As far as I understand your situation, I think you won’t receive any “mail.domain.com” certificate because it is not a regular IIS website. So LetsEncryptWinSimple is not able to create the necessary verification files in the LetsEncrypt subfolder of the wwwroot.
I encountered the same situation with our mail server and solved it like this:
- make sure the mail server is not using the default SSL port, but e.g. 451
- create an IIS site bound to mail.domain.com
- request a certificate with LetsEncryptWinSimple. As it is a real IIS website, you will get it.
If your mail server is web based, you could consider placing these rewrite rules in your web.config:
<rules>
  <!-- Let the ACME verification files through untouched, otherwise validation fails -->
  <rule name="LetsEncrypt" stopProcessing="true">
    <match url="^\.well-known.*$" />
    <action type="None" />
  </rule>
  <!-- Everything else goes to the mail server on its non-default SSL port -->
  <rule name="Vers https://mail.domain.com:451" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*" />
    <action type="Redirect" url="https://mail.domain.com:451" />
  </rule>
</rules>
So it is really transparent for the users, as when they use mail.domain.com they are automatically redirected to https://mail.domain.com:451.
Hope this will help.
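A check for the setup described in the post above, added here as an example and not part of the original answer: it confirms that the ACME challenge path is served directly over port 80 (no redirect), that other requests are redirected to the mail listener, and which certificate that listener now presents. The hostname, the TLS port 451 and the wwwroot path are assumptions taken from the post.

```powershell
# Added example, not from the original post. Assumes: IIS site on port 80 for
# mail.domain.com, mail server on TLS port 451, default wwwroot under inetpub.
param(
    [string]$Hostname = "mail.domain.com",
    [int]$MailPort = 451
)

# 1) Drop a probe token where LetsEncryptWinSimple writes its challenge files
$token = "probe-" + [guid]::NewGuid().ToString("N")
$dir = Join-Path $env:SystemDrive "inetpub\wwwroot\.well-known\acme-challenge"
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir $token) -Value "ok" -NoNewline

function Get-RawResponse([string]$Url) {
    # Redirects disabled so the 3xx (or 404) is observed rather than followed
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 5000
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }
    if ($null -eq $resp) { throw "No response from $Url" }
    [pscustomobject]@{ Status = [int]$resp.StatusCode; Location = $resp.Headers["Location"] }
}

$challenge = Get-RawResponse "http://$Hostname/.well-known/acme-challenge/$token"
$root      = Get-RawResponse "http://$Hostname/"
Remove-Item (Join-Path $dir $token) -ErrorAction SilentlyContinue

# 2) The challenge path must answer 200 itself; a redirect or 404 breaks validation
#    (a 404 for an extensionless file usually means no MIME mapping in that folder)
if ($challenge.Status -ne 200) { Write-Warning "Challenge path returned $($challenge.Status): validation will fail" }
else { Write-Host "Challenge path served directly: OK" }

# 3) Everything else should send users to the mail server on $MailPort
$expected = "https://${Hostname}:$MailPort"
if ($root.Status -in 301,302 -and $root.Location -like "$expected*") { Write-Host "Root redirects to ${expected}: OK" }
else { Write-Warning "Root returned $($root.Status) Location=$($root.Location); expected redirect to $expected" }

# 4) Show which certificate the mail listener presents after the certificate was installed
$tcp = New-Object System.Net.Sockets.TcpClient($Hostname, $MailPort)
$cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]   # inspect only, no trust decision here
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($Hostname)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
Write-Host "Port $MailPort certificate: $($cert.Subject), issuer $($cert.Issuer), expires $($cert.NotAfter)"
$ssl.Dispose(); $tcp.Dispose()
```

Run it on the IIS host after the certificate has been bound to the mail server; a warning on step 2 means the rewrite rule order or the MIME mapping for the challenge folder needs attention before requesting a certificate again.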