I suggest that we keep it simple:

1) Use smtpd_tls_CA_file to trust ONLY the letsencrypt CA.

2) Use a new check_certname_access feature to reject out-of-domain names. Postfix should not make 'allow' decisions based on name information in a certificate with an untrusted CA.

Wietse