Your explanation is excellent and clear. If sendmail is configured to offer TLS, it is TLS-capable itself, and when connecting to another MTA offering TLS, will automatically negotiate a secure connection. There's a good article on this at http://www.brandonhutchinson.com/Using_TLS_with_Sendmail.html .
My own m4 file says:
dnl TLS support
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
And that, plus a self-signed certificate, was all I needed to make my server TLS-capable. You can test the capability by talking to the MTA and doing an EHLO:
[madhatta@risby tmp]$ telnet www.teaparty.net 25
Trying 193.219.118.100...
Connected to www.teaparty.net.
Escape character is '^]'.
220 : ESMTP banner removed
EHLO me
250-www.teaparty.net Hello (source address deleted), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 14000000
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
Note the 250-STARTTLS. Once all your sendmail boxes offer that capability, they should all automatically encrypt all inter-server SMTP connections. If you want to go the extra mile, minting your own CA root and installing it on all the servers, and using it to sign each server's certificate, will enable the servers to validate each other's identities when negotiating TLS, which will add to the internal security. Minting and using your own CA is outwith the scope of this answer!