You can run:
# testssl -t smtp localhost:25
on the shell after installing testssl.sh (Debian package: testssl.sh)
and see some things that tend to go wrong. One of the main issues is that when you install hestia on subdomain.domain.com, you’ll probably have LetsEncrypt issues when the domain.com has a separate cert. My experience is to install hestia on domain.com and add subdomain.domain.com as an alias for that, but that way you will not be able to use the domain.com for normal users, which can be quite cumbersome…
A great solution from LetsEncrypt is the option for wildcard domain certs. I’ve been using that for about 6 years now, ever since it was in beta-stage, and it’s been a sigh of relief. Why would you want to create different certs for each and every subdomain, if you’re the owner of the domain anyway? Just use ONE cert for all of *.domain.com and domain.com and you’re done for all server software that needs a cert.
I also noticed that dhparam on my hestiacp server wasn’t all that nice. I recommend generating it using:
# openssl dhparam -dsaparam -out /etc/ssl/dh4096.pem 4096
and then use this dhparam file for nginx, exim, dovecot, etc. For the right TLS/security config, I recommend this: https://ssl-config.mozilla.org/
Three great tips to test your mail config:
https://internet.nl/ | //email/testTo: and Mailhardener email tools
I know, the last two are commercial, but the free advice it gives with their tests is truly priceless.
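As an added example (not part of the original post), a small Python check for the dhparam file generated above: it parses the PEM, reports the prime size and generator, and flags anything under 2048 bits, so you can confirm what you are about to hand to nginx, exim and dovecot. The toy PEM inside is constructed with a 64-bit prime purely to exercise the parser; the label and has_q fields tell you whether OpenSSL wrote a PKCS#3 (p, g) or X9.42 (p, g, q) encoding.

```python
import base64
import re

# Floor applied by the check: 2048 bits is the common minimum for modern TLS stacks (the post generates 4096).
MIN_DH_BITS = 2048


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_dhparam(pem_text):
    """Parse a 'DH PARAMETERS' (PKCS#3: p, g) or 'X9.42 DH PARAMETERS' (p, g, q, ...)
    PEM and report the prime size and generator."""
    m = re.search(r"-----BEGIN ([A-Z0-9. ]+)-----(.*?)-----END ", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    der = base64.b64decode("".join(body.split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            break  # X9.42 may append optional non-INTEGER fields after p, g, q
        ints.append(int.from_bytes(val, "big", signed=True))
    if len(ints) < 2:
        raise ValueError("need at least p and g")
    p, g = ints[0], ints[1]
    return {"label": label, "p_bits": p.bit_length(), "g": g,
            "has_q": len(ints) >= 3, "meets_minimum": p.bit_length() >= MIN_DH_BITS}


def toy_pem():
    """Constructed sample (not a real file): PKCS#3 encoding of p = 2**64 - 59, g = 2.
    A 64-bit group is far too small for real use; it only exercises the parser."""
    p_bytes = b"\x00" + (2 ** 64 - 59).to_bytes(8, "big")  # leading 0x00 keeps the INTEGER positive
    body = b"\x02" + bytes([len(p_bytes)]) + p_bytes + b"\x02\x01\x02"
    der = b"\x30" + bytes([len(body)]) + body
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % base64.b64encode(der).decode()
```

For the real file, pass the contents of /etc/ssl/dh4096.pem to inspect_dhparam instead of toy_pem().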