Set up non-Onion access to WhisperBack's SMTP relay
Two recent outages discussed on #18203 (closed) highlighted some major reliability issues with the current Onion-service-based implementation, and demonstrated that the current monitoring does not allow sysadmins to react effectively to outages. Some workarounds were proposed and potential future improvements are in the works, but regardless, the main reason why we initially used an Onion service here is obsolete (we're not trying to hide where this service runs anymore).
At this stage, a DNS hostname + TCP (non-standard) port redirection from the virt host + Let's Encrypt certificate would do the job just fine. Given the reports are OpenPGP-encrypted I would not even bother pinning the certificate or CA (I don't want https://gitlab.tails.boum.org/tails/tails/-/issues/17110 to happen again).
For more context, see the discussion that brought us here: #18203 (comment 3192463). In particular, it includes a few mitigation ideas in case we get flooded with spam once we remove the Onion layer (despite the hostname not being the MX for anything; in particular, it won't be the MX for the @DOMAIN.TLD of the only allowed destination address).
Once this is set up, please let me know, and we'll do the corresponding client side work. Thanks in advance!
cc @zen who's been the one handling the outage discussion on TPA side, cc @groente who IIRC re-implemented this stuff with a different Postfix Puppet module not too long ago, and cc @boyska who was involved in #18203 (closed).