Self-signed will work just as well, since no MTA talking to you requires the cert to be trusted (maybe DANE is required now in that case, but I was also using self-signed before I set up DANE and peers would all use opportunistic encryption.

letsencrypt is a bit cumbersome if you want to support DANE, at least if you don’t run your own DNS or have an API to your provider’s DNS.