSSL debugging to be enabled, but that particular detail is not really relevant.)
The reason that the protocol downgrade is failing is that your server has protocol downgrade prevention (TLS_FALLBACK_SCSV) enabled, as a mitigation for the POODLE attack.
So, the first thing to check is to make sure the client is up to date; that means at minimum Thunderbird and its supporting libraries.
After that I would check the protocol list. I'm concerned that you didn't specify TLSv1, TLSv1.1 and TLSv1.2 explicitly. While this shouldn't make a difference, as these ought to be enabled by default, it might help.
ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2
Finally, there's the rare possibility that you caught someone attempting to attack your connection, and the attack was thwarted.