I've got three SME 10 systems running. All seem to have the same problem. Using Letsencrypt certificates, all are using it for any https connections, but not for email ports. Testing with openssl, ports 465, 587 and 993 are all using a self-signed certificate, not the letsencrypt one.
By comparison, the one remaining SME 9.2 system I have access to uses the letsencrypt certificate on those ports as well as 443.
Using the self-signed cert for mail is causing some problems with the latest versions of Thunderbird, which no longer seem to be able to permanently store an exception. I would also prefer to use the Letsencrypt certificate for all open ports.
Have I missed something in the setup, given that SME 9.2 is using the letsencrypt cert? I don't remember having to do anything special to get the coverage, nor can I find any notes on the subject, but it seems odd that the other ports are not covered.