Great! You should be aware that if you didn't use either chain.pem, your configuration will be missing the intermediate certificate, which can cause problems with some browsers but not others. You could check with the site tester at https://www.ssllabs.com/.
Yes, that's right. The thing to be careful about here is that you will then also have to prove your control of the mail domain, in the same way that you proved your control of the others. That would require you to be able to create the /.well-known/acme-challenge on a web server running on that machine. But perhaps you don't currently have such a web server running there?
A CSR is a file that contains a request to a certificate authority to issue a certificate.
They are used internally by almost all CAs, but some CAs require users to generate them and some don't. Let's Encrypt also uses them internally, but most users using an automated client will not see the CSRs that were used behind the scenes.
The main use for CSRs with Let's Encrypt is if you have a device or hosting provider that generates its own keys (that doesn't allow or recommend for keys to be uploaded/imported). In that case, the device or hosting provider can also generate a CSR that requests to use its existing key. When that CSR is used to request a certificate from Let's Encrypt, the resulting issued certificate will refer to the appropriate public key for which the device or hosting provider already knows the private key. Then the certificate can be imported without the need to import a private key at the same time.
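The CSR flow described in the post above, as an added example that is not part of the original post: a key is generated in place, a CSR is made for it, and the public-key hashes of the key, the CSR and the issued certificate are compared. The file names, the throwaway test CA standing in for the certificate authority, and the domain mail.example.org are assumptions made up for the illustration.

```sh
#!/bin/sh
# Added example; file names, the throwaway CA and mail.example.org are constructed.
set -eu

# SHA-256 of the DER SubjectPublicKeyInfo, read as PEM on stdin.
spki_hash() { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }
key_spki()  { openssl pkey -in "$1" -pubout | spki_hash; }
csr_spki()  { openssl req  -in "$1" -noout -pubkey | spki_hash; }
cert_spki() { openssl x509 -in "$1" -noout -pubkey | spki_hash; }

# Device side: a private key that stays where it was generated, and a CSR for it.
new_key() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
new_csr() {  # new_csr KEY CSR DOMAIN
  openssl req -new -key "$1" -out "$2" -subj "/CN=$3" -addext "subjectAltName=DNS:$3"
}

# A CSR is signed with the private key whose public half it carries.
# Match on the message text: some openssl versions exit 0 even on failure.
csr_signature_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

# True if the file holds a PEM private key (a CSR or certificate never should).
contains_private_key() { grep -q 'PRIVATE KEY' "$1"; }

# Stand-in for the CA: a constructed throwaway CA signs what the CSR asks for.
issue_from_csr() {  # issue_from_csr CSR CERT WORKDIR
  new_key "$3/ca.key"
  openssl req -x509 -new -key "$3/ca.key" -out "$3/ca.crt" -subj "/CN=constructed test CA" -days 1
  openssl x509 -req -in "$1" -CA "$3/ca.crt" -CAkey "$3/ca.key" \
    -CAcreateserial -out "$2" -days 1 2>/dev/null
}

demo() {
  demo_dir=$(mktemp -d)
  new_key "$demo_dir/device.key"
  new_csr "$demo_dir/device.key" "$demo_dir/device.csr" mail.example.org
  csr_signature_ok "$demo_dir/device.csr" && echo "CSR self-signature: OK"
  issue_from_csr "$demo_dir/device.csr" "$demo_dir/device.crt" "$demo_dir"
  echo "key  $(key_spki  "$demo_dir/device.key")"
  echo "csr  $(csr_spki  "$demo_dir/device.csr")"
  echo "cert $(cert_spki "$demo_dir/device.crt")"
  contains_private_key "$demo_dir/device.csr" || echo "CSR holds no private key"
  rm -rf "$demo_dir"
}
demo
```

The three hashes printed by `demo` are identical, so the certificate can be installed next to the key that never left the machine.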