by abverma 3493 days ago
You might want to switch to Let's Encrypt or a paid SSL certificate provider.

https://en.wikipedia.org/wiki/StartCom#Criticism

https://blog.mozilla.org/security/2016/10/24/distrusting-new...

https://wiki.mozilla.org/CA:WoSign_Issues


Let's Encrypt needs port 80 open to the outside so that it can verify/renew certificates. I don't have port 80 open on the mail server though.
Let's Encrypt actually has multiple options available for validation. Only one challenge type, http-01, requires port 80 to be open. Another, tls-sni-01, requires port 443. dns-01 requires configuration of your DNS provider. I personally make use of tls-sni-01 and dns-01 in different situations.