Hmailserver and new version 5 CTW

Let’s Encrypt does not offer wildcard certificates for http-01 validation. You must use dns-01 or include multiple alternate names (up to 100) on a non-wildcard certificate.

Certify can spin up a temporary port 80 server to serve the challenge requests that Let’s Encrypt requires. The option is in the Settings tab, ‘Enable Http Challenge Server’.

Certificate Deployment can be set to No Deployment to ignore Windows/IIS.

For my personal server, I have 3 deployment tasks configured…

  • Export PEM - Primary + Intermediate Certificate chain (*.cer)
  • Export PEM - Private Key (*.key)
  • Restart Service: hMailServer

I have hMailServer already configured to use a static file path for the above files, so restarting the service refreshes the certificates used.


I’m not really sure the MX records pointing anywhere matter. You’re securing a client’s SMTP/POP/IMAP to hMailServer. You don’t tell an email client about your MX records because it doesn’t care. You tell it about the hMailServer’s domain name/port. You can use CNAME records to forward one domain to another, but it will not make the client accept a certificate that doesn’t mention the first domain… so it’s not useful here.

I’m not aware of hMailServer having something like SNI where you can have many certificates enabled instead of one certificate that has all domains.

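The post describes three Certify deployment tasks (export the certificate chain, export the private key, restart hMailServer) and makes the point that clients only accept a certificate that names the host they are told to connect to. The script below is an added example, not part of the post or of Certify/hMailServer, of a post-deployment check an administrator could run after those tasks: it loads the exported PEM chain, confirms the Subject Alternative Names cover the client-facing hostname, checks expiry and key-file permissions, restarts the service, and verifies the certificate actually served on the IMAP port is the one just deployed. All file paths, the hostname and the port are assumptions to replace with your own values.

```powershell
# Added example: verify and activate TLS files exported by Certify for hMailServer.
# Every path, host and port below is an assumption; adjust to your deployment task settings.
$CertPath    = 'C:\hMailServer\certs\mail.example.com.cer'  # assumed: "Export PEM - Primary + Intermediate" output
$KeyPath     = 'C:\hMailServer\certs\mail.example.com.key'  # assumed: "Export PEM - Private Key" output
$ClientHost  = 'mail.example.com'                           # assumed: the name clients are configured to connect to
$ServiceName = 'hMailServer'                                # service name used by the "Restart Service" task
$CheckPort   = 993                                          # assumed: IMAP over TLS port on this server

foreach ($f in @($CertPath, $KeyPath)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

# X509Certificate2 accepts a PEM file; for a chain file it loads the first (leaf) certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Pull DNS names out of the Subject Alternative Name extension (OID 2.5.29.17).
# Format($false) yields text like "DNS Name=mail.example.com, DNS Name=imap.example.com";
# splitting on '=' keeps this working when the label is localized.
$dnsNames = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $dnsNames = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}

function Test-NameCovered {
    # Returns $true when $Name is listed in $Names, allowing a wildcard to match exactly one label.
    param([string]$Name, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -ieq $Name) { return $true }
        if ($n.StartsWith('*.') -and
            $Name -imatch ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) { return $true }
    }
    return $false
}

if (-not (Test-NameCovered -Name $ClientHost -Names $dnsNames)) {
    throw "Certificate SANs ($($dnsNames -join ', ')) do not include $ClientHost; mail clients will reject it."
}

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 0) { throw "Certificate expired on $($cert.NotAfter)" }
Write-Host "Leaf: $($cert.Subject); expires in $daysLeft days; SANs: $($dnsNames -join ', ')"

# The private key file should not be readable by broad groups; warn if it is.
$acl   = Get-Acl -LiteralPath $KeyPath
$broad = $acl.Access | Where-Object { $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users' }
if ($broad) {
    Write-Warning "Private key $KeyPath is readable by: $(($broad.IdentityReference | Select-Object -Unique) -join ', ')"
}

# Restart so hMailServer re-reads its static certificate/key paths (what the Certify task does).
Restart-Service -Name $ServiceName
Write-Host "Service $ServiceName is $((Get-Service -Name $ServiceName).Status)"

# Confirm the certificate now served on the TLS port is the one that was just deployed.
# Validation is bypassed in the callback only because we compare thumbprints ourselves below.
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList 'localhost', $CheckPort
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false,
    ([System.Net.Security.RemoteCertificateValidationCallback]{ $true })
try {
    $ssl.AuthenticateAsClient($ClientHost)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    if ($served.Thumbprint -ne $cert.Thumbprint) {
        throw "Port $CheckPort serves thumbprint $($served.Thumbprint), expected $($cert.Thumbprint); check hMailServer's certificate paths."
    }
    Write-Host "Port $CheckPort serves the deployed certificate ($($served.Thumbprint))."
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

Run it as an administrator once after Certify finishes its tasks, or attach it as a final script task. The thumbprint comparison at the end is what catches the common failure the post's setup avoids: a renewed file on disk that the running service has not picked up. Key/certificate pairing is not checked here because .NET Framework has no built-in PEM private key loader; if that check is wanted, `openssl rsa -noout -modulus` on the key and `openssl x509 -noout -modulus` on the certificate should produce the same value.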