I can't answer all your questions immediately, but as long as smtpd can read the certificate it needs for TLS (typically /sys/lib/ssl/smtpd-cert.pem), tcp25 can reside in /rc/bin/service. There needs to be a corresponding key in your cpu server(s)'s bootes's factotum. We load ours automatically from bootes's secstore factotum file. It and our ssh server key look like this:
	key proto=rsa service=tls owner=* size=1024 ek=10001 n=[many hex digits] !dk? !p? !q? !kp? !kq? !c2?
	key proto=rsa service=sshserve owner=* size=1024 ek=91 n=[many hex digits] !dk? !p? !q? !kp? !kq? !c2?

Our tcp25 for the outside world ends with this invocation of smtpd:

	exec upas/smtpd -n $3 -gD -m /mail/lib/vfsend.alt -c /sys/lib/ssl/smtpd-cert.pem
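
Added example (not part of the original message, and not Plan 9 code): a check that a factotum listing holds a proto=rsa service=tls key whose modulus matches the certificate smtpd is given. It assumes the certificate's modulus is supplied as hex, for instance in the "Modulus=HEX" form printed by openssl x509 -noout -modulus; the function names and the shortened sample moduli are constructed for illustration.

```python
# Private RSA components a usable key must carry (names as in the key lines above).
PRIVATE = {"dk", "p", "q", "kp", "kq", "c2"}

# Constructed sample: two key lines in the format shown above, moduli shortened.
SAMPLE = [
    "key proto=rsa service=tls owner=* size=24 ek=10001 n=C5A3F1 !dk? !p? !q? !kp? !kq? !c2?",
    "key proto=rsa service=sshserve owner=* size=24 ek=91 n=D7B209 !dk? !p? !q? !kp? !kq? !c2?",
]

def parse_key(line):
    """Split one 'key attr=value ...' line into (public attrs, secret attr names)."""
    words = line.split()
    if not words or words[0] != "key":
        raise ValueError("not a factotum key line: %r" % line)
    public, secret = {}, set()
    for word in words[1:]:
        name, _, value = word.partition("=")
        if name.startswith("!"):            # '!' marks a secret attribute
            secret.add(name[1:].rstrip("?"))
        else:
            public[name.rstrip("?")] = value
    return public, secret

def check_tls_key(key_lines, cert_modulus):
    """Return a list of problems; an empty list means a matching TLS key exists."""
    cert_n = int(cert_modulus.strip().split("=")[-1], 16)
    tls_keys = []
    for line in key_lines:
        public, secret = parse_key(line)
        if public.get("proto") == "rsa" and public.get("service") == "tls":
            tls_keys.append((public, secret))
    if not tls_keys:
        return ["no proto=rsa service=tls key in factotum"]
    for public, secret in tls_keys:
        if int(public.get("n", "0"), 16) != cert_n:
            continue                        # some other certificate's key
        missing = sorted(PRIVATE - secret)
        if missing:
            return ["matching key lacks private attributes: " + ", ".join(missing)]
        return []
    return ["service=tls key present, but its modulus differs from the certificate's"]

if __name__ == "__main__":
    print(check_tls_key(SAMPLE, "Modulus=C5A3F1") or "ok")
```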
