Yes, once the certificate in question is in live use by Postfix, the command you posted will output its "3 1 1" record with $myhostname as the TLSA base domain. If (atypically) your inbound email arrives to a different name for the host, use that name instead. As for "infrequent manual rekeying", I hope and expect that [not too far in the] future improvements to "certbot" will make that easier. For now it is difficult to automate reliably. See my ICANN61 slides for ideas.