[ProxCoques]

LetsEncrypt needs port 80 open to the outside so that it can verify/renew certificates. I don't have port 80 open on the mail server though.

[Whitestrake]

LetsEncrypt actually has multiple options available for validation. Only one challenge type, http-01, requires port 80 to be open. Another, tls-sni-01, requires port 443. dns-01 requires configuration of your DNS provider. I personally make use of tls-sni-01 and dns-01 in different situations.