
Renewing LetsEncrypt SSL/TLS Certificate for Mail Server behind HaProxy

Best practice is to have a valid cert on the mail server(s), to accept only encrypted traffic (e.g. not listen on port 80), and to redirect non-encrypted port 80 traffic to SSL/TLS port 443.

However, if you use LetsEncrypt, you need to pass the inbound LetsEncrypt request through without a redirect. There are numerous ways to do this, but if you want to avoid creating a custom firewall rule for LetsEncrypt traffic and avoid worrying about non-standard TCP ports, read on...

Steps for this:

Iaas Election Software Services

2016: Infrastructure as a Service (IAAS) and Application Architecture:

Client requested an upgrade of a legacy system for an organization that engages potential voters in U.S. elections across dozens of campaigns. Migrated to a fully virtualized IAAS microservices architecture with virtual firewalls, virtual LANs, and virtual DEV/TEST/PROD servers. Negotiated the contract for service, did load testing to predict the needed allocation of resources, led the team for a successful roll-out, and hosted the solution.

Originally set up in MySQL and moved to MariaDB
