Best practices is having a valid cert on the mail server(s), to only accept encrypted traffic (e.g. not listen on port 80) and to redirect non-encrypted port 80 traffic to SSL/TLS port 443. 

However if you use LetsEncrypt, you need to pass the inbound LetsEncrypt request without a redirection. There are numerous ways to do this, but if you want to not have to create a custom firewall rule for LetsEncrypt traffic and not have to worry about non-standard TCP ports read on...

Steps for this:

A client with wordpress was getting hundreds of attempted logins per hour of attempted logins. Even with automatic IP blocking with Wordfence the number of attacks continued as the attackers would just switch IPs as soon as one IP was blocked.

One can change the login page without needing to modify the server or wordpress with the following HAproxy commands

I hate going to businesses who offer "free wifi" but then block port 22. Also I've noticed that Comcast blocks port 22 at some places I've visited.  I used to get around it by running ssh over port 443 - but more recently businesses have been blocking that as well and when you ask why - their IT department has no idea. It's ridiculous and a major problem when it blocks access to git repositories, etc. Fortunately setting up ssh over SSL is easy with HaProxy.

1. Create .pem files for each domain of key, crt, and intermediate cert (if any):

sudo cat DOMAIN.key DOMAIN.crt CRT_intermediate_sha2_sha1root.crt  > dom1.pem

2.  Edit haproxy file and have list of domain.pem files bound to port 443. Note: you also need mode=http, some variants shown