Finally, I've been able to configure outgoing mail on
common-lisp.net using TLS on outbound connections. As it turns out, I had to resort to ACLs (setfacl/getfacl) to assign Exim's primary group (Debian-exim) read access to /etc/letsencrypt/{live,archive}. For some reason, being granted read access through the secondary group, doesn't work for Exim and leads to "Error reading file" messages in the logs.
(Consider this mail to be a test-case for mails sent through the mailing list software.)