Then you will not be able to obtain a cert in the way you're trying to do it. When you're using the http-01 validator, the Let's Encrypt servers attempt to connect to http://$HOSTNAME/.well-known/acme-challenge for each $HOSTNAME you want on the certificate. If $HOSTNAME is not running a webserver, and you're unable or unwilling to run one for even the short period of time necessary to obtain the cert, you won't be able to use the http-01 validator (nor will you be able to use the TLS-SNI validator, as it also requires a running webserver on $HOSTNAME). You could run 'certbot standalone' on the mail server, which will fire up its own web server for the sole purpose of validating control over the hostname.
If you don't want to use "certbot standalone" either, your best option is to use DNS validation. This will require you to create a DNS TXT record with a specified value, which will need to be done each time you issue a certificate. To be practical, this method requires that your DNS host have an API through which you can automate changes to those records.
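
For the DNS validation route described in the reply above, an added example (not part of the original post and not certbot's own code): a hook script for certbot's `--manual-auth-hook` and `--manual-cleanup-hook` that publishes and removes the TXT record with `nsupdate`. It assumes the DNS host accepts RFC 2136 dynamic updates signed with a TSIG key; the server name, key path, TTL and wait time are placeholders.

```shell
#!/bin/sh
# Added example: certbot manual hook for DNS validation via RFC 2136 (nsupdate).
# Assumed placeholders, not from the post: DNS_SERVER, TSIG_KEYFILE, TTL, the wait.
# Scope the TSIG key so it may only update the _acme-challenge TXT names.
DNS_SERVER="${DNS_SERVER:-ns1.example.net}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/tsig.key}"
TTL=60

# TXT record name for a hostname; a wildcard is validated at its base name.
challenge_name() {
    printf '_acme-challenge.%s.\n' "${1#\*.}"
}

# Reject anything that could smuggle extra commands into the nsupdate batch.
valid_inputs() {
    case "$1" in ''|*[!A-Za-z0-9.*-]*) return 1 ;; esac   # hostname
    case "$2" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac    # base64url token
    return 0
}

# Print the nsupdate batch. $1 = add|delete, $2 = hostname, $3 = TXT value.
# "add" never removes existing records: example.com and *.example.com on one
# certificate need two TXT values under the same name at the same time.
build_batch() {
    valid_inputs "$2" "$3" || return 1
    name=$(challenge_name "$2")
    printf 'server %s\n' "$DNS_SERVER"
    case "$1" in
        add)    printf 'update add %s %s TXT "%s"\n' "$name" "$TTL" "$3" ;;
        delete) printf 'update delete %s TXT "%s"\n' "$name" "$3" ;;
        *)      return 1 ;;
    esac
    printf 'send\n'
}

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks; the
# action (add or delete) is passed as the script's first argument.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    batch=$(build_batch "${1:-}" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION") || exit 1
    printf '%s\n' "$batch" | nsupdate -k "$TSIG_KEYFILE" || exit 1
    # Assumed delay so secondary name servers serve the record before validation.
    if [ "${1:-}" = add ]; then sleep 30; fi
fi
```

Saved as, say, /usr/local/bin/acme-dns-hook.sh (a hypothetical path), it is wired in with `certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/usr/local/bin/acme-dns-hook.sh add" --manual-cleanup-hook "/usr/local/bin/acme-dns-hook.sh delete" -d mail.example.com`.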