Help, let'sencrypt does not work for Mail

The id-kp-serverAuth EKU is suitable for any TLS server.

Web as in "World Wide Web", not Web as in "Website". It is suitable for mail servers. There are an enormous number of mail (IMAPS/POP3S/SMTPS) servers out there secured by Let's Encrypt certificates.

Certificates are signed by a private key, not by another certificate. Clients should be able to build a trust path to the self-signed, unexpired "ISRG Root X1", even if the cross-signed "ISRG Root X1" certificate chains to the expired "DST Root CA X3".

There is more information about that in this post: OpenSSL Client Compatibility Changes for Let’s Encrypt Certificates. Modern versions of OpenSSL/GnuTLS/NSS/SecureChannel/whatever shouldn't encounter issues.

Do you know what TLS library+version your deployment of sendmail is built with?

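As an added example (not part of the post or of Let's Encrypt's tooling), a small POSIX shell check of the two points made above: that a mail server's certificate carries the id-kp-serverAuth EKU and is unexpired, plus a helper to pull the chain a STARTTLS SMTP server actually presents. It assumes OpenSSL 1.1.1 or newer on the path; the hostname and the self-signed demo certificate are constructed placeholders.

```shell
#!/bin/sh
# Added example: checks a mail-server certificate for the properties discussed
# in the post (id-kp-serverAuth EKU, not expired). Assumes OpenSSL >= 1.1.1.

# has_server_auth FILE: prints "yes" if the certificate's Extended Key Usage
# lists id-kp-serverAuth (shown by OpenSSL as "TLS Web Server Authentication").
has_server_auth() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'; then
        echo yes
    else
        echo no
    fi
}

# check_mail_cert FILE: prints "ok", "expired" or "missing serverAuth EKU".
# -checkend 0 exits non-zero once the notAfter date has passed.
check_mail_cert() {
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
    elif [ "$(has_server_auth "$1")" != yes ]; then
        echo "missing serverAuth EKU"
    else
        echo ok
    fi
}

# fetch_smtp_chain HOST PORT OUTFILE: do a STARTTLS handshake against a
# submission port (e.g. 587) and save every certificate the server sent, leaf
# first. Needs network, so the offline test below does not call it. The trust
# path can then be checked against the local store (which must contain the
# self-signed ISRG Root X1) with: openssl verify -untrusted OUTFILE OUTFILE
fetch_smtp_chain() {
    openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" \
        -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$3"
}

# make_demo_cert FILE EKU: constructed self-signed certificate for local testing
# (placeholder name mail.example.test); EKU is e.g. "serverAuth,clientAuth".
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 30 -subj "/CN=mail.example.test" \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Usage against a live server:  fetch_smtp_chain mail.example.test 587 chain.pem
#                               check_mail_cert chain.pem
```

Against a saved chain file, `check_mail_cert` inspects the first certificate, which is the leaf when the file comes from `fetch_smtp_chain`.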