I don't know if what I read some time ago about how to correctly request a CA to use with the original sendmail is still important and applicable (currently I use opensmtpd).
As far as I understood, you must use your FQDN as the principal name in your certificate. That's why I use 'server.roquesor.com' (my machine name) instead of just the domain name 'roquesor.com' as the principal name. I don't know if the Let's Encrypt people, since they thought of their certificates mostly for web sites, didn't care about documenting this detail or if it's not important anymore. In case this is still important, perhaps it could be useful to mention it in the man page (or in the FAQ).