LETSENCRYPT and SENDMAIL

NB: enabling TLS won’t magically fix whatever problem caused you to get CBL listed. I assume below that you’ve just decided you ought to have TLS, and this is not the right forum for you to try to diagnose whatever config errors / policy mistakes / virus-infected PC or whatever is causing you to get listed.

Divide and conquer. Your problem can be split into two smaller problems, each of which people have solved many times.

  1. You need to get Let’s Encrypt to issue you an appropriate certificate. The name on the certificate should be the DNS name of the MX, not the domain name it operates as MX for, nor any other name. You can easily obtain such a certificate using the Certbot tool in “certonly standalone” mode if the server doesn’t already run a web server, or using software like dehydrated or https://acme.sh/

  2. You need to get Sendmail to present this certificate when people connect

You didn’t specify how you configure your sendmail. If you use sendmail.cf you will need something like:

O CACertPath=/etc/letsencrypt/live/example.com
O CACertFile=/etc/letsencrypt/live/example.com/chain.pem
O ServerCertFile=/etc/letsencrypt/live/example.com/cert.pem
O ServerKeyFile=/etc/letsencrypt/live/example.com/privkey.pem
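
As an added example (not part of the original post, and not Sendmail's or Certbot's own code), this Python sketch reads the four TLS options from sendmail.cf text and reports paths that are missing or a key file with loose permissions. The function names and the temporary directory standing in for `live/example.com` are hypothetical, and the permission rule assumes default `DontBlameSendmail` settings.

```python
import os
import re
import stat
import tempfile

TLS_OPTIONS = ("CACertPath", "CACertFile", "ServerCertFile", "ServerKeyFile")
OPTION_RE = re.compile(r"^O\s+(\w+)\s*=\s*(\S+)")

def parse_tls_options(cf_text):
    """Collect the TLS 'O Name=value' lines from sendmail.cf text."""
    found = (OPTION_RE.match(line) for line in cf_text.splitlines())
    return {m.group(1): m.group(2) for m in found if m and m.group(1) in TLS_OPTIONS}

def check_tls_options(cf_text):
    """Return a list of problems; an empty list means the paths look usable."""
    opts = parse_tls_options(cf_text)
    problems = []
    for name in TLS_OPTIONS:
        path = opts.get(name)
        if path is None:
            problems.append(f"{name}: not set")
        elif name == "CACertPath":
            if not os.path.isdir(path):
                problems.append(f"{name}: {path} is not a directory")
        elif not os.path.isfile(path):  # follows Certbot's live/ symlinks
            problems.append(f"{name}: {path} does not exist")
        elif name == "ServerKeyFile":
            # Assumption: default DontBlameSendmail settings, under which a key
            # readable by group or others is treated as unsafe.
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:
                problems.append(f"{name}: {path} has mode {mode:o}, want 600")
    return problems

def make_sample(cf_key_name="privkey.pem", key_mode=0o600):
    """Constructed sample: a temp dir standing in for live/<name>/ plus cf text."""
    live = tempfile.mkdtemp()
    for fname in ("chain.pem", "cert.pem", "privkey.pem"):
        with open(os.path.join(live, fname), "w") as fh:
            fh.write("constructed placeholder, not real PEM data\n")
    os.chmod(os.path.join(live, "privkey.pem"), key_mode)
    return "\n".join([f"O CACertPath={live}", f"O CACertFile={live}/chain.pem",
                      f"O ServerCertFile={live}/cert.pem",
                      f"O ServerKeyFile={live}/{cf_key_name}"])

if __name__ == "__main__":
    for label, cf in (("ok", make_sample()), ("wrong key name", make_sample("privatekey.pem")),
                      ("loose key mode", make_sample(key_mode=0o644))):
        print(label, check_tls_options(cf))
```

To check a real configuration, pass the contents of your sendmail.cf to `check_tls_options` as the user Sendmail runs as, so that file visibility matches what the daemon sees.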