Best practices is having a valid cert on the mail server(s), to only accept encrypted traffic (e.g. not listen on port 80) and to redirect non-encrypted port 80 traffic to SSL/TLS port 443. 

However if you use LetsEncrypt, you need to pass the inbound LetsEncrypt request without a redirection. There are numerous ways to do this, but if you want to not have to create a custom firewall rule for LetsEncrypt traffic and not have to worry about non-standard TCP ports read on...

Steps for this:

1. Configure HaProxy to recognize and forward the ".well-known/acme-challenge/" and redirect other port 80 traffic to 443

#CaCert Test URI to see if its a letsencrypt request for certbot
acl letsencrypt-acl path_beg -i /.well-known/acme-challenge/

# Redirect to 443 if client request is on port 80
acl host_MAILHOST hdr(host) -i MAILHOST_FQDN
redirect scheme https code 301 if host_MAILHOST !letsencrypt-acl

#Otherwise pass on the traffic to the mail server certbot request matching TCPPORT (80 below)
use_backend MAILHOST_CERTBOT if letsencrypt-acl host_MAILHOST

# Don't interfere with Certbot requests on this HaProxy server
use_backend letsencrypt-backend if letsencrypt-acl !host_MAILHOST

...

#Pass on CaCert test without check to see if server is alive. It usually isn't
backend MAILHOST_CERTBOT
  server MAILHOST80 INTERNAL.ADDRESS:80

2. Renew but use port 80 for the inbound request (as root on the mail server). Note: you don't have to use port 80, but if not then you have to setup firewall, HaProxy, etc accordingly.

letsencrypt renew --standalone --agree-tos --email XXX@YYY --preferred-challenges=http --http-01-port=80