We want to have TLSA records that fingerprint the public key instead of the certificate. The reason for that is that Let's encrypt certificates are valid for 30 days only, and there is a good chance that we will forget to update the TLSA RR accordingly. But the public keys do not change often.
In short, we want to use
3 1 2 instead of
3 0 2
Then, we just have to put the TLSA-RR into our zone, and we are set!
~$ host -ttlsa _25._tcp.mail.sokoll.com _25._tcp.mail.sokoll.com has TLSA record 3 1 2 6D97EB955607F26D7DD8961887DE734866EBABA7F49E1C4395273AB8 C1921FA2DE93FC6BE31D93894188CEA31B1F4CADF99D898C15BF12B0 A55E59DF33EFEBF2 _25._tcp.mail.sokoll.com has TLSA record 3 0 2 F34AD2AAF8939AEE6B30FF0AF3872A02BF6B6483031E930BC941A413 F8D0990B173C0C8F1B8482FB59FD3171B2C773CEA49940FC3A01F343 5A00B3BDB6B02590 ~$