I don't know of any way to do this "out of the box". Here are some ideas on how you might get it done, though:
1. Use a ".local" domain on the server, and don't include that in your letsencrypt updates
Set the primary domain name to a private value, and exclude it from letsencrypt updates. I don't know what cert would then get used by imaps or smtps, though...
2. Customize the cert settings for ldaps
ldaps uses the certificate in /var/service/ldaps/ssl/slapd.pem. To customize this, you would have to customize /etc/slapd.conf (specifically /etc/e-smith/templates/etc/openldap/slapd.conf/12tls) and /var/service/slapd/control/1 -- which does not appear to be templated (so your updates would be destroyed any time e-smith-ldap is updated). You would also have to make sure that the SME self-signed cert was regenerated when needed (annually by default) or is created with a non-standard expiration date (more than 12 months?)
3. Figure out how to use the pfSense CLI to update the cert, then create a script on the SME server that connects to pfSense and updates the cert any time the LetsEncrypt cert is updated. I couldn't find (in 5 minutes or so) anything describing this process in Googles.
4. Use a VPN or ssh tunnel between pfSense and your SME, then use unencrypted LDAP.
I have no idea if pfSense will let you do this, but I used to do it to test ldap auth against my office Active Directory from various testbeds at home. I would create an ssl connection forwarding port 389 to the ldap server, then configure the testbed to authenticate against localhost.
5. Schedule a process to update the pfSense manually
I dreaded the 90-day LetsEncrypt expiration window when I started using it. I have a problem since I need certs on two of my home systems (SME for imaps, smtps, Ubuntu for nextcloud), but I only have one IP address. I keep meaning to roll out a "permanent" solution, but here it is a year later, and I've been doing the updates manually every 2.5 months or so (I have to change the port forwarding on my firewall for port 80, then run the letsencrypt update on the system that failed...). Since I have a failing system I get handy reminder emails from Letsencrypt...
6. Buy a "real" 3 year or 5 year cert...