There is currently no nice way to do that and while some workarounds* should be possible, they are limited in their use.
So in general you're best of using "your.plesk-server.name" as mailserver for your customers and not mail.domain.tld
* such a workaround would be to create a normal domain, name it "mail.xxxx.com" and use LetsEncrypt on that. (dns and mail service should be disabled for that)
For every further domain on your server, you can then add "mail.xxxx.com" as an alias domain and make sure it's also covered by the LetsEncrypt Certificate.
Under "Tools & Settings" -> "SSL/TLS Certificates" -> "Certificate for securing mail" you then choose the "mail.xxxx.com"s domain LetsEncrypt certicate from the server pool