If you run your own smtpd/MX and are not yet doing TLS1.2 for connections to other mail servers, before enforcing only TLS for MX-to-MX smtp traffic, a good first step is to set up to opportunistically negotiate TLS. 95% of the big mail senders (google, office365, etc) will negotiate TLS with your smtpd and transfer that way.
You can use letsencrypt in standalone mode to get free, valid public CA-signed certs for your mail server.
Self-signed will work just as well, since no MTA talking to you requires the cert to be trusted (maybe DANE is required now in that case, but I was also using self-signed before I set up DANE and peers would all use opportunistic encryption.
letsencrypt is a bit cumbersome if you want to support DANE, at least if you don’t run your own DNS or have an API to your provider’s DNS.
You can use letsencrypt in standalone mode to get free, valid public CA-signed certs for your mail server.